“patriotic hackers”: non-state actors fighting wars for - UvA-DARE

“PATRIOTIC HACKERS”: NON-STATE
ACTORS FIGHTING WARS FOR STATES?
Nuno Jorge Carvalho Barata
Student Number 10763376
Supervisor: Professor Terry Gill
Table of Contents
1. Introduction
2. Cyber Armed Conflict
2.1. Jus ad bellum
2.2. Jus in bello
2.2.1. International and non-international cyber armed conflict
2.2.2. Personal status
2.2.3. Direct participation in hostilities
2.2.4. Possibility of stand-alone cyber-attacks?
3. Patriotic Hackers
3.1. Characterization
3.2. Patriotic Hacking attacks
3.3. Standalone Patriotic Hacking reaching the level of armed conflict?
3.3.1. International Armed Conflict
3.3.2. Non-International Armed Conflict
3.4. State sponsored Patriotic hackers
3.5. Non-State sponsored Patriotic Hackers
3.5.1. Organized Armed Groups
3.5.2. Unorganized Armed Groups or individuals
4. Attribution and legal responsibility for cyber attacks
4.1. Technical attribution
4.2. Legal attribution
4.2.1. State Sponsored
4.2.2. Non-State Sponsored
4.3. The Principle of Sovereignty: a duty of prevention
5. Conclusions
6. Bibliography
6.1. Literature
6.2. Table of Cases
Abbreviations
AP I: Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I) of 8 June 1977
AP II: Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of non-International Armed Conflicts (Protocol II) of 8 June 1977
ARSIWA: Articles on Responsibility of States for Internationally Wrongful Acts
DDoS: Distributed Denial of Service
DPH: Direct Participation in Hostilities
IAC: International Armed Conflict
ICJ: International Court of Justice
ICRC: International Committee of the Red Cross
ICSCERT: Industrial Control Systems Cyber Emergency Response Team
ICTY: International Criminal Tribunal for the Former Yugoslavia
IHL: International Humanitarian Law
ILC: International Law Commission
ISIS: Islamic State of Iraq and Syria
PLA: People’s Liberation Army
NATO: North Atlantic Treaty Organization
NIAC: Non-International Armed Conflict
NSA: National Security Agency
OAG: Organized Armed Group
RBN: Russian Business Network
UK: United Kingdom
US: United States of America
UN: United Nations
UNC: United Nations Charter
UNSC: United Nations Security Council
“Patriotic Hackers”: Non-State Actors fighting wars for the states?
1. Introduction
Cyber-attacks are emerging as one of the biggest concerns for governments,
corporations, and individuals. The numbers give some reason to worry. For instance,
focusing only on Distributed Denial of Service (DDoS) attacks, an estimated 3 to 4
million attacks were conducted during 2014 alone. 1
The motivation for the attacks varies. They may be perpetrated to obtain a
financial gain (cyber-crime), intellectual property (cyber espionage), or for other reasons.
For the present work not all kinds of cyber-attacks are relevant. This thesis will
focus only on cyber-attacks conducted within, or that rise to the status of, armed
conflict: cyber warfare.
A number of cyber-attack definitions can be found throughout the relevant
literature. For instance, cyber-attack has been defined as an attack by a hostile nation
against the networks of another to cause disruption or damage. 2 In the 2006 United
States National Military Strategy for Cyberspace Operations 3, cyberwar was termed as
“computer network operations” (CNO) which comprises computer network attacks 4
(CNA), computer network defence 5 (CND) and “related computer network exploitation
enabling operations” 6 (CNE).
The Tallinn Manual provides a more accurate and comprehensive definition of
cyber-attack considering it as “a cyber operation, whether offensive or defensive, that is
reasonably expected to cause injury or death to persons or damage or destruction to
objects.” 7 One important note to consider is that although the wording only refers to
objects and persons, the International Expert Group on the Commentaries states that
cyber operations against data are also included in the scope of cyber-attack, at least
whenever such attack results in the injury or death of individuals or damage or
destruction of physical objects.
1
2015 Internet Security Threat Report, April 2015 Volume 20, Symantec, p. 44 [online via
https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-reportvolume-20-2015-social_v2.pdf]
2
Shackelford, S. & Andres, R. State responsibility for cyber attacks: competing standards for a growing
problem, Georgetown Journal of International Law, 2010-, p. 971-1016 [online via HeinOnline]
3
United States Department of Defense (DoD), The National Military Strategy for Cyberspace Operations,
2006, GL-1 <http://www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf>
4
“Operations to disrupt, deny, degrade, or destroy information resident in computers and computer
networks, or the computers and networks themselves.”, See note 2
5
“Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD
information systems and computer networks”, See note 2
6
“Enabling operations and intelligence collection to gather data from target or adversary automated
information systems or networks”, see note 2
7
Rule 30 of the Tallinn Manual
One of the first examples of cyber warfare occurred in 1999, during the Kosovo
conflict when pro-Serbian groups of hackers, such as the so-called “Black Hand”
conducted cyber-attacks against NATO, US and UK computers with the goal of
disrupting their military operations. 8
Another example of this kind of attack occurred in August 2008, during the
conflict between the Russian Federation and Georgia over South Ossetia. While
a traditional armed conflict was taking place, Georgia was the target of cyber-attacks.
According to what is publicly known, the cyber-attacks were not conducted by
the Russian government (namely its armed forces), but rather by Russian civilian
hackers. Several Distributed Denial of Service (DDoS) attacks were carried out against
Georgian network servers, disrupting many (governmental and media) websites.
More recently, within the Russia-Ukraine conflict it has been reported that pro-Russian
groups (for instance, the CyberBerkut) have, allegedly without official support,
been conducting cyber operations against the Ukraine. 9
One feature is common to the given examples: the individuals that
are conducting cyber-attacks are generally not part of the armed forces. These
individuals are sometimes called “Patriotic Hackers”. Holt and Schell advance a
definition of Patriotic Hackers, considering them as “citizens and expatriates engaging
in cyber-attacks to defend their mother country or country of ethnic origin. Typically,
patriotic networks attack the websites and email accounts of countries whose actions
have threatened or harmed the interests of their mother country”. 10 Thus the “hackers”
are not (or at least don’t appear to be) regular armed forces. Nonetheless, as seen in the
examples mentioned above, the non-state led cyber-attacks often serve State interests
even without having any (official) linkage between them.
8
Geers, K., Cyberspace and the Changing Nature of Warfare, Cooperative Cyber Defence Centre of
Excellence Tallinn, Estonia, [online via https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08Geers/BlackHat-Japan-08-Geers-Cyber-Warfare-Whitepaper.pdf]
9
Boulet, G., Cyber Operations by Private Actors in the Ukraine-Russia Conflict: From Cyber War to
Cyber Security, American Society of International Law, Volume 19, Issue 1, January 07, 2015 [online via
http://www.asil.org/insights/volume/19/issue/1/cyber-operations-private-actors-ukraine-russia-conflictcyber-war-cyber]
10
Holt, T. J. and Schell, B. H., Corporate Hacking and Technology-Driven Crime: Social Dynamics and
Implications, New York: Information Science Reference, 2011 [online via New York: Information
Science Reference, 2011]
Chapter 2 will start by focusing on the definition of cyber armed conflict (both
international and non-international), the law applicable and the status of persons
involved in such conflicts.
After having set a clear definition of cyber armed conflict and of the applicable
legal framework, the legal consequences of Patriotic Hacking will be surveyed,
including those arising from International law applicable to cyber warfare (namely if
their actions are to be considered as Direct Participation in Hostilities, hereafter DPH).
Thus Chapter 3 will address the legal consequences of cyber-attack activities conducted
by patriotic hackers within a cyber armed conflict.
But how and when can a cyber-attack be attributable to an individual or group?
The answer to this question is twofold: on one hand there is the question of technical
attribution, meaning that first it is necessary to identify the person or group that
conducted the attack by technical means; on the other hand it has to be determined
whether the attack can be legally attributed to the person (or eventually to a state).
Chapter 4 will be dedicated to the question of attribution of attacks to individuals in the
cyber realm and the (possible) connection with the state. Given the potential for
anonymity with internet use – as well as the constant development of relevant
technologies - the task of pinpointing the cyber-conflict source can pose substantial
difficulty. Nevertheless, the feat of determining the responsible parties (attribution) is
not impossible.
After examining the dynamics of cyber-attack attribution, Chapter 5 will review
the nature of the responsibility that arises from cyber-attacks conducted by Patriotic
Hackers. In this context I shall also assess whether the conduct of patriotic hackers can
be attributed and whether this can originate state responsibility.
The research and subsidiary questions shall be addressed on the basis of
applicable international law, in particular the legal framework given by IHL and
academic literature such as The Tallinn Manual on International Law Applicable to
Cyber Warfare and doctrine and other leading publications.
2. Cyber Armed Conflict
2.1. Jus ad bellum
Jus ad bellum is the set of rules that govern “when resort to armed force is
permissible” 11 as opposed to jus in bello which is “the law applicable to the conduct of
hostilities that applies once a party has entered into armed conflict”.
The most important provisions of jus ad bellum are found in the United Nations
Charter: Article 2(4) and Chapter VII. Article 2(4) provides that “All Members shall
refrain in their international relations from the threat or use of force against the
territorial integrity or political independence of any state, or in any other manner
inconsistent with the Purposes of the United Nations.” Being - as it is – a rule of
customary international law 12, both UN members and non-state members are bound by
the principle. Furthermore, given the ICJ stated that “These provisions do not refer to
specific weapons. They apply to any use of force, regardless of the weapons
employed” 13, it seems accurate to conclude that cyber-attacks are not excluded from the
scope of the mentioned provision. Rule 10 of the Tallinn Manual states a similar
principle of prohibition on the use of force.
But what is “use of force” and “threat of the use of force” within cyber warfare?
According to the view expressed in the Tallinn Manual “a cyber operation constitutes
a use of force when its scale and effects are comparable to non-cyber operations rising
to the level of a use of force.” 14 For an action to be qualified as a use of force, it does not
need to be conducted by the State armed forces. 15 But when and how can it be assessed
whether a cyber-attack reaches the threshold of use of force? The dominant approach
bases the assessment on the effects of the action, according to which a cyber operation
qualifies as a use of force when its outcome results in physical damage and/or human
injury or death. This latter approach seems to have been the one adopted by the
International Expert Group on the Tallinn Manual. The Expert Group advanced a
non-exhaustive list of factors that could help in the use of force assessment, namely:
severity, immediacy, directness, invasiveness, measurability of effects, military
character, state involvement and presumptive legality. 16
11
O’Connell, M. E., Historical Development and Legal Basis, in The Handbook of International
Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press [1]
12
ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United
States of America), Merits, § 190 [online].
13
ICJ, 8-07-1996, Legality of the threat or use of nuclear weapons, Advisory Opinion, § 39 [online]
14
Rule 11 of the Tallinn Manual
15
As will be seen infra, cyber operations can also be conducted by other state organs and – under certain
conditions – even those conducted by private actors can be qualified as use of force by the state.
Regarding the threat of the use of force, Rule 12 of the Tallinn Manual advances
that “a cyber operation, or threatened cyber operation, constitutes an unlawful threat of
force when the threatened action, if carried out, would be an unlawful use of force.”
Regarding this rule, the International Experts Group devised two situations of the threat
of the use of force: “a cyber operation that is used to communicate a threat to use
force” and “a threat conveyed by any means (…) to carry out cyber operations
qualifying as a use of force.” 17
The prohibition on the use of force knows two exceptions: military action
authorized by the UN Security Council and the right to self-defence. 18
According to article 39 of the UNC in conjunction with articles 41 and 42, when
the UN Security Council determines a “threat to the peace, breach of the peace, or act
of aggression” and in order to “maintain or restore international peace and security” it
may decide to employ measures not involving the use of force 19, such as economic
sanctions; or, depending on the circumstances and severity of certain situations, it may
authorize the use of force 20.
Article 51 of the UNC also provides Member states with the right of individual or
collective self-defence “if an armed attack occurs against a Member of the United
Nations, until the Security Council has taken the measures necessary to maintain
international peace and security”. First of all, the right of self-defence requires the
existence of an armed attack. According to the ICJ “an armed attack must be
understood as including not merely action by regular armed forces across an
international border, but also "the sending by or on behalf of a State of armed bands,
groups, irregulars or mercenaries, which carry out acts of armed force against another
State of such gravity as to amount to" (inter alia) an actual armed attack conducted by
regular forces, "or its substantial involvement therein”. 21 Also, according to the ICJ the
important criteria to assess whether an operation amounts to an armed attack are its
“scale and effects” 22, meaning its gravity. The International Experts Group, in the
Tallinn Manual, seem to have followed the ICJ reasoning, accepting that sometimes
self-defence can be directed against armed groups 23 and using the same criteria to assess the
concept of armed attack.
16
Commentary on Rule 11 of the Tallinn Manual
17
Commentary on Rule 12 of the Tallinn Manual
18
Self-Defence shall be dealt infra on Chapter 5.3
19
Article 41 UNC
20
Article 42 UNC
21
ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United
States of America), Merits, § 195 [online].
Secondly, the wording of the quoted provision establishes a temporal limit by
which the right of self-defence only lasts until the Security Council takes measures to
restore or maintain peace and security. Related reporting obligations also result from the
Tallinn Manual. 24
A state is obligated to report to the Security Council any time it exercises its right
of self-defence. Notwithstanding, even though not expressly indicated in the
abovementioned provision, the measures adopted in self-defence must also observe the
conditions of necessity and proportionality. 25 The Tallinn Manual also contains a rule
conditioning self-defence on necessity and proportionality. Regarding necessity, it should
be assessed whether there are alternative courses of action that do not rise to the
level of a use of force and that are sufficient to repel the attack. 26 Once the use of force
has been found necessary, proportionality permits assessing how much force is
permissible. Rule 15 of the Tallinn Manual goes further than article 51 of UNC and
seems to expressly allow anticipatory self-defence. 27
Finally, it should be highlighted that private individuals and armed groups are
excluded from the scope of article 2(4) of the UNC. In such case, cyber operations may
be unlawful (domestically or even internationally) but won’t amount to a violation of
the prohibition on the use of force. Nevertheless, article 2(4) will be applicable when the
cyber operations conducted by such actors are attributable – under the law of state
responsibility – to a state, given that it would be accountable for the violation. This would
be the case – which will be examined below – where an organized group of Patriotic
Hackers conducts cyber operations under the direction and control of the State.
22
Ibid
23
For instance when acting on behalf of a state
24
Rule 17 of the Tallinn Manual
25
Ibid, § 194
26
Commentaries on Rule 14 of the Tallinn Manual
27
Gill, T. D. and Ducheine, P. A. L. also consider that there can be anticipatory self-defence and this can
take the form of simultaneous cyber operations and kinetic conventional attack or one of each. See Gill,
T. D. and Ducheine, P. A. L., Anticipatory Self-Defense in the Cyber Context, International Law Studies,
Vol 89, 2013 [438-471]
2.2. Jus in bello
Regarding jus in bello, one first question arises regarding which law is applicable
to cyber armed conflicts. As a matter of fact, none of the international humanitarian law
treaties foresee application to cyber warfare operations, which can be easily explained
by the fact that cyber warfare is a very recent phenomenon. Here, it seems adequate to
follow the reasoning of the ICJ according to which the Court found that the Law of
Armed Conflict principles apply “to all forms of warfare and to all kinds of weapons,
those of the past, those of the present and those of the future.” 28 Thus it should be
concluded that cyber armed conflict in the absence of a specific legal instrument with
binding force, such as an international treaty, is regulated by the International
Humanitarian law rules and principles.
Therefore this thesis shall recall important principles of the IHL and International
Customary law. Aside from that, in 2012 an International Group of Experts – at the
Invitation of the NATO Cooperative Cyber Defence Centre of Excellence – prepared an
important document regarding the subject discussed in the present work: the “Tallinn
Manual on the International Law Applicable to Cyber Warfare.” Although being
doctrine and non-legally binding it addresses comprehensively the question on the
applicability of law within the cyber operations context, hence it will also serve as basis
for the present work.
One final note should be added regarding the question on the law applicable to
cyber armed conflict. Even if it was not possible to conclude that IHL rules and
principles were applicable de jure to cyber warfare that would not imply some kind of
legal vacuum. In that case the “Martens Clause” would always be applicable, according
to which “Until a more complete code of the laws of war has been issued, the High
Contracting Parties deem it expedient to declare that, in cases not included in the
Regulations adopted by them, the inhabitants and the belligerents remain under the
protection and the rule of the principles of the law of nations, as they result from the
usages established among civilized peoples, from the laws of humanity, and the dictates
of the public conscience.” 29
28
ICJ, 8-07-1996, Legality of the threat or use of nuclear weapons, Advisory Opinion, § 86 [online]
29
Preamble of the 1907 Hague Convention IV. See also article 63 of the Geneva Convention I, article 62
of the Geneva Convention II, article 142 of the Geneva Convention III and article 158 of the Geneva
Convention IV.
2.2.1. International and non-international cyber armed conflict
Armed conflicts have historically been classified as international or non-international.
According to Rule 22 of the Tallinn Manual, “an international armed
conflict exists whenever there are hostilities, which may include or be limited to cyber
operations, occurring between two or more states.” 30 This definition closely follows
the one provided by Common Article 2 of the 1949 Geneva Conventions and customary
law. It follows from this definition that two conditions are required for an international
armed conflict to exist. First, it must be international in the sense that two different
States must be party to the conflict on opposing sides. 31 Aside from this an armed
conflict can also be international when “peoples are fighting against colonial
domination and alien occupation and against racist régimes in the exercise of their
right of self-determination” 32, provided that the State is a party to the AP I. Second, an
international armed conflict must also be “armed”, which means that there must be
hostilities between the states involved, with kinetic and cyber operations or stand-alone
cyber operations. Regarding the threshold of required violence that must be attained in order
to classify the conflict as such, evaluation of the incidents must be made on a case-by-case
basis.
The Tallinn Manual provides in Rule 23 that “A non-international armed
conflict exists whenever there is protracted armed violence, which may include or be
limited to cyber operations, occurring between governmental armed forces and the
forces of one or more armed groups, or between such groups. The confrontation must
reach a minimum level of intensity and the parties involved in the conflict must show a
minimum degree of organization.” The rule closely follows customary international law
and the Common Article 3 of the 1949 Geneva Conventions. Accordingly,
non-international armed conflicts are protracted armed violence between governmental
authorities and organized armed groups or between such groups within a State. Note
two basic requirements for the existence of a non-international armed conflict: the
“armed violence must be of sufficient intensity and the parties must be sufficiently
organized.” 33 The ICTY case law established some indicative factors of intensity 34 and
organization 35 criteria. As to the geographical scope of non-international armed
conflicts, also note that “the fact that an armed conflict is not limited to the territory of
a single state does not mean, without more, that a non-international armed conflict
changes its character and is to be considered international.” 36 That may be the case of
the so-called transnational armed conflicts. The distinction between international and
non-international armed conflicts “rests on the question who the parties to the armed
conflict are.” 37 Thus a cyber operation may be conducted by an organized group from
the territory of another State without this fact alone meaning a change of the classification
of the conflict.
30
This definition follows closely the definition provided by common article 2 of the 1949 Geneva
Conventions and customary law.
31
The required stateness opposition does not mean that non-state actors cannot, under certain conditions,
participate in international armed conflicts. This will be dealt further. See Chapter 3.2
32
Article 1(4) of the Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to
the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977.
2.2.2. Personal status
There is no prohibition of anyone participating in hostilities. The Tallinn Manual
restates this customary law principle in its Rule 25. Nevertheless the law of armed
conflicts stipulates consequences on the participation, namely combatant immunity,
prisoner of war status and targetability.
International Humanitarian Law devises different personae status, depending on
the nature of the armed conflict.
33
Jann K. Kleffner. 2014, Scope of Application of International Humanitarian Law, in The Handbook of
International Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press
[49]
34
In Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj, IT-04-84-T, ICTY Appeals
Chamber, Judgement, 3 April 2008, para. 49 as to intensity included such factors as “the number,
duration and intensity of individual confrontations; the type of weapons and other military equipment
used; the number and calibre of munitions fired; the number of persons and type of forces partaking in
the fighting; the number of casualties; the extent of material destruction; and the number of civilians
fleeing combat zones”
35
In Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj, IT-04-84-T, ICTY Appeals
Chamber, Judgement, 3 April 2008, para. 60 as to organization included such factors as “indicative
factors include the existence of a command structure and disciplinary rules and mechanisms within the
group; the existence of a headquarters; the fact that the group controls a certain territory; the ability of
the group to gain access to weapons, other military equipment, recruits and military training; its ability
to plan, coordinate and carry out military operations, including troop movements and logistics; its ability
to define a unified military strategy and use military tactics; and its ability to speak with one voice and
negotiate and conclude agreements such as cease-fire or peace accords.”
36
Jann K. Kleffner. 2014, Scope of Application of International Humanitarian Law, in The Handbook of
International Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press
[50]
37
ibid
In International Armed Conflicts two statuses exist: combatants and civilians.
Combatants comprise two groups: (i) the regular armed forces 38 - essentially the state
armed forces -, and (ii) “members of other militias and members of other volunteer
corps, including those of organized resistance movements, belonging to a Party to the
conflict and operating in or outside their own territory, even if this territory is
occupied” 39 provided that they satisfy the conditions prescribed in article 13 (2) of the
Geneva Convention I. Qualifying as combatants entails entitlement to combatant
immunity and prisoner of war status. Civilians are defined in negative terms as “all
persons who are neither members of the armed forces of a party to the conflict nor
participants in a levée en masse (…) and, therefore, entitled to protection against direct
attack unless and for such time as they take a direct part in hostilities.” 40
In the context of non-international armed conflicts there is no combatant status.
Civilians are “all persons who are not members of State armed forces or organized
armed groups of a party to the conflict … and, therefore, entitled to protection against
direct attack unless and for such time as they take a direct part in hostilities.” 41 So, as
opposed to civilians who do not participate in hostilities, there are state-led armed
forces and also non-state organized armed groups which are the non-state actor armed
forces.
2.2.3. Direct participation in hostilities
2.2.3.1. Requirements
According to the ICRC Interpretive Guidance on the Notion of Direct
Participation in Hostilities, “Acts amounting to direct participation in hostilities must
meet three cumulative requirements: (1) a threshold regarding the harm likely to result
from the act, (2) a relationship of direct causation between the act and the expected
harm, and (3) a belligerent nexus between the act and the hostilities conducted between
the parties to an armed conflict.” 42 The Commentaries on Rule 35 of the Tallinn
Manual show the International Group of Experts agreed to such requirement criteria.
38
According to article 13 (1) Geneva Convention I, include “Members of the armed forces of a Party to
the conflict as well as members of militias or volunteer corps forming part of such armed forces”
39
See article 13 (2) of the Geneva Convention I
40
Melzer, N., Interpretive guidance on the notion of Direct Participation in Hostilities under
International Humanitarian Law, ICRC, May 2009, p. 26
41
Melzer, N., Interpretive guidance on the notion of Direct Participation in Hostilities under
International Humanitarian Law, ICRC, May 2009, p. 26
As to meeting the first requirement – threshold of harm – two alternatives are
possible. The cyber operation must affect (or be intended to affect) the enemy's military
capabilities or operations; it is not necessary that the act cause injury or death to
persons or destruction of objects. Alternatively, the threshold of harm may also be met
when the attacks are conducted against protected objects or persons and result,
respectively, in destruction or injury and death. 43 In practice, a cyber-attack that
causes (or is likely to cause) destruction of or damage to military infrastructure,
thereby diminishing the military capabilities of the adversary, will meet the threshold.
As mentioned previously there must also exist a relation of direct causality
between the act and the harm. For this second requirement to be met the harm must be
the consequence of the particular cyber-attack. 44
Finally, for an action to qualify as direct participation in hostilities there must also
be a belligerent nexus. This means that the operation must be linked to hostilities to
the benefit of one party and consequently to the detriment of the other.
Once the three abovementioned requirements are met the conduct of an individual
can be qualified as direct participation in hostilities. On the other hand, cyber operations
that do not meet all of the defining requirements may have a criminal nature, but have
no relevance in the framework of the law of armed conflicts.
As a consequence of the qualification of conduct as direct participation in hostilities,
individuals lose the protection against direct attack to which civilians are entitled, for
as long as the participation lasts.
2.2.3.2. Temporal extension
As mentioned above, the suspension of protection from direct attack lasts for as
long as civilians participate in hostilities. The question that arises is when does
participation start and end?
42 Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under international
humanitarian law, May 2009, ICRC [50]
43 Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under international
humanitarian law, May 2009, ICRC [51]
44 The Commentary on rule 35 of Tallinn Manual gives as an example “the disruption to the enemy’s
command and control is directly caused by the cyber attack”
First, one should consider that cyber-attacks may have “delayed effects”,
where the action does not coincide with the moment when the related damage occurs.
As such, it makes sense to follow the position (of the majority) of the International
Experts Group expressed in the Commentaries of Rule 35 of the Tallinn Manual,
according to which “the duration of an individual’s direct participation extends from
the beginning of his involvement in mission planning to the point when he or she
terminates an active role in the operation.” 45
Another question concerns multiple and repeated cyber-attacks conducted by an
individual: should the entire period of the attacks, or only the period of each attack,
be considered as direct participation in hostilities? Limiting direct participation in
hostilities to the duration of each cyber-attack allows civilians to lose and regain
civilian protection in between the attacks (the “revolving door” of civilian protection).
Such a position can be considered as opening the door to abuse on the part of civilians.
Nonetheless, the conducting of one cyber-attack does not allow a presumption of
additional future cyber-attacks, and the future conduct of an individual cannot be
predicted. Thus the most adequate position seems to be the one considering that direct
participation in hostilities only exists for as long as each cyber-attack period takes
place. 46
2.2.4. Possibility of stand-alone cyber-attacks?
As already observed supra, the International Experts Group supported the view
that cyber operations alone have the potential of rising to meet the threshold of an
armed conflict and thus International Humanitarian law would be applicable. Even so,
as of today there has not been such armed conflict wherein a party to the conflict
resorted exclusively to the use of cyber weapons.
In this regard Sheldon asseverates that “The real threat lies not in stand-alone
cyber attacks, but in cyber attacks accompanied by attacks and other actions in the
physical realm” 47 and thus considers cyber-attacks as only “meaningful when coupled
with other, more traditional, threats.” 48
45 Commentary on rule 35 of Tallinn Manual
46 In this way, Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under
international humanitarian law, May 2009, ICRC [71]
Given the impossibility of predicting the evolution of cyber weapons and present
day society’s increasing dependency on technology, such a position seems quite
conservative. A less restrictive approach might perhaps be more open to future
possibilities. In line with Terry Gill (et al.), it seems acceptable that while unlikely, “the
possibility of a stand-alone cyber attack, that is, one not occurring in conjunction with an
attack employing traditional kinetic force, rising to the level of an armed attack cannot be
ruled out”. 49 This means that it should not be denied that, insofar as a future
cyber-operation meets the (abovementioned) conditions, it may rise to the threshold of
armed conflict.
As an example of a stand-alone cyber operation that could potentially turn into armed
conflict, major concern surrounds the threat of cyber-attacks that could disrupt the US
electric power grid, resulting in serious economic and national security consequences. 50 On
a related note, the Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) reported 198 cyber incidents against critical infrastructure sectors alone during
2012. Of those incidents, 41% were related to the energy sector. 51 Even with these
recorded instances, no large-scale cyber-operation has yet been carried out (at least none
publicly known).
What has been seen so far are cyber operations in conjunction with conventional
kinetic armed attacks. In the previously mentioned case of the Russia-Georgia conflict,
the conventional kinetic armed attack was accompanied by cyber operations allegedly
conducted by Patriotic Hackers against Georgian governmental and media websites.
However, those cyber operations did not meet the threshold of a cyber-attack since they
only resulted in defacement of targeted websites.
Another situation, as identified by Terry Gill (et al.), does present a case of
combined cyber and kinetic force operations having been used: “in Operation Orchard,
when Israel carried out an airstrike against the Al-Kibar nuclear facility in northern Syria
in September 2007.” 52 Reportedly, Israel conducted cyber operations to disrupt the Syrian
national air defence system and thus successfully enabled an Israeli airstrike. 53
Therefore, while not ruling out the possibility for stand-alone cyber operations in
the future, present expectation is that cyber-attack occurrence will accompany
conventional kinetic attacks.
47 Sheldon, J. B., State of the Art: Attackers and Targets in Cyberspace, Journal of Military and Strategic
Studies, Volume 14, Issue 2, 2012, p. 18 [online via
http://ww.w.jmss.org/jmss/index.php/jmss/article/viewFile/462/458]
48 Ibid
49 Gill, T. D. and Ducheine, P. A. L, Anticipatory Self-Defense in the Cyber Context, International Law
Studies, Volume 89, 2013, p. 459-460 [online via http://dare.uva.nl/document/2/135180]
50 Robert Lenzner, Chinese Cyber Attack Could Shut Down U.S. Electric Power Grid [online via
http://www.forbes.com/sites/robertlenzner/2014/11/28/chinese-cyber-attack-could-shut-down-u-selectric-power-grid/]
51 InfoSecurity, National Electric Grid Remains at Significant Risk for Cyber-attack [online via
http://www.infosecurity-magazine.com/news/national-electric-grid-remains-at/]
52 Gill, T. D. and Ducheine, P. A. L, Anticipatory Self-Defense in the Cyber Context, International Law
Studies, Volume 89, 2013, p. 459-460 [online via http://dare.uva.nl/document/2/135180]; Daveed
Gartenstein-Ross & Joshua D. Goodman, The Attack on Syria's al-Kibar Nuclear Facility, INFOCUS
QUARTERLY, Spring 2009, [online via http://www.jewishpolicycenter.org/826/the-attack-on-syrias-alkibar-nuclear-facility]
53 David A. Fulghum & Douglas Barrie, Israel Used Electronic Attack in Air Strike Against Syrian
Mystery Target, AVIATION WEEK, Oct. 8, 2007 [online via http://www.freerepublic.com/focus/fnews/1908050/posts]
3. Patriotic Hackers
3.1. Characterization
As indicated in the Introduction chapter Holt and Schell advance a definition
according to which Patriotic Hackers are “citizens and expatriates engaging in cyberattacks to defend their mother country or country of ethnic origin.” 54 Similarly, Dinniss
qualifies patriotic hackers as those “individuals and groups motivated by national and
political aims” 55 that conduct cyber-attacks.
According to the quoted definitions, Patriotic Hackers are therefore individuals
who, having ties of allegiance towards a certain country (of nationality or ethnic origin),
conduct politically motivated cyber-attacks against perceived enemies of that country,
in the name of a sense of patriotism and in response to threats or attacks by those
perceived enemies. While in principle Patriotic Hackers conduct cyber operations
independently and of their own will, sometimes there can be – as dealt with below –
some sort of connection with the country on behalf of which the cyber-attacks are
conducted.
Several examples of Patriotic Hackers can be given: the Nashi Youth from Russia;
the Red Hacker Alliance from China; and the Syrian Electronic Army from Syria.
Patriotic Hackers are distinguishable from other cyber actors. For instance, while
Patriotic Hackers’ main concern is the defence of the country to which their patriotism is
devoted, Hacktivists (such as “Anonymous”) are moved by political causes, human
rights, and open access to information. 56 In practice Hacktivists distinguish themselves
from Patriotic Hackers by the absence of a sense of patriotism (at least an exclusive one),
in that their political motivations may actually be aimed at the national authorities of
their country of nationality or ethnic origin. 57 Hacktivists are essentially activists who
hack with the purpose of defending certain social issues.
54 Holt, T. J. and Schell, B. H., Corporate Hacking and Technology-Driven Crime: Social Dynamics and
Implications, New York: Information Science Reference, 2011 [online via New York: Information
Science Reference, 2011]
55 Harrison Dinniss, H. 2013, Participants in Conflict – Cyber Warriors, Patriotic Hackers and Laws of
War, in International Humanitarian Law and the Changing Technology of War, ed. Dan Saxon, Martinus
Nijhoff [251]
56 For a more profound analysis on the difference between Hacktivists and Patriotic Hackers see Dahan,
M. Hacking for the homeland: Patriotic Hackers Versus Hacktivists in Proceedings of the 8th
International Conference on Information Warfare and Security (ICIW 2013), ed. Doug Hart, Academic
Conferences and Publishing International Limited, 2013 [55]
It is questionable whether Cybercaliphate (the cyber arm of the Islamic State of Iraq
and Syria, hereafter ISIS) should be qualified as a Patriotic Hacker. In some sense
Cybercaliphate could be considered as having motivations similar to those of Patriotic
Hackers: conducting cyber-attacks against perceived enemies of the State. However, the
motivation of Cybercaliphate is mostly (if not totally) the expansion and defence of
their religion. Political motivations are relegated to a consequential level. A further
question is whether ISIS is a State in terms of International law or rather an organized
armed group. From a strictly (more or less) formal perspective – and independent of the
question of international recognition – ISIS should not be qualified as a State, at least in
the sense of the 1933 Montevideo Convention 58, given that the criteria for statehood are
not met. ISIS is an organized armed group. Thus the mentioned cyber arm of ISIS should
not be qualified as a Patriotic Hacker group. Denning considers the Cybercaliphate as an
entity parallel to Hacktivists and Patriotic Hackers. 59
Regarding the organization and execution of cyber operations, Patriotic Hackers
can act individually or as a group. The manner of organization of cyber-attacks can have
legal consequences, as will be seen below. Regarding the organization and potential
damage of attacks, there is no consensus. On the one hand, some (probably
alarmist 60) media claim that one individual alone has the technological ability to bring
down the entire network of a country 61; on the other hand, according to other entities
“the most comprehensive of cyber attacks against a nation would be a substantial
operation. The simultaneous targeting of an entire country’s most crucial government and
critical infrastructure networks would be enormously complicated, and would likely
require the type of resources only a state could leverage.” 62
57 A practical example of the difference between Hacktivists and Patriotic Hackers is the one when
th3j35t3r (the jester) – a known US Patriotic Hacker – attacked Wikileaks, following the release of a
collection of secret U.S. government documents. See, Neil J. Rubenking, Wikileaks Attack: Not the First
by th3j35t3r, PCMAG, [online via http://www.pcmag.com/article2/0,2817,2373559,00.asp]
58 For instance ISIS lacks a defined territory and it is very doubtful whether it has the capacity to enter
into relations with other countries.
59 Denning, D. E., Cyber Conflict as an emergent Social Phenomenon in Corporate Hacking and
Technology-Driven Crime: Social Dynamics and Implications, (ed. Thomas J. Holt et al.) New York:
Information Science Reference, 2011 [172]
60 At least given what we have witnessed so far.
61 Cristen Conger, Could a single hacker crash a country’s network? [online via
http://computer.howstuffworks.com/hacker-crash-country-network1.htm]
Assessing the organization of cyber operations and attacks, the sections to follow
will review the scenarios in which Patriotic Hackers have, or do not have, a relationship
with the home State. In the case where Patriotic Hackers lack state sponsorship,
further review will evaluate two subgroups: organized armed groups, and individuals
and unorganized armed groups.
3.2. Patriotic Hacking attacks
Regarding the kind of attacks conducted by Patriotic Hackers, so far they have
typically been limited to Web Defacements 63, Distributed Denial of Service Attacks 64
and Malware Attacks 65. The following non-exhaustive list gives some examples of
politically motivated attacks conducted by Patriotic Hackers.
| Victim State | Nationality of Hacker (or Group) | Type of Attack | Description |
| --- | --- | --- | --- |
| U.S.A. | Chinese | DDoS | In 1999, following the US accidental bombing of the Chinese embassy in Belgrade, Web sites at the departments of Energy and the Interior and the National Park and www.whitehouse.gov were the object of attack. 66 |
| US/China | Honkers Union of China/US (or ally) Hackers | Web Defacement | Following an incident involving a US spy plane and a Chinese Jet Fighter, 80 US and 100 Chinese web sites were defaced. 67 |
| Estonia | Russian (allegedly) | DDoS | Following a decision of the Estonian Authorities to relocate the Bronze Soldier Soviet war memorial in Tallinn, allegedly Russian Hackers, during a three week period, targeted Estonian governmental, private and media websites through a series of DDoS attacks. 68 |
| Georgia | Russian Business Network | DDoS and Web defacement | In 2008, simultaneously with the conventional armed conflict that opposed the Russian Federation and Georgia over South Ossetia, Georgian governmental and media websites were the object of defacement and DDoS attacks. 69 |
| U.S.A. | Syrian Electronic Army | Web defacement | In 2013 the Syrian Electronic Army, in face of the possibility of US Marines potentially being drawn into the Civil war in Syria, defaced the US Marines Corps web site. 70 |

62 Alexander Klimburg (ed.), National Cyber Security Framework Manual, NATO Cooperative Cyber
Defence Centre of Excellence, Tallinn, Estonia, 2012
63 Website defacement is an attack on a website that changes the visual appearance of the site or a
webpage.
64 A DoS attack is a malicious attempt by a single person or a group of people to cause the victim, site, or
node to deny service to its customers. When this attempt derives from a single host of the network, it
constitutes a DoS attack. When it derives simultaneously from multiple malicious hosts coordinated to
flood the victim with an abundance of attack packets, it is called a Distributed DoS or DDoS attack.
65 Malware is short for malicious software. It is code or software that is specifically designed to damage,
disrupt, steal, or in general inflict some other “bad” or illegitimate action on data, hosts, or networks. It
comprises viruses, worms, Trojans, and bots.
66 Ellen Messmer, Kosovo cyber-war intensifies: Chinese hackers targeting U.S. sites, government says,
CNN [online via http://edition.cnn.com/TECH/computing/9905/12/cyberwar.idg/]
The question is whether these attacks qualify as cyber-attacks that reach the
threshold of a cyber armed conflict. The answer, as will be seen below, is negative.
But then when do cyber-attacks (alone) reach such threshold?
67 Sarah Left, Chinese and American hackers declare 'cyberwar', The Guardian [online via
http://www.theguardian.com/technology/2001/may/04/china.internationalnews]
68 Ian Traynor, Russia accused of unleashing cyberwar to disable Estonia, The Guardian [online via
http://www.theguardian.com/world/2007/may/17/topstories3.russia]
69 Jon Swaine, Georgia: Russia 'conducting cyber war', The Telegraph [online via
http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyberwar.html]
70 David Gilbert, Syrian Electronic Army Cyber Attacks Continue With US Marines Hack, IBTimes
[online via http://www.ibtimes.co.uk/syrian-electronic-army-hacks-marine-website-hacked-503037]
3.3. Standalone Patriotic Hacking reaching the level of armed conflict?
3.3.1. International Armed Conflict
As mentioned above, an IAC is an armed conflict that opposes two or more states.
In view of that, it seems accurate to say that Patriotic Hacking will only trigger an IAC
when the cyber operations conducted by the hackers are state sponsored and thus such
actions are attributable to the state. 71 Additionally, it would be necessary for the
cyber-attacks conducted by the Patriotic Hackers to reach a certain degree of violence
against the adversary. 72 That would be the case where the cyber-attack resulted in
damage or physical injury.
Another question is the required duration of the violence. In this regard the
International Experts Group was divided. While some considered that a single cyber
operation that caused “a fire to break out at a small military installation would suffice
to initiate an international armed conflict.”, others were of the view that “a single
cyber incident that causes only limited damage, destruction, injury or death would not
necessarily initiate an international armed conflict”. 73
A cyber-attack aimed at the critical national infrastructure – such as the national
power grid 74 – causing severe damage to it and eventual destruction would suffice to
meet the threshold of an armed attack.
The fact is that to date no (solely) cyber international armed conflict has
happened. As was mentioned before, none of the attacks listed in
Chapter 3.2 met such threshold. While the DDoS attacks in those cases were directed
towards taking down websites, such attacks can also be targeted at servers or networks.
Some believe that through DDoS attacks it is possible to disrupt “industrial control
systems such as supervisory control and data acquisition (SCADA) and programmable logic
controllers (PLCs)” or (at least) facilitate secondary attacks (for instance by implanting
malware). 75 76
71 See Rule 149 of IHL Customary International Law. The attribution to the state of the responsibility for
operations conducted by a non-state actor will also be dealt with infra in Chapter 4.2.
72 Article 49(1) AP I
73 See Commentaries to Rule 22 of Tallinn Manual
74 The NSA Director already manifested that at least China has the ability to take down US power grids.
See Ken Dilanian, NSA Director: Yes, China Can Shut Down Our Power Grids, Business Insider [online
via http://uk.businessinsider.com/nsa-director-yes-china-can-shut-down-our-power-grids-2014-11?r=US]
75 See Sahba Kazerooni, The Growing Threat of Denial-of-Service Attacks, Electric Light & Power,
[online via http://www.elp.com/articles/powergrid_international/print/volume-20/issue-2/features/thegrowing-threat-of-denial-of-service-attacks.html]
Notwithstanding what so far has been said, it seems that the assessment on
whether a conflict reaches the threshold of a cyber armed conflict has to be made on a
case by case basis.
3.3.2. Non-International Armed Conflict
Regarding NIAC, a first distinction should be established at the outset. Under AP II
a NIAC is one which, taking place in the territory of a High Contracting Party, opposes
its “armed forces to a dissident armed forces or other organized armed groups which,
under responsible command, exercise such control over a part of its territory as to
enable them to carry out sustained and concerted military operations”. 77 Given that
cyber operations alone are insufficient to constitute physical control over a territory, a
standalone Patriotic Hacking operation reaching the threshold of a NIAC is not possible
under the AP II.
However, Common Article 3 does not require physical control of the territory.
Two situations can be devised: (i) a NIAC where Patriotic Hacking operations are
conducted against a rebel armed group; and (ii) a NIAC where Patriotic Hackers – not
acting on behalf of their country or homeland 78 -, attack another country.
The threshold of Common Article 3 is lower than the one established by AP II.
Under Common Article 3, whether a NIAC exists depends on the level of violence taking
place and the degree of organization of the parties to the conflict. For the threshold to
be met, as developed in the Tadic case, protracted armed violence between
organized armed groups and/or a State is required. It should be noted that a sporadic
cyber-attack will not meet the threshold, rising only to the level of internal
disturbances. Continuity of violence is also required. The group must also be an organized
armed group. For that purpose, “armed” should be understood as having the ability to
conduct cyber-attacks, whereas “organized” implies a certain organizational structure,
acting in a coordinated manner towards a common objective. The organization criterion
always has to be assessed on a case by case basis.
76 ICS are command and control networks and systems designed to support industrial processes – for
instance SCADA (Supervisory Control and Data Acquisition) systems. They allow from a remote
location to control local field operations such as opening and closing valves and monitoring and
controlling the local conditions.
77 Article 1(1) AP II
78 Otherwise – if acting on behalf of – the conflict is internationalized
In the case of a NIAC where Patriotic Hacking operations are conducted against a
rebel cyber armed group, one practical example that could be mentioned would be
cyber-attacks directed towards disrupting the communication ability of the rebel groups
by, for instance, destroying the computers or the network communications.
On the other hand, in a NIAC where Patriotic Hackers – not acting on behalf of
their country or homeland 79 – attack another country, a practical example could be the
one (already mentioned above regarding IAC) of conducting cyber-attacks against the
National Critical Infrastructure (e.g., telecommunications and electrical power grids)
with such violence as to disrupt or destroy it.
3.4. State sponsored Patriotic hackers
As previously mentioned the legal status of combatant essentially comprises two
groups: (i) the regular armed forces 80 - essentially the state armed forces -, and (ii)
“members of other militias and members of other volunteer corps, including those of
organized resistance movements, belonging to a Party to the conflict and operating in
or outside their own territory, even if this territory is occupied” 81 provided that they
satisfy the following conditions: “(a) commanded by a person responsible for his
subordinates; (b) having a fixed distinctive sign recognizable at a distance; (c) carrying
arms openly; and, (d) conducting their operations in accordance with the laws and
customs of war.” 82
It follows that a group of civilian hackers that conducts cyber operations
with state sponsorship could be included in the second category of combatants as
irregular armed forces. Of course, to be considered as such, the abovementioned
conditions have to be fulfilled. Insofar as they fulfil the mentioned conditions, one could
mention as an example the case of China recruiting unpaid civilians from the hacker
community and high tech companies into their cyber militia. 83 Another example is the
Estonian Cyber Defence League - “an all-volunteer paramilitary force dedicated to
maintaining the country's security and preserving its independence.” 84 - that includes
not only government agencies but also private specialists. Regarding the condition that
a group is commanded by a person responsible for the subordinates, this may likely be
a somewhat natural consequence of the organization of a group. The fact that the
“cyber” group is only virtual and has no physical contact does not necessarily mean that
the condition is not fulfilled. Insofar as there is organization 85 and a “chain of
command” exists, it could be argued that the condition of leader responsibility is
fulfilled.
As to the condition of bearing a distinctive sign, this corresponds to the
undisputed customary rule of International Humanitarian Law that combatants must
distinguish themselves from the civilian population. This requirement is a rule of
customary international law, which has been codified in the Geneva Convention III 86
and the Additional Protocol I 87.
The final condition for combatant status is the obligation of conducting operations
in accordance with the laws and customs of war. Without prejudice to such obligation,
there can be cases of violation of the Law or Customary Law by certain individuals
within the group – as also may happen within conventional warfare. Failure by
individuals to comply with the obligation of respecting the law does not mean that they
lose their legal status of combatants, but only that they may be tried for their actions;
namely for war crimes.
The concept of Civilian Hackers sponsored by the State could at some point be
confused with the concept of mercenaries. Article 47 (2) of the Additional Protocol I 88
defines the concept of mercenary. Without extending too much on this particular topic,
Patriotic Hackers are individuals who, having ties of allegiance towards a certain
country (of nationality or ethnic origin), conduct politically motivated cyber-attacks
against perceived enemies of that country, in the name of a sense of patriotism. Given that
their motivation is not private monetary gain, no such confusion should arise.
79 Otherwise – if acting on behalf of – the conflict is internationalized
80 According to article 13 (1) Geneva Convention I, include “Members of the armed forces of a Party to
the conflict as well as members of militias or volunteer corps forming part of such armed forces”
81 See article 13 (2) of the Geneva Convention I
82 Ibid
83 Anthony Capaccio, China Most Threatening Cyberspace Force, U.S. Panel Says [online via
http://www.bloomberg.com/news/articles/2012-11-05/china-most-threatening-cyberspace-force-u-spanel-says];
Shannon Tiezzi, China (Finally) Admits to Hacking [online via
http://thediplomat.com/2015/03/china-finally-admits-tohacking/?utm_content=buffer5af99&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer];
Mandiant, APT1 Exposing One of China’s Cyber Espionage Units [online via
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf]
84 Tom Gjelten, Volunteer Cyber Army Emerges In Estonia [online via
http://www.npr.org/2011/01/04/132634099/in-estonia-volunteer-cyber-army-defends-nation]
85 The concept of organization shall be discussed in detail infra. See Chapter 3.3.1
86 See article 4 (A)
87 See article 44(3)
88 A mercenary is “any person who: (a) is specially recruited locally or abroad in order to fight in an
armed conflict; (b) does, in fact, take a direct part in the hostilities; (c) is motivated to take part in the
hostilities essentially by the desire for private gain and, in fact, is promised, by or on behalf of a Party to
the conflict, material compensation (…); (d) is neither a national of a Party to the conflict nor a resident
of territory controlled by a Party to the conflict; (e) is not a member of the armed forces of a Party to the
conflict; and (f) has not been sent by a State which is not a Party to the conflict on official duty as a
member of its armed forces.”
As will be discussed below the fact that states sponsor the conduct of cyber
operations will have important consequences, namely the eventual accountability of
those states for wrongful acts resulting from such operations.
Based on the information provided, it should be concluded that whenever Patriotic
Hackers are conducting cyber operations that are state-sponsored, and insofar as the
conditions prescribed in article 13 (2) of the Geneva Convention I are met, the hacker
parties should be considered as irregular armed forces. In such case, Patriotic Hackers
should be recognized under the legal status of combatants, thus being entitled to all the
rights and obligations of such status, for instance prisoner of war status. In cases where
the conditions of the abovementioned provision are not met, the Patriotic Hacker, even
if state-sponsored, does not attain combatant status.
3.5. Non-State sponsored Patriotic Hackers
3.5.1. Organized Armed Groups
The concept of organized armed groups (hereafter, OAG) is of utmost
importance within non-international armed conflicts; which exist when there is
protracted armed violence between governmental authorities and organized armed
groups or between such groups within a State. 89 The threshold of a NIAC is met with
a certain intensity of hostilities and the involvement of an organized armed group.
As previously noted, the ICTY jurisprudence identifies some factors that can
help assess the required intensity and organization of the armed group. 90
As to the required intensity of hostilities, no stand-alone cyber operations
conducted by non-State actors that rise to the level of triggering a non-international
armed conflict have yet occurred within the cyber realm, although the future possibility
of such should not be ruled out. Certainly, governmental website defacements – as those
that have been carried out thus far – do not suffice to meet the requirements of intensity.
Regarding the required organization criteria, hackers who work individually (or
autonomously) can immediately be dismissed from consideration. Remaining, the
89
Prosecutor v. Tadic, IT-94-1, ICTY Appeals Chamber, Decision on the Defence Motion for
Interlocutory Appeal on Jurisdiction, 2 October 1995, para. 70
90
See supra chapter 2.2.1
31
“Patriotic Hackers”: Non-State Actors fighting wars for the states?
International Experts Group devised two categories: groups of individuals that operate
“collectively” and those that operate “cooperatively”. The former would be the case of
those who lack coordination in conducting attacks despite acting simultaneously and
with a shared purpose. The latter would be the case of those who have such
coordination or, as the International Experts Group describes it: “a distinct online group
with a leadership structure that coordinates its activities by, for instance, allocating
specified cyber targets amongst themselves, sharing attack tools, conducting cyber
vulnerability assessments, and doing cyber damage assessment to determine whether
‘reattack’ is required”. 91 Although it seems that this described situation would be the
only case in which the organization criteria were satisfied, the collective conclusion
appears to be that evaluation of meeting the organization criteria must be done on a
case-by-case basis.
The organization of a cyber armed group differs from that of conventional
organized armed groups. In the Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi
Brahimaj Case, the ICTY identified as indicative factors of organization, among
others, the existence of a headquarters and control of territory. Such factors are
irrelevant to the qualification of the level of organization of a cyber armed group.
Another important difference: no physical presence or meeting is required for the
existence of the organization.
Nevertheless, it appears that the conclusion on the satisfaction of the organization
criteria depends on a case-by-case evaluation.
Within a NIAC, organized armed groups are understood as the armed forces of
the non-state actor. Thus, Patriotic Hackers who are members of an organized armed
group, “whose continuous function involves the preparation, execution, or command of
acts or operations amounting to direct participation in hostilities are assuming a
continuous combat function”. 92 Therefore in the case of organized armed groups the
participation in hostilities does not qualify as DPH.
But it is not only in NIAC that organized armed groups may have relevance
while conducting cyber operations. During an IAC, Patriotic Hackers as an organized
armed group not belonging to a party of the conflict could conduct cyber-attacks against
another party to the conflict. In such a scenario, given that they did not belong to any of
91 Commentary on Rule 23 of the Tallinn Manual
92 Melzer, M., Interpretive guidance on the notion of Direct Participation in Hostilities under International Humanitarian Law, ICRC, May 2009, p. 34
the parties in the conflict, they would not be seen as part of those armed forces.
Therefore they would retain a civilian status. Thus, insofar as the conditions are met,
civilians involved with an organized armed group that does not belong to a party of the
conflict, but engages in hostilities, would be in DPH.
As discussed earlier in the Introduction chapter, during the conflict between
the Russian Federation and Georgia over South Ossetia – simultaneously with a
conventional armed conflict conducted by both States, which qualified as an IAC –
several Distributed Denial of Service (DDoS) cyber-attacks were conducted against
Georgian network servers, consequently disrupting many (governmental and media)
websites. These cyber-attacks – according to public reports – were carried out by groups of
hackers (namely the RBN) without any connection to the state. 93 Russian authorities
denied allegations of linkage. However, regarding the nature of the cyber-attacks
conducted, the threshold of a cyber armed conflict was not met. Thus the actions
conducted by the RBN were not relevant under International Humanitarian Law.
3.5.2. Unorganized Armed Groups or individuals
A third category comprises armed groups that do not satisfy the organization
criteria and hackers that act individually.
As a matter of fact, Patriotic Hackers may also act and conduct cyber operations,
individually or as an unorganized armed group, only on the basis of their beliefs, namely
the defence of their homeland or ethnic origins, and without any support from or
cooperation with other individuals or sponsorship by the State.
The participation of such persons in hostilities has important consequences. For
instance, if an individual participates in hostilities, protection from being targeted is
lost for as long as that participation takes place.
But when should the actions conducted by patriotic hackers during armed conflicts be
qualified as DPH? As already stated above 94, three requirements must be met: a threshold
of harm; a relation of direct causality between the act and the harm; and a
belligerent nexus. In practice this means that cyber operations
conducted by unorganized armed groups or individuals will be qualified as DPH
93 John Markoff, Before the Gunfire, Cyberattacks, The New York Times [online via http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0]
94 See chapter 2.2.3
whenever they conduct cyber operations, on behalf of one party to the conflict, that
either were intended to affect or did affect the enemy’s military capabilities or
operations (it not being necessary that the act causes injury or death to persons or
destruction of objects) or, alternatively, were conducted against protected objects or
persons and resulted, respectively, in destruction or in injury and death, the resulting
harm being a consequence of the cyber-attack.
Such would be the case if an unorganized group conducted a cyber-attack, within
a NIAC, against a rebel armed group, aimed at destroying that group’s communications
equipment and thereby disrupting its communications.
4. Attribution and legal responsibility for cyber attacks
Attribution of cyber operations is of extreme relevance for states. For instance the
exercise of self-defence by a victim State is dependent upon determining who conducted
the cyber-attack, meaning the identification of the (state-sponsored) group or the
State that conducted such an operation.
While in conventional armed conflicts involving kinetic attacks such attribution is
easier - given for instance that weapons and military personnel are clearly identified -
within the cyber realm attribution poses a real problem. As a matter of fact, the
anonymity potential of internet activity – as well as the constant development of
technologies – makes the task of determining accurate attribution very difficult.
Furthermore, even when some certainty can be ascertained regarding the origin
of an attack, it remains questionable whether an individual acted alone or if there was
any state involvement; and thus who should be considered as legally responsible?
Attribution encompasses two dimensions: technical attribution and legal
attribution.
4.1. Technical attribution
Technical attribution is the use of computer forensic techniques to determine the
“identity or location of an attacker or an attacker’s
intermediary.” 95 The location may be physical, or an IP 96 or MAC address 97.
Many problems arise in pinpointing technical attribution. For instance, in a
DDoS attack, a network of bot computers – computers infected by, for example,
Trojan horses – is used, so the attack will appear to have multiple
(intermediary) origins and determining the actual origin is complex. Additionally,
95 Wheeler, D. A., Techniques for Cyber Attack Attribution, Institute for Defense Analyses, October 2003 [1]
96 An IP address consists of four sets of numbers from 0 to 255, separated by three dots, assigned by the Internet Service Provider (ISP). An IP address can be static (always the same) or dynamic (changing every time the system is logged on).
97 MAC Address stands for "Media Access Control Address," and is a hardware identification number that uniquely identifies each device on a network. The MAC address is manufactured into every network card, such as an Ethernet card or Wi-Fi card, and therefore in principle cannot be changed. See <http://techterms.com/definition/macaddress>
attackers may spoof their IP address, obscuring their actual location and thus blocking the
discovery of the attack’s origin.
Complexities aside, attribution is of utmost importance. As Glennon stated,
attribution is the “ability to say “who did it” (…) that makes law work. When a
transgressor can be identified, penalties can be assessed, and retaliation and deterrence
are possible―and so is legal regulation. Attribution permits the target to assign
responsibility. It provides the rules’ ultimate enforcement mechanism―the ever-present
threat of retaliation and punishment.” 98
Despite the constant evolution of attack techniques, governments and some
private security corporations do seem to have at least some ability to trace the origins of
cyber-attacks. As a matter of fact, the development of means to determine cyber-attack
attribution appears to be of major concern. 99 As an example, Sony was recently targeted
with cyber-attacks, reportedly because of a movie in which Kim Jong-un and the North
Korean regime were satirized. 100 In this case, the evolution of cyber-attack attribution
capability was evident, as the US (voiced by President Barack Obama) was able to
attribute the attack to the Democratic People's Republic of Korea on the basis of
information gathered by the NSA. 101
4.2. Legal attribution
Once the authorship of a certain cyber-attack has been established via technical
attribution, the next step is legal attribution. In some situations even though
cyber operations are conducted by private actors, they may still be attributable to the
98 Glennon, M. J., The Road Ahead: Gaps, Leaks and Drips, International Law Studies, Volume 89, 2013 [380]
99 Department of Defense, Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934, November 2011 [online via http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf] [(…) the Department seeks to increase our attribution capabilities by supporting innovative research and development in both DoD and the private sector. This research focuses on two primary areas: developing new ways to trace the physical source of an attack, and seeking to assess the identity of the attacker via behavior-based algorithms. In the near future, the Department intends to expand and deploy applications that detect, track, and report malicious activities across all DoD networks and information systems on a near real-time basis.]
100 James Cook, Sony Hackers Have Over 100 Terabytes Of Documents. Only Released 200 Gigabytes So Far, Business Insider [online via http://uk.businessinsider.com/the-sony-hackers-still-have-a-massive-amount-of-data-that-hasnt-been-leaked-yet-2014-12?r=US]. However it should be noted that this cyber-attack does meet the threshold of cyber armed attack.
101 David E. Sanger and Martin Fackler, N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say, The New York Times [online via http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html]
State. Having identified that the core aim of Patriotic Hackers is conducting cyber
operations to defend the country (to which they relate) from threats of perceived
enemies, a connection to the State may exist in some circumstances. Accordingly,
situations in which a Patriotic Hacker acts in connection with the State should be
examined to determine whether responsibility for the cyber operation should be attributed
to the State.
The legal examination has to be made within the appropriate legal framework. Of
particular relevance to that framework are Article 3 of the Hague Convention IV 102,
Article 91 of AP I 103, Rules 149 104 and 150 105 of Customary IHL, the ILC Articles on
State Responsibility and, finally, Rule 6 of the Tallinn Manual 106.
Expanding on the subject of legal examination, the tripartite groupings of Patriotic
Hackers will be addressed: state sponsored organized armed groups; non-state
sponsored organized armed groups; and, finally, non-state sponsored unorganized
groups and individuals.
4.2.1. State Sponsored
A few scenarios in which cyber operations are conducted by Patriotic Hackers that
are sponsored by the state must be considered.
The first is the case of Patriotic Hackers being recruited by the State. As
previously mentioned, China reportedly recruits from the hacker community and high
tech companies for its cyber militia. 107 One such example is the PLA Unit 61398.
Another example is the Estonian Defence League which, although composed of
volunteers, is “part of the Defence Forces, a voluntary militarily organised national
102 “A belligerent party which violates the provisions of the said Regulations shall, if the case demands, be liable to pay compensation. It shall be responsible for all acts committed by persons forming part of its armed forces.”
103 “A Party to the conflict which violates the provisions of the Conventions or of this Protocol shall, if the case demands, be liable to pay compensation. It shall be responsible for all acts committed by persons forming part of its armed forces.”
104 “A State is responsible for violations of international humanitarian law attributable to it, including: (a) violations committed by its organs, including its armed forces; (b) violations committed by persons or entities it empowered to exercise elements of governmental authority; (c) violations committed by persons or groups acting in fact on its instructions, or under its direction or control; and (d) violations committed by private persons or groups which it acknowledges and adopts as its own conduct.”
105 “A State responsible for violations of international humanitarian law is required to make full reparation for the loss or injury caused.”
106 “A state bears international legal responsibility for a cyber operation attributable to it and which constitutes a breach of an international obligation”
107 See supra footnote 60
defence organisation operating in the area of government of the Ministry of
Defence.” 108
Article 13 (1) of the Geneva Convention I provides that armed forces include
“members of the armed forces of a Party to the conflict as well as members of militias
or volunteer corps forming part of such armed forces.”
Therefore any Patriotic Hackers recruited under such circumstances would be
considered as part of the armed forces and the cyber operations they conducted would be
attributable to the State. This conclusion is supported by Article 3 of the Hague
Convention IV, Article 91 of AP I, Rule 149 (a) of Customary IHL and Article 4 of the
ILC ARSIWA.
Another case is when a private actor is not part of a state entity (such as the
armed forces) for the purpose of Article 4 of ILC ARSIWA, but under domestic law is
empowered to exercise governmental authority. In the Phillips Petroleum Co. Iran v.
Islamic Republic of Iran case, the tribunal stated that “international law recognizes that
a State may act through organs or entities not part of its formal structure. The conduct
of such entities is considered an act of the State when undertaken in the governmental
capacity granted to it under the internal law. See article 7(2) of the draft articles on
State responsibility adopted by the International Law Commission, Yearbook
International Law Commission 2 (1975), at p. 60. The 1974 Petroleum Law of Iran
explicitly vests in NIOC “the exercise and ownership right of the Iranian nation on the
Iranian Petroleum Resources”. NIOC was later integrated into the newly-formed
Ministry of Petroleum in October 1979.” 109 Of note, the ILC admits that Article 5 may
be applied to “public corporations, semi-public entities, public agencies of various
kinds”. 110 Accordingly, offensive cyber operations would be attributable to the state
when conducted by Patriotic Hackers recruited by entities that were granted power to
exercise governmental authority.
A third scenario to be considered is the situation where the conduct of individuals
or groups of individuals is directed or controlled by the state. Article 8 of the ILC
108 See online http://www.kaitseliit.ee/en/edl
109 Iran-United States Claims Tribunal, [Phillips Petroleum Co. Iran] v. Islamic Republic of Iran, Award No. 326–10913–2, 3 November 1987, Iran-United States Claims Tribunal Reports, vol. 21 (1989), p. 79, § 89, footnote 22.
110 United Nations, Draft articles on Responsibility of States for Internationally Wrongful Acts, with commentaries 2001, [13] [online via http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf]
ARSIWA prescribes that “The conduct of a person or group of persons shall be
considered an act of a State under international law if the person or group of persons is
in fact acting on the instructions of, or under the direction or control of, that State in
carrying out the conduct.”
The situation of an entity acting on the instructions of the State is apparently easier
to identify. The ILC suggests that “cases of this kind will arise where State organs
supplement their own action by recruiting or instigating private persons or groups who
act as “auxiliaries” while remaining outside the official structure of the State. These
include, for example, individuals or groups of private individuals who, though not
specifically commissioned by the State and not forming part of its police or armed
forces, are employed as auxiliaries or are sent as “volunteers” to neighbouring
countries, or who are instructed to carry out particular missions abroad.”
But in what case would an entity’s conduct be considered as “controlled” by the
State? In other words, what is the threshold degree of “control” necessary to be met?
The ICJ had the opportunity to analyse this concept of control during the
judgement of the case of Military and Paramilitary Activities in and against Nicaragua
(hereafter, Nicaragua case). The question posed to the Court was whether the Contras’
conduct was attributable to the US and thus whether the latter was to be held responsible for IHL
breaches. The Court took the view that “United States participation, even if
preponderant or decisive, in the financing, organizing, training, supplying and
equipping of the contras, the selection of its military or paramilitary targets, and the
planning of the whole of its operation, is still insufficient in itself (…), for the purpose of
attributing to the United States the acts committed by the contras in the course of their
military or paramilitary operations in Nicaragua” 111 and concluded that “For this
conduct to give rise to legal responsibility of the United States, it would in principle
have to be proved that that State had effective control of the military or paramilitary
operations in the course of which the alleged violations were committed.” 112 According
to the “effective control” test, for the act to be attributable it has to be proven that the
111 ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, § 115 [online].
112 Ibid
State participated in the planning, direction, support and execution of the armed
operations. 113
In the Tadic Case, the ICTY was confronted with a similar situation. The
question was whether the Bosnian Serbs were or were not agents of the (now) Former
Republic of Yugoslavia. It should first be noted that the ruling distinguished between
military and non-military organized armed groups and individuals. 114 The ICTY rejected the
“effective control” test and ruled that the “overall control” over the armed group was
sufficient for the attribution of its action to a State. According to the ICTY ruling “an
organised group differs from an individual in that the former normally has a structure,
a chain of command and a set of rules as well as the outward symbols of authority.
Normally a member of the group does not act on his own but conforms to the standards
prevailing in the group and is subject to the authority of the head of the group.
Consequently, for the attribution to a State of acts of these groups it is sufficient to
require that the group as a whole be under the overall control of the State.” 115
Furthermore the ruling establishes that “In order to attribute the acts of a military or
paramilitary group to a State, it must be proved that the State wields overall control
over the group, not only by equipping and financing the group, but also by coordinating
or helping in the general planning of its military activity. Only then can the State be
held internationally accountable for any misconduct of the group. However, it is not
necessary that, in addition, the State should also issue, either to the head or to members
of the group, instructions for the commission of specific acts contrary to international
law.” 116 Thus the ICTY “overall control” test broadens the scope of state responsibility
further than the “effective control” test does.
In the Application of the Convention on the Prevention and Punishment of the
Crime of Genocide Case (hereafter, Genocide Case), the ICJ was again confronted with
the question of the degree of control required for an action of a group to be attributable
to a State. In the end the ICJ ruled against “overall control” and was of the opinion that
“effective control” should prevail given that the former had “the major drawback of
broadening the scope of State responsibility well beyond the fundamental principle
governing the law of international responsibility: a State is responsible only for its own
113 See Grosswald, L., Cyberattack Attribution Matters under Article 51 of the U.N. Charter, Brooklyn Journal of International Law, Vol. 36, 2010-2011, [1160] [via HeinOnline]
114 The consideration of the ICTY over non-organized armed groups shall be dealt with infra in Chapter 4.2.3
115 Prosecutor v. Tadic, IT-94-1-A, ICTY Appeals Chamber, Judgement, 15 July 1999, § 120
116 Ibid, § 131
conduct, that is to say the conduct of persons acting, on whatever basis, on its behalf
(…) the “overall control” test is unsuitable, for it stretches too far, almost to breaking
point, the connection which must exist between the conduct of a State’s organs and its
international responsibility” 117
It can be concluded that whenever Patriotic Hackers engage in cyber
operations under the direction or control of the State, or on specific instructions
issued by the State, those operations will be attributable to the State.
Conversely, whenever Patriotic Hackers engage in cyber operations on their own
initiative, state responsibility will logically be excluded.
As previously discussed, during the Georgia-Russia conflict cyber-attacks were
conducted against Georgia, reportedly by the RBN. Although involvement of the
Russian authorities was unclear, and officially denied, 118 if it were to be proven that
the Russian authorities indeed had effective control over such cyber-operations, then the
attacks would be attributable to Russia.
4.2.2. Non-State Sponsored
4.2.2.1. Organized Armed Groups
Article 1(1) of the AP II restates the customary rule that armed groups shall
operate under responsible command. However, the AP II was only signed by 168 States
and thus only applies to conflicts that take place in the territories of those State parties.
Moreover, Article 1(1) of the AP II presupposes physical control over part of
the territory of one of the State parties. Given that cyber operations cannot in principle
grant such physical control, the AP II is not likely to be applicable to stand-alone cyber
warfare. 119 Nonetheless, under customary law, non-state organized armed groups are
obliged to respect IHL. 120
As a principle, a State cannot be held responsible for the acts of non-State
organized armed groups. Given that an NIAC involves (non-State) organized armed
groups acting against the (State) government forces, it would be odd for the State to be
117 ICJ, 26-02-2007, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgement, § 406 [online].
118 John Markoff, Before the Gunfire, Cyberattacks, The New York Times [online via http://www.nytimes.com/2008/08/13/technology/13cyber.html]
119 Of course, if those cyber operations are simultaneous with conventional kinetic attacks and there is in fact control over part of the territory by the organized armed group, then the applicability of AP II could not be questioned.
120 Rule 139 of IHL Customary International Law
held responsible for the actions of those organized armed groups, at least in so far and as
long as the government remains in office. The Sambaggio Case provides an example of
the application of such principle where it was considered that “from the standpoint of
general principle, that, save under the exceptional circumstances indicated, the
Government should not be held responsible for the acts of revolutionists because — 1.
Revolutionists are not the agents of government, and a natural responsibility does not
exist. 2. Their acts are committed to destroy the government, and no one should be held
responsible for the acts of an enemy attempting his life. 3. The revolutionists were
beyond governmental control, and the Government cannot be held responsible for
injuries committed by those who have escaped its restraint.” 121
In the event that operations conducted by an organized armed group succeed in
overthrowing the government or eventually a new state is formed by secession, then it
makes sense that the State would be assigned responsibility for the actions of the
organized armed group. Continuity exists between the armed group and the new
government which explains the legal responsibility for the operation that otherwise
would not exist.
During an armed conflict a non-State armed group may engage in cyber
operations that would not in any way be attributable to the State, but the State expresses
its support for the operations by acknowledging and adopting them as its own. In such
cases, the operations would be considered as an act of that State and therefore the State
will have indirect responsibility. 122
Such was the situation in the Tehran Hostages Case. In this case, after a group of
Iranian students took over the US embassy and held embassy personnel hostage (an action
which would not be attributable to Iran), the Ayatollah Khomeini on November 17, 1979
issued a decree approving the actions by stating that “the premises of the Embassy
and the hostages would remain as they were until the United States had handed over the
former Shah for trial and returned his property to Iran.” 123 According to the ILC
Commentaries, not just any level of support will suffice to establish State responsibility:
“the term “acknowledges and adopts” in article 11 makes it clear that what is required
121 Sambaggio Case (Italy v. Venezuela) (Mixed Claims Commission Italy-Venezuela) (1903) 10 Reports of International Arbitral Awards, Vol. X [513] [online via http://legal.un.org/riaa/cases/vol_X/477-692.pdf]
122 See Article 11 of the ILC ARSIWA
123 ICJ, 24-05-1980, United States Diplomatic and Consular Staff in Tehran (United States of America v. Iran), Judgement, § 73 [online].
is something more than a general acknowledgement of a factual situation, but rather
that the State identifies the conduct in question and makes it its own.” 124
4.2.2.2. Unorganized Armed Groups or individuals
As previously stated, regarding the degree of State control required for an act
carried out by a non-state actor to be attributable to the State, the ICTY in the Tadic Case
followed the case law of other international courts distinguishing between military
groups and individuals or non-organized groups. 125 The Court expressly stated that
international law imposed a different degree of control depending on whether the actions
concerned were taken by military groups or by individuals or non-organized groups. 126
The ICTY concluded that in order for the actions taken by individuals or
unorganized armed groups to be attributable to the State “it is necessary to ascertain
whether specific instructions concerning the commission of that particular act had been
issued by that State to the individual or group in question”. 127 Thus, in comparison to
the criteria required for organized armed groups, a much higher threshold has to be met
for the acts of individuals or unorganized groups to be attributable to the State.
Alternatively, a case may arise where an act carried out by an individual or
unorganized armed group, although not attributable to the State, is then considered as an
act of the State following the State’s acknowledgement and adoption of the action as its
own. 128
4.3. The Principle of Sovereignty: a duty of prevention
The Tallinn Manual Rule 1 establishes that a State may “exercise control over
cyber infrastructure and activities within its sovereign territory.”
Acknowledging sovereignty gives rise to an obligation of all States to respect
each other’s authority and autonomy. Such obligation was included in the Tallinn
Manual, as Rule 5 prescribes that “A State shall not knowingly allow the cyber
infrastructure located in its territory or under its exclusive governmental control to be
124 United Nations, Draft articles on Responsibility of States for Internationally Wrongful Acts, with commentaries 2001, [24] [online via http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf]
125 Prosecutor v. Tadic, IT-94-1-A, ICTY Appeals Chamber, Judgement, 15 July 1999, § 132
126 Ibid, § 137
127 Ibid
128 See what has been said regarding this issue supra Chapter 4.2.2
used for acts that adversely and unlawfully affect other States.” The requirement to not
knowingly allow sovereign territory to be used in a way that affects other States’ rights
means that individual States have a positive duty to take action and protect those
rights. 129
This means that if a State has knowledge of the use of cyber infrastructures –
within its territory or outside but over which it has de facto control - that have negative
effects on other States, then unless it takes appropriate measures to avoid such usage,
that State violates its international obligations.
This rule does pose a challenge to countries that are less developed technologically
and have fewer cyber capabilities. Those countries will probably have less ability to track
cyber-attacks that are being conducted from within their territory. Such passiveness and
inability to keep pace with the development of technology may turn those countries into
sanctuary states, from where cyber-attacks could be safely conducted.
One practical problem is the required degree of knowledge of cyber
infrastructure and attack capability. The International Group of Experts agreed that
Rule 5 applies if the State had “actual knowledge”, that is, if the State knows that a
cyber-attack has been made or has information that an attack will take place.
In conclusion, whenever cyber infrastructure controlled by a State is being used
with a negative effect on other countries, the State has to take appropriate measures to
prevent or avoid such usage. In case of State passiveness that results in damage to
another State, the victim State may be entitled, under certain circumstances, to resort to
countermeasures or self-defence.
129 See ICJ, 24-05-1980, United States Diplomatic and Consular Staff in Tehran (United States of America v. Iran), Judgement, § 67-68 [online].
5. Conclusions
The present Thesis proposed to examine whether Patriotic Hackers were a tacit
method of cyber warfare at the disposal of States during armed conflicts. Although
Patriotic Hackers can potentially take the role of fighting wars for the States, the answer
to the question cannot be given peremptorily in the form of a yes or no.
Patriotic Hackers have been defined as those individuals who, having ties of
allegiance towards a certain country (of nationality or ethnicity), conduct politically
motivated cyber-attacks against perceived enemies of that country, in the name of a sense of
patriotism, against threats or attacks by perceived enemies of that country.
But is such common motivation sufficient to conclude that Patriotic Hackers are
fighting wars for the States? History shows – aside from others that could be named – a
number of confrontations, for instance between US and Chinese hackers, and between Russian
hackers and States of the former USSR, such as Georgia and Estonia. So far, the attacks have
typically been limited to Web Defacements, Distributed
Denial of Service Attacks and Malware Attacks with a reduced level of harm.
A first question that arises is whether, in the abstract, standalone Patriotic Hacking can
reach the threshold of a cyber armed conflict. In this regard, given what has been said
above, it should be concluded that cyber operations conducted by Patriotic Hackers will
only rise to a cyber IAC when state sponsored, the attacks thus being attributable to the
State. On the other hand – and dependent on the observance of the requirements of
Common Article 3 – Patriotic Hacking may meet the threshold of a NIAC when the
cyber operations are conducted against a rebel armed group and when Patriotic Hackers
attack another country and do not act on behalf of their homeland country, because
otherwise the conflict would be internationalized.
In practice two categories of Patriotic Hackers can be devised: State sponsored
Patriotic Hackers and Non State Sponsored Hackers.
The first category comprises the assumedly state sponsored Patriotic Hackers.
An example of this group would be the one where, for instance, Chinese authorities
recruit civilians from the hacker community and high tech companies. Regarding this
group, and insofar as the conditions provided by article 13(2) of Geneva Convention I are
met, they have combatant status.
The second category would include non-state actors that are not state sponsored. Under
this category, organized armed groups may be distinguished from unorganized groups or
individuals.
The subcategory of organized armed groups is extremely relevant within
NIAC, where a State could be facing the opposition of an organized armed group. In
NIAC, although there is no combatant status, organized armed groups are understood as
the armed forces of the non-state actor. Thus Patriotic Hackers who are members of an
organized armed group and who are involved in cyber-attacks amounting to DPH
assume a continuous combat function. But organized armed groups are not relevant
only in NIAC. In this case, Patriotic Hackers would not be regarded as armed forces of
the Parties to the conflict, retaining their civilian status. Thus, insofar as the conditions are
met, Patriotic Hackers engaging in the hostilities would be in DPH.
A third category would involve non-state sponsored unorganized armed groups
and individuals. Here the legal status – when engaging in hostilities – would always be
DPH. It should be stated, however, that this category is of residual value because
potentially they lack the capability to meet the threshold of cyber armed conflict, given
that individually (at least theoretically) they would not have the technological capability
to engage in cyber operations causing sufficient harm.
One of the biggest problems that Patriotic Hackers pose is attribution. On
the one hand, and not disregarding the developments in this field, technical attribution
proves to be a difficult task. But even after the origin of the attack has been
disclosed, another problem arises: legal attribution.
In this regard it should be concluded that cyber operations can be attributable
to a state when they were: (i) conducted by an organ of the state; (ii) conducted by
persons or private entities exercising governmental authority; (iii) conducted by a person
or group of persons that were under the direction and control of the state; (iv) acknowledged
and adopted by the State as its own; (v) conducted by an organized armed group that
successfully overthrew the country and became the government.
The states nevertheless have an obligation – given the principle of sovereignty – to
prevent or avoid cyber operations being conducted from their territory with adverse
effects on other states. If the state has knowledge of such operations and does not act with
due care, it can entail the breach of an international obligation.
From what has been said and set out above, it is possible to conclude that
Patriotic Hackers can under some conditions fight wars for the States, avoiding the legal
accountability of the former. The fact is that in practice States will, if it is convenient,
always deny any relation whatsoever to the cyber attackers or the cyber-attack. This
happened on multiple occasions: Russia denied the attacks on Georgia and having any
connection to them; the same happened more recently when the Democratic People's
Republic of Korea authorities denied any involvement in the attack on Sony.
So far we have not witnessed a cyber-attack conducted by Patriotic Hackers
that reached the threshold of a cyber armed conflict. The potential damage that
such an attack could cause is unforeseeable. International humanitarian law, however, has
historically developed following conflicts, meaning that the legal evolution has – in most
cases – been one step behind the historical events that motivate the legal change.
Legal regulation of cyber operations, namely those conducted by Patriotic Hackers,
appears to be urgent. The danger posed by the dependence on technology of
our digital era urges such regulation. The Tallinn Manual, although only an
academic work, was a first step towards that objective. The Patriotic Hackers
phenomenon calls for such regulation. And in particular it poses some
other questions. Since the interests of the State and of Patriotic Hackers are common,
the question that arises is whether the linkage between the two, for
instance on the issue of attribution, can be seen in the same terms as it was for conventional
warfare. Is the current regime of legal attribution given by Customary Law,
Conventional Humanitarian Law and ILC ARSIWA sufficient to solve the issues
raised?
Aside from the urgent necessity of legal regulation of Cyber warfare, it also appears
conclusive that much more international cooperation between states is required.
What happens today is that political ideology determines passiveness towards cyber
operations being conducted from a state’s territory when they are directed against a
recognized adversary. This probably more political dimension of the problem posed by
cyber operations has to be addressed not only within the framework of the United Nations,
but also through direct cooperation between the states.
6. Bibliography
6.1. Literature
Boulet, G., Cyber Operations by Private Actors in the Ukraine-Russia Conflict: From
Cyber War to Cyber Security, American Society of International Law Volume 19 Issue
1 2015 [online via http://www.asil.org/insights/volume/19/issue/1/cyber-operationsprivate-actors-ukraine-russia-conflict-cyber-war-cyber]
Capaccio, A. China Most Threatening Cyberspace Force, U.S. Panel Says, Bloomberg
[online via http://www.bloomberg.com/news/articles/2012-11-05/china-most-threatening-cyberspace-force-u-s-panel-says]
Conger, C., Could a single hacker crash a country’s network? [online via
http://computer.howstuffworks.com/hacker-crash-country-network1.htm]
Cook, J. Sony Hackers Have Over 100 Terabytes Of Documents. Only Released 200
Gigabytes So Far Business Insider [online via http://uk.businessinsider.com/the-sonyhackers-still-have-a-massive-amount-of-data-that-hasnt-been-leaked-yet-201412?r=US]
Dan Saxon (ed.), in International Humanitarian Law and the Changing Technology of
War, Martinus Nijhoff Publishers 2013
Danchev, D., Coordinated Russia vs Georgia cyber attack in progress, ZDNET [online
via http://www.zdnet.com/article/coordinated-russia-vs-georgia-cyber-attack-in-progress/]
Dieter Fleck (ed.), The Handbook of International Humanitarian Law, Oxford
University Press 2013 (3rd Revised ed)
Dilanian, K., NSA Director: Yes, China Can Shut Down Our Power Grids, Business
Insider [online via http://uk.businessinsider.com/nsa-director-yes-china-can-shut-downour-power-grids-2014-11?r=US]
Doug Hart (ed.), Proceedings of the 8th International Conference on Information
Warfare and Security (ICIW 2013), Academic Conferences and Publishing International
Limited 2013
Fulghum, D. A. & Barrie, D., Israel Used Electronic Attack in Air Strike Against Syrian
Mystery Target, AVIATION WEEK, Oct. 8, 2007 [online via
http://www.freerepublic.com/focus/f-news/1908050/posts]
Gartenstein-Ross, D. & Goodman, J. D., The Attack on Syria's al-Kibar Nuclear
Facility, INFOCUS QUARTERLY, Spring 2009, [online via
http://www.jewishpolicycenter.org/826/the-attack-on-syrias-al-kibar-nuclear-facility]
Geers, K., Cyberspace and the Changing Nature of Warfare, Cooperative Cyber
Defence Centre of Excellence Tallinn, Estonia
Gilbert, D., Syrian Electronic Army Cyber Attacks Continue With US Marines Hack,
IBTimes [online via http://www.ibtimes.co.uk/syrian-electronic-army-hacks-marinewebsite-hacked-503037]
Gill, T. D. and Ducheine, P. A. L, Anticipatory Self-Defense in the Cyber Context,
International Law Studies Volume 89 2013, p. 459-460 [online via
http://dare.uva.nl/document/2/135180]
Gjelten, T. Volunteer Cyber Army Emerges In Estonia, NPR [online via
http://www.npr.org/2011/01/04/132634099/in-estonia-volunteer-cyber-army-defendsnation]
Glennon, M. J., The Road Ahead: Gaps, Leaks and Drips, International Law Studies,
Volume 89, 2013 p. 380 [online via https://www.usnwc.edu/getattachment/2d451822f2d7-4556-b975-3186ba404060/The-Road-Ahead--Gaps,-Leaks-and-Drips.aspx]
Grosswald, L., Cyberattack Attribution Matters under Article 51 of the U.N. Charter,
Brooklyn Journal of International Law Vol. 36 2010-2011, p.1160 [via HeinOnline]
Holt, T. J. (ed) and Schell, B. H., Corporate Hacking and Technology-Driven Crime:
Social Dynamics and Implications, IGI Global Publishers, 2010 (1st ed.)
InfoSecurity, National Electric Grid Remains at Significant Risk for Cyber-attack
[online via http://www.infosecurity-magazine.com/news/national-electric-grid-remainsat/]
Kazerooni, S., The Growing Threat of Denial-of-Service Attacks, Electric Light &
Power, [online via http://www.elp.com/articles/powergrid_international/print/volume20/issue-2/features/the-growing-threat-of-denial-of-service-attacks.html]
Klimburg, A (ed.), National Cyber Security Framework Manual, NATO Cooperative
Cyber Defence Centre of Excellence, Tallinn, Estonia, 2012
Left, S. Chinese and American hackers declare 'cyberwar', The Guardian [online via
http://www.theguardian.com/technology/2001/may/04/china.internationalnews]
Lenzner, R., Chinese Cyber Attack Could Shut Down U.S. Electric Power Grid [online
via http://www.forbes.com/sites/robertlenzner/2014/11/28/chinese-cyber-attack-couldshut-down-u-s-electric-power-grid/]
Markoff, J. Before the Gunfire, Cyberattacks, The New York Times [online via
http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0]
Melzer, M., Interpretive guidance on the notion of Direct Participation in Hostilities
under International Humanitarian Law, ICRC 2009
Messmer, E., Kosovo cyber-war intensifies: Chinese hackers targeting U.S. sites,
government says, CNN [online via
http://edition.cnn.com/TECH/computing/9905/12/cyberwar.idg/]
Rubenking, N. J., Wikileaks Attack: Not the First by th3j35t3r, PCMAG, [online via
http://www.pcmag.com/article2/0,2817,2373559,00.asp]
Sanger, D. E. and Fackler, M., N.S.A. Breached North Korean Networks Before Sony
Attack, Officials Say, The New York Times [online via
http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-koreannetworks-before-sony-attack-officials-say.html]
Schmitt, M. N. (Ed.), Tallinn Manual on the International Law Applicable to Cyber
Warfare, Cambridge University Press 2013
Shackelford, S. & Andres, R. State responsibility for cyber attacks: competing
standards for a growing problem, Georgetown Journal of International Law 2010, p.
971-1016
Sheldon, J. B., State of the Art: Attackers and Targets in Cyberspace, Journal of
Military and Strategic Studies Volume 14 Issue 2 2012, p. 18 [online via
http://ww.w.jmss.org/jmss/index.php/jmss/article/viewFile/462/458]
Swaine, J., Georgia: Russia 'conducting cyber war', The Telegraph [online via
http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russiaconducting-cyber-war.html]
Symantec, 2015 Internet Security Threat Report, Volume 20, 2015
Tiezzi, S., China (Finally) Admits to Hacking, The Diplomat [online via
http://thediplomat.com/2015/03/china-finally-admits-tohacking/?utm_content=buffer5af99&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer]
Traynor, I., Russia accused of unleashing cyberwar to disable Estonia, The Guardian
[online via http://www.theguardian.com/world/2007/may/17/topstories3.russia]
United Nations, Draft articles on Responsibility of States for Internationally Wrongful
Acts, with commentaries 2001
United States Department of Defense (DoD), The National Military Strategy for
Cyberspace Operations, 2006
United States Department of Defense (DoD), Department of Defense Cyberspace Policy
Report: A Report to Congress Pursuant to the National Defense Authorization Act for
Fiscal Year 2011, Section 934, 2011
Wheeler, D. A., Techniques for Cyber Attack Attribution, Institute for Defense
Analyses, October 2003 p. 1 [online via http://handle.dtic.mil/100.2/ADA468859]
6.2. Table of Cases
ICJ, 24-05-1980, United States Diplomatic and Consular Staff in Tehran (United States
of America v. Iran), Judgement [online].
ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua
(Nicaragua v. United States of America), Merits [online].
ICJ, 8-07-1996, Legality of the threat or use of nuclear weapons, Advisory Opinion
[online]
ICJ, 26-02-2007, Application of the Convention on the Prevention and Punishment of
the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgement
[online].
Prosecutor v. Tadic, IT-94-1, ICTY Appeals Chamber, Decision on the Defence Motion
for Interlocutory Appeal on Jurisdiction, 2 October 1995 [online]
Prosecutor v. Tadic, IT-94-1-A, ICTY Appeals Chamber, Judgement, 15 July
1999 [online]
Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj, IT-04-84-T, ICTY
Appeals Chamber, Judgement, 3 April 2008 [online]
Sambaggio Case (Italy v. Venezuela) (Mixed Claims Commission Italy-Venezuela)
(1903) 10 Reports of International Arbitral Awards, Vol. X [online via
http://legal.un.org/riaa/cases/vol_X/477-692.pdf]
Iran-United States Claims Tribunal, [Phillips Petroleum Co. Iran] v. Islamic Republic of
Iran, Award No. 326–10913–2, 3 November 1987, Iran-United States Claims Tribunal
Reports, vol. 21 (1989)