Based on international humanitarian law, the rules are:
Do not direct cyber-attacks against civilian objects
Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
Do not conduct any cyber-operation against medical and humanitarian facilities
Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
Do not make threats of violence to spread terror among the civilian population
Do not incite violations of international humanitarian law
Comply with these rules even if the enemy does not
Perhaps this will be an unpopular opinion amongst the lawful good, but the only rules that apply to hackers in a meaningful manor during wartime or most times are these: What a person can do and what a person can't do. [1]
Hackers engaging in warfare are not likely interested in laws. People responsible for securing things and protecting people should keep that in mind. Anyone engaging in warfare is effectively an enemy combatant in the eyes of their opponents regardless of being civilian or soldier.
It's not so much an unpopular opinion as an unfortunate one, especially for the hacker in question, and those who have the misfortune of being physically located around them.
Specifically, because their actions may or may not make them a lawful target under IHL for kinetic force. While the hacker themselves may not be interested in laws, you better believe the State whom they are hacking is interested in whether their act just reached the magic threshold to lawfully drop a missile on them.
you better believe the State whom they are hacking is interested in whether their act just reached the magic threshold to lawfully drop a missile on them.
Absolutely. I should have added that as well. Well meaning hacktivists may or may not be aware of or in denial about the risks they are taking on.
If y'all want to write a rebuttal, "The Practitioner's Guide to Decency and Survival in Nation State Cyberwarfare," I would chip in some fiat towards that. Far better coming from educated, experienced practitioners vs some folks pushing thought leadership white papers on the topic.
Hackers (in the negative sense of the word) are also very unlikely to be caught & face consequences for their actions. Yes it can happen, but rarely.
So from attacked parties' p.o.v., one can secure systems, mitigate attacks, take attacked systems offline, maybe counter-attack (like try wiping systems that attack, legal or not), but practically always the hackers behind an attack will remain out of reach. At most one may get lucky & identify attack as orchestrated by a specific hacking group.
6 comments
[ 4.7 ms ] story [ 58.5 ms ] threadDo not direct cyber-attacks against civilian objects
Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
Do not conduct any cyber-operation against medical and humanitarian facilities
Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
Do not make threats of violence to spread terror among the civilian population
Do not incite violations of international humanitarian law
Comply with these rules even if the enemy does not
Hackers engaging in warfare are not likely interested in laws. People responsible for securing things and protecting people should keep that in mind. Anyone engaging in warfare is effectively an enemy combatant in the eyes of their opponents regardless of being civilian or soldier.
[1] - https://www.youtube.com/watch?v=Wxi-IUnCN_8 [video][1 min]
Absolutely. I should have added that as well. Well meaning hacktivists may or may not be aware of or in denial about the risks they are taking on.
So from attacked parties' p.o.v., one can secure systems, mitigate attacks, take attacked systems offline, maybe counter-attack (like try wiping systems that attack, legal or not), but practically always the hackers behind an attack will remain out of reach. At most one may get lucky & identify attack as orchestrated by a specific hacking group.