The Laws Of War Must Apply In Cyberspace

A Cyberwarfare Insight

•  SCARS Editorial Team – Society of Citizens Against Relationship Scams Inc.
•  Article by: Johanna Weaver, Director, ANU Tech Policy Design Centre, Australian National University
•  Portions by the International Committee of the Red Cross
Article Originally Published: October 25, 2023 – Used With Permission

About This Article

Governments and hackers alike are increasingly acknowledging the necessity of applying the laws of war to cyberspace. Traditionally, international humanitarian law has regulated conduct in armed conflict to safeguard civilians and minimize suffering.

However, with the emergence of cyberattacks and online information operations, a new battleground has evolved, exemplified by Russia’s actions in Ukraine and the Israel–Hamas conflict. Contrary to the misconception of cyberspace being lawless, there is a global consensus that existing laws of war are applicable online.

Recent developments underscore this shift, including proposals for rules governing “civilian hackers” during war, endorsed by key hacktivist groups involved in conflicts. Additionally, the International Committee of the Red Cross has issued a report emphasizing the application of established principles and rules of international humanitarian law to all forms of warfare, digital included.

Also, the International Criminal Court’s prosecutor has signaled intent to collect evidence on cyber warfare, signaling accountability for violations in cyberspace. As these developments unfold, it becomes increasingly evident that whether through bombs or bytes, adherence to international humanitarian law remains imperative in mitigating harm and protecting civilians in the evolving landscape of conflict.

The Laws Of War Must Apply In Cyberspace - A Cyberwarfare Insight - 2024

Governments and Hackers Agree: the Laws of War Must Apply in Cyberspace

There are rules in war. International humanitarian law regulates what combatants can and can’t do, with the goal of protecting civilians and limiting suffering.

Most of these laws were developed during the 19th and 20th centuries. But in our own century a new kind of battlefield has emerged: the domain of cyberattacks, digital campaigns and online information operations. All these have played a heightened role in Russia’s war in Ukraine and, increasingly, in the current Israel–Hamas conflict.

There is a persistent myth that cyberspace is a lawless wild west. This could not be further from the truth. There is a clear international consensus that existing laws of war apply online.

In the past month, we have seen three significant developments in this area. Rules for “civilian hackers” have begun to gain traction. A new international humanitarian report has recommended ways forward for governments, tech companies and others. And the International Criminal Court has for the first time signalled that it considers cyber warfare to fall within its jurisdiction.

Rules for hacktivists
On October 4 2023, two advisers to the International Committee of the Red Cross proposed a set of rules for “civilian hackers” during war. The proposals include things like “do not conduct any cyber operation against medical and humanitarian facilities” and “when planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians”.

The authors were motivated by evidence of online attacks disrupting banks, companies, pharmacies, hospitals, railway networks and civilian government services.

Cyber, digital and information operations – used alongside “real-world” military operations – have risen into the mainstream during Russia’s war in Ukraine. Many operations are carried out by civilian groups not formally connected to the military.

These manoeuvres are not spectacular. However, as Jeremy Fleming (former head of GCHQ, United Kingdom’s electronic spy agency) put it:

it was never our understanding that a catastrophic cyberattack was central to Russia’s use of offensive cyber in their military doctrine. To think otherwise, misjudges how cyber has an effect in military campaigns. That’s not to say that we haven’t seen cyber in this conflict. We have – and lots of it.

After the proposed rules for civilian hackers were published, something extraordinary happened.

Two of the largest hacktivist groups actively engaged on opposite sides of the war in Ukraine are the Russian-affiliated Killnet and the Ukrainian IT Army. Spokespeople for both groups vowed to the BBC they would uphold the rules.

Digital threats during armed conflict
It is not just actors in Ukraine, and not just hacktivist groups, who must comply with the laws of war in cyberspace.

On October 18, the International Committee of the Red Cross published the final report of its global advisory board on digital threats during armed conflicts.

The report is the culmination of two years of work. The board comprises a diverse group of experts spanning the geopolitical spectrum, including the United States, Russia, China, South Africa, Mexico, India and Australia (including me).

We worked on “the international consensus that the established principles and rules of [international humanitarian law] apply to all forms of warfare and to all kinds of weapons, be they new or old, digital or physical”.

To safeguard civilians against digital threats, the report includes 25 action-oriented recommendations for belligerents, states, tech companies and humanitarian organisations.

Since 2013, negotiated agreements at the United Nations have recognised that existing international law applies to what states do in cyberspace.

In 2021, Russia, China, the US, Australia and every country in the United Nations went one step further, explicitly recognising the application of the laws of war to cyber operations.

The International Committee of the Red Cross – its mission being “to prevent suffering by promoting and strengthening humanitarian law and universal humanitarian principles” – has also affirmed this many times, including via the reports above.

The International Criminal Court weighs in
Of course, agreeing to the rules doesn’t prevent irresponsible actors from breaking them. And this is where the third significant development comes in.

In September 2023, Karim A.A. Khan, the prosecutor of the International Criminal Court, signalled the court would begin “collecting and reviewing” evidence of cyber warfare. It will also examine “misuse of the internet to amplify hate speech and disinformation, which may facilitate or even directly lead to the occurrence of atrocities”.

This is the first time the International Criminal Court has expressly indicated cyber warfare and misuse of the internet fall within its jurisdiction. This puts governments, militaries, tech companies and hacktivists on notice that they do not act with impunity in cyberspace.

As the war drags on in Ukraine and conflict escalates between Israel and Hamas (including increasing reports of hacktivism), all parties would do well to reflect that the rules of cyber warfare are clear.

Bombs or bytes, missiles or malware, international humanitarian law applies.

Published under Creative Commons license

The 8 Rules for Cyberwarfare

8 Rules for “Civilian Hackers” during War, and 4 Obligations for States to Restrain Them – By the International Committee of the Red Cross

October 4, 2023 Analysis Law and Conflict New Technologies

As digital technology is changing how militaries conduct war, a worrying trend has emerged in which a growing number of civilians become involved in armed conflicts through digital means. Sitting at some distance from physical hostilities, including outside the countries at war, civilians – including hacktivists, to cyber security professionals, ‘white hat’, ‘black hat’ and ‘patriotic’ hackers – are conducting a range of cyber operations against their ‘enemy’. Some have described civilians as ‘first choice cyberwarriors’ because the ‘vast majority of expertise in cyber(defence) lies with the private (or civilian) sector’.

Examples of civilian hackers operating into the context of armed conflicts are diverse and many (see hereherehere). In particular in the international armed conflict between Russia and Ukraine, some groups present themselves as a ‘worldwide IT community’ with the mission to, in their words, ‘help Ukraine win by crippling aggressor economies, blocking vital financial, infrastructural and government services, and tiring major taxpayers’. Others have reportedly ‘called for and carried out disruptive – albeit temporary – attacks on hospital websites in both Ukraine and allied countries’, among many other operations. With many groups active in this field, and some of them having thousands of hackers in their coordination channels and providing automated tools to their members, the civilian involvement in digital operations during armed conflict has reached unprecedented proportions.

This is not the first time that civilian hackers operate in to the context of an armed conflict, and likely not the last. In this post, we explain why this trend must be of concern to States and societies. Subsequently, we present 8 international humanitarian law-based rules that all hackers who carry out operations in the context of an armed conflict must comply with, and recall States’ responsibility to restrain them.

Civilians engaging in digital warfare – a worrying trend

The phenomenon of civilian hackers conducting cyber operations in the context of an armed conflicts is worrying for at least three reasons.

One, they cause harm to civilian populations, either by targeting civilian objects directly or damaging them incidentally. Some experts have considered civilian hackers and groups primarily as ‘cyber vigilantism’ and stress that their operations are technically not sophisticated and unlikely to cause significant effects. However, it is also true that civilian hackers and ‘armies’ have disrupted various civilian objects – including banks, companies, pharmacies, hospitals, railway networks and civilian government services.

Two, civilian hackers risk exposing themselves, and people close to them, to military operations. Depending on the type of operation they conduct, a party to an armed conflict may consider them as directly participating in hostilities (see cyber-specific analyses here and here). This means that the computers and digital infrastructure they use risk becoming military objectives, meaning that they are at risk of being attacked. Likewise, in the adversary’s eyes, and depending where the hacker sits, they may be attacked – by bullet, missile, or cyber operation.

Three, the more civilians take an active part in warfare, the more the line blurs between who is a civilian and who a combatant. As a result, the risk of harm to civilians grows; and legal experts have asked whether the principle of distinction, the centre-piece of international humanitarian law, will withhold this pressure.

8 rules for civilian hackers operating in the context of an armed conflict

Cyberspace is not a lawless space – even wars have limits.

It goes without saying that civilian hackers must respect the law of the countries they operate in. Where these national laws are lenient, not enforced, or if a civilian hacker decides to disregard them, in times of armed conflict international humanitarian law (IHL) provides a universally agreed set of rules that aim to safeguard civilians, and soldiers who are no longer able to fight, from some of the horrors of war. The most egregious violations of these rules constitute war crimes, which may be prosecuted nationally or internationally.

In the context of an armed conflict, IHL does not prohibit ‘hacking’ as such, and it does not prohibit civilians from conducting cyber operations against military assets. But it sets out elementary considerations of humanity on the protection of civilians, meaning obligations that everybody must respect when conducting operations in the context of an armed conflict, irrespective of the reasons for the conflict, whose goals are deemed legitimate, or whether an operation is conducted in offence or defense.

IHL consists of hundreds of rules – here is one word of caution and  8 rules that anyone who conducts a cyber operation in the context of an armed conflict (including non-States armed groups and civilian hackers) must be aware of and respect as a minimum. Groups or collectives should ensure that their members respect these limits.

Caution: Civilian hackers risk losing protection against cyber or physical attack and may be criminally prosecuted if they directly participate in hostilities through cyber means        

Under IHL, civilians must not be attacked unless and for such time as they directly participate in hostilities. Conducting cyber attacks against military or civilian targets can amount to such direct ‘participation in hostilities’ and risks making civilian hackers liable to attacks. In addition, while members of a State’s armed forces (including cyber operators) enjoy impunity for lawful acts of war (such as attacking a military installation) and become ‘prisoners of war’ when captured, civilian hackers do not (here, para. 3634 on article 85 GCIII). If captured, they risk being considered criminals or ‘terrorists’ and prosecuted as such.

1. Do not direct cyber attacks* against civilian objects.

Civilian objects are all objects that are not military objectives. This includes civilian infrastructure, public services, companies, private property, and arguably civilian data. Military objectives do not enjoy the same protection. ‘Military objectives’ comprise primarily the physical and digital infrastructure of the military of a warring party. It may also include civilian objects, depending on whether and how they are being used by the military.

2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.

For example, malware that spreads automatically, spills-over, and damages military objectives and civilian objects without distinction must not be used.

3. When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.

For example, if you aim to disrupt electricity or railway services used by military forces, you must avoid or minimize the effects your operation may have on civilians. It is essential to research and understand the effects of an operation – including unintended ones – before conducting it. When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians, and stop the attack if the harm to civilians risks being excessive.  If you have gained access to an operating system but you do not understand the possible consequences of your operation, or realize that the harm to civilians risks being excessive, stop the attack.

4. Do not conduct any cyber operation against medical and humanitarian facilities.

Hospitals or humanitarian relief organizations must never be targeted.

5. Do not conduct any cyber attack against objects indispensable to the survival of the population or that can release dangerous forces.

In international humanitarian law, objects containing dangerous forces are defined as ‘dams, dykes and nuclear electrical generating stations’; in reality, however, chemical and similar plants also contain dangerous forces. Objects indispensable for the survival of the civilian population include, among others, drinking water installations or irrigation systems.

6. Do not make threats of violence to spread terror among the civilian population.

For example, hacking into communication systems to publish information designed primarily to spread terror among civilian populations is prohibited. Likewise, designing and spreading graphic content to spread terror among civilians in order to make them flee is unlawful.

7. Do not incite violations of international humanitarian law.

Do not encourage or enable others to conduct cyber or other operations against civilians or civilian objects. For example, do not share technical details in communication channels to facilitate attacks against civilian institutions.

8. Comply with these rules even if the enemy does not.

Revenge or reciprocity are no excuses for violations of international humanitarian law.

* Under IHL, and in the context of cyber operations, the notion of attack refers to cyber operations that can be reasonably expected to result – directly or indirectly – in damage, disabling, or destruction of objects (such as infrastructure and, arguably, data) or injury or death of people. It does not, for instance, include cyber operations aimed at obtaining unauthorized access to information.

For more detailed positions of the International Committee of the Red Cross on IHL and cyber operations, see here and here. To learn more about how international law applies in cyberspace, consult the ‘Cyberlaw Toolkit’.

Hackers do not live in cyberspace – States must impose limits

States should not encourage or tolerate civilian hackers conducting cyber operations in to the context of an armed conflict.

The more civilian hackers engage in cyber operations, the greater the risk of operations that violate applicable law and blur the line between combatants and civilians. Therefore, the ICRC has called on States to ‘give due consideration to the risk of exposing civilians to harm if encouraging or requiring them to be involved in military cyber operations’.

From a legal point of view, all States have pledged to not ‘knowingly allow their territory to be used for internationally wrongful acts using ICTs’ (here, para. 13(c)). While formulated as a political commitment, this norm reflects States’ ‘due diligence’ obligation under international law, including in respect of civilian hackers operating from their territory (see here). Any State that is committed to the rule of law or a ‘rules-based international order’ must not close its eyes when people on its territory conduct cyber operations in disregard of national or international law, even if directed against an adversary.

This means, first and foremost, to adopt and enforce national laws that regulate civilian hacking.

In addition, and specifically with regard to the conduct of private individuals in times of armed conflict, States have undertaken to respect and to ensure respect for IHL. This legal commitment means at least four things:

First, if civilian hackers act under the instruction, direction or control of a State, that State is internationally legally responsible for any conduct of those individuals that is inconsistent with the State’s international legal obligations, including international humanitarian law (see here, article 8, and here). For instance, if a State uses private individuals or groups as “volunteers” and instructs them to carry out particular cyber operations in disregard of international law, the state is legally responsible for such violations (see here, para. 2 on article 8). (This responsibility comes in addition to possible criminal responsibility of the private hacker).

Second, States must not encourage civilians or groups to act in violation of international humanitarian law (see here, para. 220). Concretely, this means that State agents – be they military, intelligence, or any other government actor – are prohibited from encouraging civilians or groups to, for example, direct cyber attacks against civilian objects, irrespective of which channel or app is used to do so.

Third, States have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory (see here, para. 183). Of course, a State cannot prevent all violations of the law. However, it must take feasible measures, such as taking public positions requiring civilian hackers not to conduct cyber operations in relation to armed conflicts, to respect IHL if they do, and suppress violations under national law (see next).

Fourth, States have an obligation to prosecute war crimes and take measures necessary to suppress other IHL violations (article 49/50/129/146 GCI-IV; article 85 Additional Protocol I). First, this requires the adoption and enforcement of the necessary laws that criminalize cyber operations amounting to war crimes, and second, to take effective measures to stop all other violations of IHL, which may include legal, disciplinary, or administrative measures. Clearly, adopting laws or policies that turn a blind eye on civilian hackers conducting cyber operations as long as these operations are committed against ‘the enemy’ does not comply with this obligation.

IHL sets out essential rules to limit the effects of armed conflicts on civilians. No one that participates in war is beyond these rules. In particular, every hacker that conducts operations in the context of an armed conflict must respect them, and States must ensure this is the case to protect civilian populations against harm.

Editor’s note: This article was originally published in EJIL:Talk! and is available here.
8 Rules

SCARS Resources:

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.


The opinions of the author are not necessarily those of the Society of Citizens Against Rleationship Scams Inc. The author is solely responsible for the content of their work. SCARS is protected under the Communications Decency Act (CDA) section 230 from liability.







This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use

Legal Notices: 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at

SCARS, SCARS|INTERNATIONAL, SCARS, SCARS|SUPPORT, SCARS, RSN, Romance Scams Now, SCARS|INTERNATION, SCARS|WORLDWIDE, SCARS|GLOBAL, SCARS, Society of Citizens Against Relationship Scams, Society of Citizens Against Romance Scams, SCARS|ANYSCAM, Project Anyscam, Anyscam, SCARS|GOFCH, GOFCH, SCARS|CHINA, SCARS|CDN, SCARS|UK, SCARS|LATINOAMERICA, SCARS|MEMBER, SCARS|VOLUNTEER, SCARS Cybercriminal Data Network, Cobalt Alert, Scam Victims Support Group, SCARS ANGELS, SCARS RANGERS, SCARS MARSHALLS, SCARS PARTNERS, are all trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the legal department for the Society of Citizens Against Relationship Scams Incorporated by email at