Cyber Norms in the Context of Armed Conflict

Peter Pascucci, Kurt Sanger
Wednesday, November 16, 2022, 8:16 AM

United Nations norms related to nation-state cyberspace operations clearly apply during peacetime, but recent events in Ukraine and Russia raise challenges regarding those norms’ applicability in armed conflict.

A man with his face obscured sits in front of a computer with code behind him (Photo by B_A, bit.ly/3hKfKJ8; CC0 1.0, https://creativecommons.org/publicdomain/zero/1.0/)

Published by The Lawfare Institute in cooperation with Brookings

In “‘Patriotic Hacking’ Is No Exception,” Jay Healey and Olivia Grinberg discussed Ukrainian government officials’ public outreach to online activists to help defend against the Russian invasion. (For the simplicity of this discussion only, we address the conflict as if it began this year rather than in 2014.) Their article focuses on concerns regarding the Ukrainian government’s association with hackers from across the world, as well as potential consequences that Ukraine’s online supporters may face. However, the article overstates the role of international norms generally and norms related to cyberspace specifically as they relate to armed conflict. While enlisting civilians across the world raises issues (which we discuss below), Ukraine’s decision to disregard cybersecurity norms vis-a-vis Russia under current circumstances is wholly consistent with international law and does not represent a failure to live up to its normative commitments in any way. 

As Healey and Grinberg identify, international norms do not have the force of law but carry moral weight and expectations. A nation’s failure to observe a normative commitment is more likely to lead to rapid and severe consequences than is a nation falling short of international expectations for behavior unguided by a norm. While some international norms become laws, and some overlap with law, norms that are not legal commitments cannot be the basis for action before an international tribunal. 

The normative commitments to which Ukraine and most other nations agreed are found in a 2021 U.N. report titled “Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security.” The report includes a paragraph that specifically highlights that Ukraine, and any nation that might be similarly situated, is not restrained by its commitments under the following circumstances:

States reaffirmed that norms do not replace or alter States’ obligations or rights under international law, which are binding, but rather provide additional specific guidance on what constitutes responsible State behaviour in the use of [information and communications technologies]. Norms do not seek to limit or prohibit action that is otherwise consistent with international law.

Ukraine did not give up its right to self-defense by taking on the normative commitments. It took on the normative commitments knowing that it was free to act within the full boundaries of international law. To expect Ukraine to shrink those boundaries is inconsistent not only with the norms but also with international law.

Even if the report did not explicitly identify the intended relationship between the norms and international law, language throughout the report indicates that the norms are not expected to bind parties during armed conflict. As the report notes, a major purpose of norms is to prevent conflict from occurring in the first place: “Voluntary, non-binding norms of responsible State behaviour can reduce risks to international peace, security and stability and play an important role in increasing predictability and reducing risks of misperceptions, thus contributing to the prevention of conflict.” The report further notes that states sought to develop cyber norms because they were “increasingly concerned about the implications of the malicious use of (information and communications technologies) for the maintenance of international peace and security, and subsequently for human rights and development.” The eventuality the norms seek to avoid is a reality because of Russia’s actions, mooting the purpose for the norms and their observation. Russia’s invasion made the peace, security, and stability the norms sought to preserve impossible, and Ukraine has no obligation—legal, moral, or otherwise—to observe the cyber norms under these circumstances.

Armed conflict almost always changes the rules that apply to the parties to the conflict, to include the applicable international law. During peacetime, the international human rights law (IHRL) regime prevails, and under IHRL, killing is illegal in most instances unless excused by self-defense or other special circumstances. Much that is legal during an armed conflict is illegal during times of peace. During an international armed conflict, IHRL steps aside and the legal framework of the law of armed conflict (LOAC) prevails. Many killings that would be illegal under IHRL are legal under LOAC. Combatants are immunized from prosecution for killing legitimate targets pursuant to lawful orders given by the chain of command established by their government.

The shift from IHRL to LOAC can be initiated through a declaration of hostilities (or war) by one government against another, or by real-world circumstances such as violence or troop movements making evident that an international armed conflict has commenced. Applied to the current conflict, Russia’s armed attack triggered the application of LOAC to both Ukraine and Russia. This includes the lawfully authorized killing associated with international armed conflict.

No such shift in regimes is required for international norms to change in their application. Because norms do not have the force of law, a nation can choose to refrain from observing them of its own volition and under any conditions. Unlike international law, no change in circumstances or declaration is necessary if a nation chooses to change its normative commitments due to the onset of armed conflict.

A nation cannot be expected to observe standard norms under conditions in which it is not expected to observe standard legal requirements. Undoubtedly, cyber norms should be expected to fall to the wayside before or along with the transition from IHRL to LOAC, much in the same way killing combatants becomes legal under the latter regime. 

Regardless of Ukraine’s supposed requirements, its solicitation of patriotic hacktivists has done no damage to the international cyber norms the U.N. memorialized recently. The only exception Ukraine conceivably has established is that when a nation is invaded by foreign forces (that is, when it has been subjected to an armed attack), that nation need not observe cyber norms vis-a-vis its attacker.

While their concern regarding the normative issue is overstated, Healey and Grinberg raise another important issue that Ukraine, its allies, and non-state cyber supporters should consider. Foremost, any civilian seeking to impact the operations of a party to an armed conflict should be aware of the potential consequences of their participation. Depending on the level and type of engagement, under LOAC, a civilian may fall into the category of a direct participant in the hostilities. As such, a civilian becomes a legitimate target who can be engaged with force, to include lethal force, during the time that the civilian is directly participating. 

According to the International Committee of the Red Cross (ICRC), examples of direct participation in hostilities include picking up a weapon and firing it, delivering ammunition to the front lines of a conflict, and erecting roadblocks. Cyberspace adds interesting dimensions to the concept of direct participation in hostilities. The ICRC notes that interfering electronically with military computer networks would qualify as directly participating. Beyond that, it remains uncertain to what extent a particular cyber operation conducted by a civilian will qualify as direct participation. This lack of clarity becomes more acute when one considers both the geographic dispersion of those engaging in cyber operations and their use against other aspects of Russia’s government, propaganda apparatus, and industrial base. 

Presumably a civilian directly participating in hostilities is targetable regardless of geographic location. Whether in Lviv, London, or Louisville, hackers conducting identical activities in support of a Ukrainian infantry attack would be no different under LOAC, assuming those activities qualify as direct participation in hostilities. However, the risk is vastly different for practical purposes depending on how far participants are from traditional battle lines, and it is unlikely that hackers’ current level and types of participation would qualify as direct participation in hostilities.

For reasons political, operational, and legal, it is also unlikely that online participants from nations outside Ukraine will draw their respective nations into the conflict, as Healey and Grinberg suggest. LOAC applies to those who are a party to the conflict. States that are not a party to the conflict are not bound by the restrictions of the law of armed conflict, nor may they take advantage of the lex specialis associated with its applicability. Nevertheless, states may be responsible for certain internationally wrongful actions emanating from their territory under the principle of due diligence. Due diligence is a foundational principle embodied within numerous international law regimes. As articulated by the International Court of Justice in its Corfu Channel judgment, the due diligence principle imposes an obligation on states to not knowingly allow their territory to be used in a manner prejudicial to the rights of other states. In practice, the obligation merely requires a state to take appropriate action against those engaging in such activities when the state becomes aware of them. Absent a state’s affirmative action to direct those activities and its effective control over those engaging in them, the state would not be responsible for the action, nor would the state become a party to an international armed conflict through the wayward acts of those within its borders. 

One caveat to this analysis is that there is a risk that the Russian government may use hackers’ actions as a pretext to accuse a nation of responsibility and treat it as a party to the Ukraine-Russia conflict. Such a declaration would be more likely due to the Russian government’s strategic interests rather than a genuine analysis of the law, but Ukraine and its allies should be wary of the Russian government’s dubious legal track record.

That Ukraine as a state is not violating international norms or law should not, however, legitimate the efforts of individual hackers assisting Ukraine. If one, for instance, accesses a computer without authorization, one may be violating a domestic law such as the United States’ Computer Fraud and Abuse Act or comparable laws in other states. While it is doubtful that Russia would direct an attack against a hacker in the United States, even if that hacker’s activities amounted to direct participation in hostilities, it is foreseeable that the Department of Justice would indict and try that hacker, even if that hacker appears to be aligned with the United States’ Ukrainian policy. Healey and Grinberg wisely highlight the danger that a hacker might complicate military and diplomatic conditions through uncoordinated cyberspace operations against Russia.

This discussion highlights a more fundamental question: If cyberspace operations can achieve strategic effects peacefully when normally they can be accomplished only through violence, to what end is observing a norm that limits the more benign tactic? Any number of dead, detained, or displaced Ukrainians and Russians certainly would have preferred competition through cyberspace to the kinetic effects of the past eight months. It is crucial that those who think critically about cyberspace operations keep in mind the possibility that limits on those operations may have lethal consequences.

These opinions are the authors’ own and do not necessarily reflect official positions of the Department of the Navy, Department of Defense, or any other U.S. Government organization.


Peter Pascucci is a judge advocate in the United States Navy. In 2015, he received an LLM degree in national security law from Georgetown University Law Center, where he is currently an adjunct professor. Throughout his career, he advised multiple senior Department of Defense leaders, including two combatant commanders, a fleet commander, and the Office of the Secretary of Defense, on cyberspace operations and other national security law matters.
Kurt Sanger retired from the U.S. Marine Corps on November 1, 2022, after serving over 23 years as a judge advocate. He is a 2015 graduate of the Georgetown University Law Center’s national security law program and was a cyber law instructor at the National Defense University. Kurt was an attorney with U.S. Cyber Command from 2014 to 2022.
