“PATRIOTIC HACKERS” : NON-STATE ACTORS FIGHTING WARS FOR THE STATES?

Academic year: 2021

“PATRIOTIC HACKERS”: NON-STATE ACTORS FIGHTING WARS FOR STATES?

Nuno Jorge Carvalho Barata

Student Number 10763376

Supervisor: Professor Terry Gill

Table of Contents

1. Introduction

2. Cyber Armed Conflict

2.1. Jus ad bellum

2.2. Jus in bello

2.2.1. International and non-international cyber armed conflict

2.2.2. Personal status

2.2.3. Direct participation in hostilities

2.2.4. Possibility of stand-alone cyber-attacks?

3. Patriotic Hackers

3.1. Characterization

3.2. Patriotic Hacking attacks

3.3. Standalone Patriotic Hacking reaching the level of armed conflict?

3.3.1. International Armed Conflict

3.3.2. Non-International Armed Conflict

3.4. State sponsored Patriotic hackers

3.5. Non-State sponsored Patriotic Hackers

3.5.1. Organized Armed Groups

3.5.2. Unorganized Armed Groups or individuals

4. Attribution and legal responsibility for cyber attacks

4.1. Technical attribution

4.2. Legal attribution

4.2.1. State Sponsored

4.2.2. Non-State Sponsored

4.3. The Principle of Sovereignty: a duty of prevention

5. Conclusions

6. Bibliography

6.1. Literature

Abbreviations

AP I Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I) of 8 June 1977

AP II Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of non-International Armed Conflicts (Protocol II) of 8 June 1977

ARSIWA Articles on Responsibility of States for Internationally Wrongful Acts

DDoS Distributed Denial of Service

DPH Direct Participation in Hostilities

IAC International Armed Conflict

ICJ International Court of Justice

ICRC International Committee of the Red Cross

ICSCERT Industrial Control Systems Cyber Emergency Response Team

ICTY International Criminal Tribunal for the Former Yugoslavia

IHL International Humanitarian Law

ILC International Law Commission

ISIS Islamic State of Iraq and Syria

PLA People’s Liberation Army

NATO North Atlantic Treaty Organization

NIAC Non-International Armed Conflict

NSA National Security Agency

OAG Organized Armed Group

RBN Russian Business Network

UK United Kingdom

US United States of America

UN United Nations

UNC United Nations Charter

1. Introduction

Cyber-attacks are emerging as one of the biggest concerns for governments, corporations, and individuals. The numbers give some reason to worry. For instance, counting only Distributed Denial of Service (DDoS) attacks, an estimated 3 to 4 million attacks were conducted during 2014 alone.1

The motivation for the attacks varies. They may be perpetrated to obtain a financial gain (cyber-crime), intellectual property (cyber espionage), or for other reasons. Not all kinds of cyber-attacks are relevant to the present work. This thesis will focus only on cyber-attacks conducted within, or that rise to the status of, armed conflict: cyber warfare.

A number of cyber-attack definitions can be found throughout the relevant literature. For instance, cyber-attack has been defined as an attack by a hostile nation against the networks of another to cause disruption or damage.2 In the 2006 United States National Military Strategy for Cyberspace Operations3, cyberwar was termed as “computer network operations” (CNO) which comprises computer network attacks4 (CNA), computer network defence5 (CND) and “related computer network exploitation enabling operations”6 (CNE).

The Tallinn Manual provides a more accurate and comprehensive definition of cyber-attack considering it as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”7 One important note to consider is that although the wording only refers to objects and persons, the International Expert Group on the Commentaries states that cyber operations against data are also included in the scope of cyber-attack, at least whenever such attack results in the injury or death of individuals or damage or destruction of physical objects.

1 2015 Internet Security Threat Report, April 2015 Volume 20, Symantec, p. 44 [online via https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf]

2 Shackelford, S. & Andres, R. State responsibility for cyber attacks: competing standards for a growing problem, Georgetown Journal of International Law, 2010-, p. 971-1016 [online via HeinOnline]

3 United States Department of Defense (DoD), The National Military Strategy for Cyberspace Operations, 2006, GL-1 <http://www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf>

4 “Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”, See note 2

5 “Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks”, See note 2

6 “Enabling operations and intelligence collection to gather data from target or adversary automated information systems or networks”, see note 2

One of the first examples of cyber warfare occurred in 1999, during the Kosovo conflict, when pro-Serbian groups of hackers, such as the so-called “Black Hand”, conducted cyber-attacks against NATO, US and UK computers with the goal of disrupting their military operations.8

Another example of this kind of attack occurred in August 2008, during the conflict between the Russian Federation and Georgia over South Ossetia. While a traditional armed conflict was taking place, Georgia was also the target of cyber-attacks. According to what is publicly known, the cyber-attacks were not conducted by the Russian government (namely its armed forces), but rather by Russian civilian hackers. Several Distributed Denial of Service (DDoS) attacks were carried out against Georgian network servers, disrupting many (governmental and media) websites.

More recently, within the Russia-Ukraine conflict it has been reported that pro-Russian groups (for instance, the CyberBerkut) have, allegedly without official support, been conducting cyber operations against Ukraine.9

One feature is common to the given examples: the individuals conducting the cyber-attacks are generally not part of the armed forces. These individuals are sometimes called “Patriotic Hackers”. Holt and Schell advance a definition of Patriotic Hackers, considering them as “citizens and expatriates engaging in cyber-attacks to defend their mother country or country of ethnic origin. Typically, patriotic networks attack the websites and email accounts of countries whose actions have threatened or harmed the interests of their mother country”.10 Thus the “hackers” are not (or at least do not appear to be) regular armed forces. Nonetheless, as seen in the examples mentioned above, the non-state led cyber-attacks often serve State interests even without any (official) linkage between them.

8 Geers, K., Cyberspace and the Changing Nature of Warfare, Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia, [online via https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Geers/BlackHat-Japan-08-Geers-Cyber-Warfare-Whitepaper.pdf]

9 Boulet, G., Cyber Operations by Private Actors in the Ukraine-Russia Conflict: From Cyber War to Cyber Security, American Society of International Law, Volume 19, Issue 1, January 07, 2015 [online via http://www.asil.org/insights/volume/19/issue/1/cyber-operations-private-actors-ukraine-russia-conflict-cyber-war-cyber]

10 Holt, T. J. and Schell, B. H., Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, New York: Information Science Reference, 2011 [online via New York: Information Science Reference, 2011]

Chapter 2 will start by focusing on the definition of cyber armed conflict (both international and non-international), the law applicable and the status of persons involved in such conflicts.

After having set a clear definition of cyber armed conflict and of the applicable legal framework, the legal consequences of Patriotic Hacking will be surveyed, including those arising from International law applicable to cyber warfare (namely if their actions are to be considered as Direct Participation in Hostilities, hereafter DPH). Thus Chapter 3 will address the legal consequences of cyber-attack activities conducted by patriotic hackers within a cyber armed conflict.

But how and when can a cyber-attack be attributable to an individual or group? The answer to this question is twofold: on one hand there is the question of technical attribution, meaning that first it is necessary to identify the person or group that conducted the attack by technical means; on the other hand it has to be determined whether the attack can be legally attributed to the person (or eventually to a state). Chapter 4 will be dedicated to the question of attribution of attacks to individuals in the cyber realm and the (possible) connection with the state. Given the potential for anonymity with internet use – as well as the constant development of relevant technologies - the task of pinpointing the cyber-conflict source can pose substantial difficulty. Nevertheless, the feat of determining the responsible parties (attribution) is not impossible.

After examining the dynamics of cyber-attack attribution, Chapter 5 will review the nature of the responsibility that arises from cyber-attacks conducted by Patriotic Hackers. In this context I shall also assess whether the conduct of patriotic hackers can be attributed and whether this can originate state responsibility.

The research and subsidiary questions shall be addressed on the basis of applicable international law, in particular the legal framework given by IHL and academic literature such as The Tallinn Manual on International Law Applicable to Cyber Warfare and doctrine and other leading publications.

2. Cyber Armed Conflict

2.1. Jus ad bellum

Jus ad bellum is the set of rules that govern “when resort to armed force is permissible”11 as opposed to jus in bello which is “the law applicable to the conduct of hostilities that applies once a party has entered into armed conflict”.

The most important provisions of jus ad bellum are found in the United Nations Charter: Article 2(4) and Chapter VII. Article 2(4) provides that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” Being, as it is, a rule of customary international law12, both UN members and non-member states are bound by the principle. Furthermore, given that the ICJ stated that “These provisions do not refer to specific weapons. They apply to any use of force, regardless of the weapons employed”13, it seems accurate to conclude that cyber-attacks are not excluded from the scope of the mentioned provision. Rule 10 of the Tallinn Manual states a similar principle of prohibition on the use of force.

But what is “use of force” and “threat of the use of force” within cyber warfare? According to the view expressed in the Tallinn Manual “a cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”14 For an action to be qualified as a use of force, it does not need to be conducted by the State armed forces.15 But when and how can it be assessed whether a cyber-attack reaches the threshold of use of force? The dominant approach bases the assessment on the effects of the action, according to which a cyber operation qualifies as a use of force when its outcome results in physical damage and/or human injury or death. This latter approach seems to have been the one adopted by the International Expert Group on the Tallinn Manual. The Expert Group advanced an exhaustive list of factors that could help in the use of force assessment, namely: severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement and presumptive legality.16

11 O’Connell, M. E., Historical Development and Legal Basis, in The Handbook of International Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press [1]

12 ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, § 190 [online].

13 ICJ, 8-07-1996, Legality of the threat or use of nuclear weapons, Advisory Opinion, § 39 [online]

14 Rule 11 of the Tallinn Manual

15 As will be seen infra, cyber operations can also be conducted by other state organs and, under certain conditions, even operations by private actors can be qualified as use of force by the state.

Regarding the threat of the use of force, Rule 12 of the Tallinn Manual advances that “a cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force.” Regarding this rule, the International Experts Group devised two situations of the threat of the use of force: “a cyber operation that is used to communicate a threat to use force” and “a threat conveyed by any means (…) to carry out cyber operations qualifying as a use of force.”17

The prohibition on the use of force knows two exceptions: military action authorized by the UN Security Council and the right to self-defence.18

According to article 39 of the UNC in conjunction with articles 41 and 42, when the UN Security Council determines a “threat to the peace, breach of the peace, or act of aggression” and in order to “maintain or restore international peace and security” it may decide to employ measures not involving the use of force19, such as economic sanctions; or, depending on the circumstances and severity of certain situations, it may authorize the use of force20.

Article 51 of the UNC also provides Member states with the right of individual or collective self-defence “if an armed attack occurs against a Member of the United Nations, until the Security Council has taken the measures necessary to maintain international peace and security”. First of all, the right of self-defence requires the existence of an armed attack. According to the ICJ “an armed attack must be understood as including not merely action by regular armed forces across an international border, but also "the sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to" (inter alia) an actual armed attack conducted by regular forces, "or its substantial involvement therein"”.21 Also, according to the ICJ the important criteria to assess whether an operation amounts to an armed attack are its “scale and effects”22, meaning its gravity. The International Experts Group, in the Tallinn Manual, seems to have followed the ICJ reasoning, accepting that sometimes self-defence can be directed against armed groups23 and using the same criteria to assess the concept of armed attack.

16 Commentary on Rule 11 of the Tallinn Manual

17 Commentary on Rule 12 of the Tallinn Manual

18 Self-Defence shall be dealt with infra in Chapter 5.3

19 Article 41 UNC

20 Article 42 UNC

21 ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, § 195 [online].

Secondly, the wording of the quoted provision establishes a temporal limit by which the right of self-defence only lasts until the Security Council takes measures to restore or maintain peace and security. Related reporting obligations also result from the Tallinn Manual.24

A state is obligated to report to the Security Council any time it exercises its right of self-defence. Moreover, even though not expressly indicated in the abovementioned provision, the measures adopted in self-defence must also observe the conditions of necessity and proportionality.25 The Tallinn Manual also contains a rule conditioning self-defence to necessity and proportionality. Regarding necessity, it should be assessed whether or not there are alternative courses of action that do not rise to the level of a use of force and that are sufficient to repel the attack.26 Once the use of force is concluded to be necessary, proportionality permits assessing how much force is permissible. Rule 15 of the Tallinn Manual goes further than article 51 of the UNC and seems to expressly allow anticipatory self-defence.27

Finally, it should be highlighted that private individuals and armed groups are excluded from the scope of article 2(4) of the UNC. In such a case, cyber operations may be unlawful (domestically or even internationally) but will not amount to a violation of the prohibition on the use of force. Nevertheless, article 2(4) will be applicable when the cyber operations conducted by such actors are attributable, under the law of state responsibility, to a state, given that the state would be accountable for the violation. This would be the case, which will be examined below, where an organized group of Patriotic Hackers conducts cyber operations under the direction and control of the State.

22 Ibid

23 For instance when acting on behalf of a state

24 Rule 17 of the Tallinn Manual

25 Ibid, § 194

26 Commentaries on Rule 14 of the Tallinn Manual

27 Gill, T. D. and Ducheine, P. A. L. also consider that there can be anticipatory self-defence and this can take the form of simultaneous cyber operations and kinetic conventional attack or one of each. See Gill, T. D. and Ducheine, P. A. L., Anticipatory Self-Defense in the Cyber Context, International Law Studies, Vol 89, 2013 [438-471]

2.2. Jus in bello

Regarding jus in bello, a first question arises as to which law is applicable to cyber armed conflicts. As a matter of fact, none of the international humanitarian law treaties foresee application to cyber warfare operations, which can be easily explained by the fact that cyber warfare is a very recent phenomenon. Here, it seems adequate to follow the reasoning of the ICJ according to which the Court found that the Law of Armed Conflict principles apply “to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future.”28 Thus it should be concluded that cyber armed conflict, in the absence of a specific legal instrument with binding force such as an international treaty, is regulated by the International Humanitarian law rules and principles.

Therefore this thesis shall recall important principles of the IHL and International Customary law. Aside from that, in 2012 an International Group of Experts, at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence, prepared an important document regarding the subject discussed in the present work: the “Tallinn Manual on the International Law Applicable to Cyber Warfare.” Although it is doctrine and not legally binding, it comprehensively addresses the question of the applicability of law within the cyber operations context, hence it will also serve as a basis for the present work.

One final note should be added regarding the question of the law applicable to cyber armed conflict. Even if it was not possible to conclude that IHL rules and principles were applicable de jure to cyber warfare, that would not imply some kind of legal vacuum. In that case the “Martens Clause” would always be applicable, according to which “Until a more complete code of the laws of war has been issued, the High Contracting Parties deem it expedient to declare that, in cases not included in the Regulations adopted by them, the inhabitants and the belligerents remain under the protection and the rule of the principles of the law of nations, as they result from the usages established among civilized peoples, from the laws of humanity, and the dictates of the public conscience.”29

28 ICJ, 8-07-1996, Legality of the threat or use of nuclear weapons, Advisory Opinion, § 86 [online]

29 Preamble of the 1907 Hague Convention IV. See also article 63 of the Geneva Convention I, article 62 of the Geneva Convention II, article 142 of the Geneva Convention III and article 158 of the Geneva Convention IV.

2.2.1. International and non-international cyber armed conflict

Armed conflicts have historically been classified as international or non-international. According to Rule 22 of the Tallinn Manual, “an international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations, occurring between two or more states.”30 This definition closely follows the one provided by Common Article 2 of the 1949 Geneva Conventions and customary law. Thus, under the mentioned definition, two conditions are required for an international armed conflict to exist. First, it must be international in the sense that two different States must be party to the conflict on opposing sides.31 Aside from this, an armed conflict can also be international when “peoples are fighting against colonial domination and alien occupation and against racist régimes in the exercise of their right of self-determination”32, provided that the State is a party to the AP I. Second, an international armed conflict must also be “armed”, which means that there must be hostilities between the states involved, with kinetic and cyber operations or stand-alone cyber operations. Regarding the threshold of violence that must be attained in order to classify the conflict as such, evaluation of the incidents must be made on a case-by-case basis.

The Tallinn Manual provides in Rule 23 that “A non-international armed conflict exists whenever there is protracted armed violence, which may include or be limited to cyber operations, occurring between governmental armed forces and the forces of one or more armed groups, or between such groups. The confrontation must reach a minimum level of intensity and the parties involved in the conflict must show a minimum degree of organization.” The rule closely follows customary international law and Common Article 3 of the 1949 Geneva Conventions. Accordingly, non-international armed conflicts are protracted armed violence between governmental authorities and organized armed groups or between such groups within a State. Note two basic requirements for the existence of a non-international armed conflict: the “armed violence must be of sufficient intensity and the parties must be sufficiently organized.”33 The ICTY case law established some indicative factors of intensity34 and organization35 criteria. As to the geographical scope of non-international armed conflicts, also note that “the fact that an armed conflict is not limited to the territory of a single state does not mean, without more, that a non-international armed conflict changes its character and is to be considered international.”36 That may be the case of the so-called transnational armed conflicts. The distinction between international and non-international armed conflicts “rests on the question who the parties to the armed conflict are.”37 Thus a cyber operation may be conducted by an organized group from the territory of another State without this fact alone meaning a change in the classification of the conflict.

30 This definition follows closely the definition provided by common article 2 of the 1949 Geneva Conventions and customary law.

31 The required stateness opposition does not mean that non-state actors cannot, under certain conditions, participate in international armed conflicts. This will be dealt with further. See Chapter 3.2

32 Article 1(4) of the Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977.

2.2.2. Personal status

There is no prohibition on anyone participating in hostilities. The Tallinn Manual restates this customary law principle in its Rule 25. Nevertheless, the law of armed conflicts attaches consequences to participation, namely regarding combatant immunity, prisoner of war status and targetability.

International Humanitarian Law provides for different personal statuses, depending on the nature of the armed conflict.

33 Jann K. Kleffner. 2014, Scope of Application of International Humanitarian Law, in The Handbook of International Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press [49]

34 In Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj, IT-04-84-T, ICTY Appeals Chamber, Judgement, 3 April 2008, para. 49 as to intensity included such factors as “the number, duration and intensity of individual confrontations; the type of weapons and other military equipment used; the number and calibre of munitions fired; the number of persons and type of forces partaking in the fighting; the number of casualties; the extent of material destruction; and the number of civilians fleeing combat zones”

35 In Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj, IT-04-84-T, ICTY Appeals Chamber, Judgement, 3 April 2008, para. 60 as to organization included such factors as “indicative factors include the existence of a command structure and disciplinary rules and mechanisms within the group; the existence of a headquarters; the fact that the group controls a certain territory; the ability of the group to gain access to weapons, other military equipment, recruits and military training; its ability to plan, coordinate and carry out military operations, including troop movements and logistics; its ability to define a unified military strategy and use military tactics; and its ability to speak with one voice and negotiate and conclude agreements such as cease-fire or peace accords.”

36 Jann K. Kleffner. 2014, Scope of Application of International Humanitarian Law, in The Handbook of International Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press [50]

In International Armed Conflicts two statuses exist: combatants and civilians. Combatants comprise two groups: (i) the regular armed forces38, essentially the state armed forces, and (ii) “members of other militias and members of other volunteer corps, including those of organized resistance movements, belonging to a Party to the conflict and operating in or outside their own territory, even if this territory is occupied”39 provided that they satisfy the conditions prescribed in article 13 (2) of the Geneva Convention I. Qualifying as combatants means the entitlement to combatant immunity and prisoner of war status. Civilians are defined in negative terms as “all persons who are neither members of the armed forces of a party to the conflict nor participants in a levée en masse (…) and, therefore, entitled to protection against direct attack unless and for such time as they take a direct part in hostilities.”40

In the context of non-international armed conflicts there is no combatant status. Civilians are “all persons who are not members of State armed forces or organized armed groups of a party to the conflict … and, therefore, entitled to protection against direct attack unless and for such time as they take a direct part in hostilities.”41 So, as opposed to civilians who do not participate in hostilities, there are state-led armed forces and also non-state organized armed groups which are the non-state actor armed forces.

2.2.3. Direct participation in hostilities

2.2.3.1. Requirements

According to the ICRC Interpretive Guidance on the Notion of Direct Participation in Hostilities, “Acts amounting to direct participation in hostilities must meet three cumulative requirements: (1) a threshold regarding the harm likely to result from the act, (2) a relationship of direct causation between the act and the expected harm, and (3) a belligerent nexus between the act and the hostilities conducted between the parties to an armed conflict.”42 The Commentaries on Rule 35 of the Tallinn Manual show that the International Group of Experts agreed to these requirements.

38 According to article 13 (1) Geneva Convention I, include “Members of the armed forces of a Party to the conflict as well as members of militias or volunteer corps forming part of such armed forces”

39 See article 13 (2) of the Geneva Convention I

40 Melzer, N., Interpretive guidance on the notion of Direct Participation in Hostilities under International Humanitarian Law, ICRC, May 2009, p. 26

41 Melzer, N., Interpretive guidance on the notion of Direct Participation in Hostilities under

As to meeting the first requirement (threshold of harm), two alternatives are possible. The cyber operation must affect (or be intended to affect) the enemy's military capabilities or operations; it is not necessary that the act cause injury or death to persons or destruction to objects. Alternatively, the threshold of harm may also be met when the attacks are conducted against protected objects or persons and result, respectively, in destruction or in injury and death.43 In practice, a cyber-attack that causes (or is likely to cause) destruction of or damage to military infrastructure, thereby diminishing the military capabilities of the adversary, will meet the threshold.

As mentioned previously, there must also exist a relation of direct causality between the act and the harm. For this second requirement to be met the harm must be the consequence of the particular cyber-attack.44

Finally, for an action to qualify as direct participation in hostilities there must also be a belligerent nexus. This means that the operation must be linked to hostilities to the benefit of one party and consequently to the detriment of the other.

Once the three abovementioned requirements are met, the conduct of an individual can be qualified as direct participation in hostilities. On the other hand, cyber operations that do not meet all of the defining requirements may have a criminal nature, but have no relevance in the framework of the law of armed conflicts.

As a consequence of the qualification of conduct as direct participation in hostilities, individuals lose the protection against direct attack to which civilians are entitled, insofar and for as long as the participation lasts.

2.2.3.2. Temporal extension

As mentioned above, the suspension of protection from direct attack lasts for as long as civilians participate in hostilities. The question that arises is when does participation start and end?

42 Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under international humanitarian law, May 2009, ICRC [50]

43 Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under international humanitarian law, May 2009, ICRC [51]

44 The Commentary on rule 35 of Tallinn Manual gives as an example “the disruption to the enemy’s

First, the nature of cyber-attacks having “delayed effects” should be considered, where the action may not coincide with the moment when the related damage occurs. As such, it makes sense to follow the position (of the majority) of the International Experts Group expressed in the Commentaries of Rule 35 of the Tallinn Manual, according to which “the duration of an individual’s direct participation extends from the beginning of his involvement in mission planning to the point when he or she terminates an active role in the operation.”45

Another question concerns multiple and repeated cyber-attacks conducted by an individual: should the entire period of the attacks, or only the period of each attack, be considered as direct participation in hostilities? Reducing direct participation in hostilities to the temporal extension of each cyber-attack allows civilians to lose and regain civilian protection in between the attacks (the “revolving door” of civilian protection). Such a position can be considered as opening the door to abuse on the part of civilians. Nonetheless, the conduct of one cyber-attack does not allow a presumption of additional future cyber-attacks, and the future conduct of an individual cannot be predicted. Thus the most adequate position seems to be the one considering that direct participation in hostilities only exists for as long as each cyber-attack period takes place.46

2.2.4. Possibility of stand-alone cyber-attacks?

As already observed supra, the International Experts Group supported the view that cyber operations alone have the potential of rising to meet the threshold of an armed conflict and thus International Humanitarian law would be applicable. Even so, as of today there has not been such armed conflict wherein a party to the conflict resorted exclusively to the use of cyber weapons.

In this regard Sheldon asseverates that “The real threat lies not in stand-alone cyber attacks, but in cyber attacks accompanied by attacks and other actions in the physical realm”47 and thus considers cyber-attacks as only “meaningful when coupled with other, more traditional, threats.”48

45 Commentary on rule 35 of Tallinn Manual

46 In this way, Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under

Given the impossibility of predicting the evolution of cyber weapons and present-day society’s increasing dependency on technology, such a position seems quite conservative. A less restrictive approach might perhaps be more open to future possibilities. In line with Terry Gill (et al.), it seems acceptable that while unlikely, “the possibility of a stand-alone cyber attack, that is, one not occurring in conjunction with an attack employing traditional kinetic force, rising to the level of an armed attack cannot be ruled out”49, meaning that it should not be denied that in so far as a future cyber-operation meets the (abovementioned) conditions, it may rise to the threshold of armed conflict. As an example of a stand-alone cyber operation that could potentially turn into armed conflict, major concern surrounds the threat of cyber-attacks that could disrupt the US electric power grid, resulting in serious economic and national security consequences.50 On a related note, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported 198 cyber incidents against critical infrastructure sectors alone during 2012. Of those incidents, 41% were related to the energy sector.51 Even with these recorded instances, no large-scale cyber-operation has yet been carried out (at least none publicly known).

What has been seen so far are cyber operations in conjunction with conventional kinetic armed attacks. In the previously mentioned case of the Russia-Georgia conflict, the conventional kinetic armed attack was accompanied by cyber operations allegedly conducted by Patriotic Hackers against Georgian governmental and media websites. However, those cyber operations did not meet the threshold of a cyber-attack since they only resulted in defacement of targeted websites.

Another situation, as identified by Terry Gill (et al.), does present a case of combined cyber and kinetic force operations having been used: “in Operation Orchard, when Israel carried out an airstrike against the Al-Kibar nuclear facility in northern Syria in September 2007.”52 Reportedly, Israel conducted cyber operations to disrupt the Syrian national air defence system and thus successfully enabled an Israeli airstrike.53

47 Sheldon, J. B., State of the Art: Attackers and Targets in Cyberspace, Journal of Military and Strategic Studies, Volume 14, Issue 2, 2012, p. 18 [online via http://ww.w.jmss.org/jmss/index.php/jmss/article/viewFile/462/458]

48 Ibid

49 Gill, T. D. and Ducheine, P. A. L, Anticipatory Self-Defense in the Cyber Context, International Law Studies, Volume 89, 2013, p. 459-460 [online via http://dare.uva.nl/document/2/135180]

50 Robert Lenzner, Chinese Cyber Attack Could Shut Down U.S. Electric Power Grid [online via http://www.forbes.com/sites/robertlenzner/2014/11/28/chinese-cyber-attack-could-shut-down-u-s-electric-power-grid/]

51 InfoSecurity, National Electric Grid Remains at Significant Risk for Cyber-attack [online via http://www.infosecurity-magazine.com/news/national-electric-grid-remains-at/]

Therefore, while not ruling out the possibility for stand-alone cyber operations in the future, present expectation is that cyber-attack occurrence will accompany conventional kinetic attacks.

52 Gill, T. D. and Ducheine, P. A. L, Anticipatory Self-Defense in the Cyber Context, International Law Studies, Volume 89, 2013, p. 459-460 [online via http://dare.uva.nl/document/2/135180]; Daveed Gartenstein-Ross & Joshua D. Goodman, The Attack on Syria's al-Kibar Nuclear Facility, INFOCUS QUARTERLY, Spring 2009, [online via http://www.jewishpolicycenter.org/826/the-attack-on-syrias-al-kibar-nuclear-facility]

53 David A. Fulghum & Douglas Barrie, Israel Used Electronic Attack in Air Strike Against Syrian Mystery Target, AVIATION WEEK, Oct. 8, 2007 [online via http://www.freerepublic.com/focus/f-news/1908050/posts]

3. Patriotic Hackers

3.1. Characterization

As indicated in the Introduction chapter, Holt and Schell advance a definition according to which Patriotic Hackers are “citizens and expatriates engaging in cyber-attacks to defend their mother country or country of ethnic origin.”54 Similarly, Dinniss qualifies patriotic hackers as those “individuals and groups motivated by national and political aims”55 that conduct cyber-attacks.

According to the quoted definitions, Patriotic Hackers are therefore individuals who, having ties of allegiance towards a certain country (of nationality or ethnic related), conduct politically motivated cyber-attacks, in the name of a sense of patriotism, against perceived enemies of that country or against threats or attacks by those perceived enemies. While in principle Patriotic Hackers conduct cyber operations independently and of their own will, sometimes there can be – as dealt with below – some sort of connection with the country on behalf of which the cyber-attacks are conducted.

Several examples of Patriotic Hackers can be given: the Nashi Youth from Russia; the Red Hacker Alliance from China; and the Syrian Electronic Army from Syria.

Patriotic Hackers are distinguishable from other cyber actors. For instance, while Patriotic Hackers’ main concern is the defence of the country to which their patriotism is devoted, Hacktivists (such as “Anonymous”) are moved by political causes, human rights, and open access to information.56 In practice Hacktivists distinguish themselves from Patriotic Hackers by the absence of a sense of patriotism (at least exclusive), in that their political motivations may actually be aimed at national authorities of the country of nationality or ethnic related.57 Hacktivists are essentially activists who hack with the purpose of defending certain social issues.

54 Holt, T. J. and Schell, B. H., Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, New York: Information Science Reference, 2011 [online via New York: Information Science Reference, 2011]

55 Harrison Dinniss, H. 2013, Participants in Conflict – Cyber Warriors, Patriotic Hackers and Laws of War, in International Humanitarian Law and the Changing Technology of War, ed. Dan Saxon, Martinus Nijhoff [251]

56 For a more profound analysis on the difference between Hacktivists and Patriotic Hackers see Dahan, M. Hacking for the homeland: Patriotic Hackers Versus Hacktivists in Proceedings of the 8th International Conference on Information Warfare and Security (ICIW 2013), ed. Doug Hart, Academic Conferences and Publishing International Limited, 2013 [55]

It is questionable whether Cybercaliphate (the Islamic State of Iraq and Syria – hereafter ISIS – cyber arm) should be qualified as a Patriotic Hacker. In some sense Cybercaliphate could be considered as having motivations similar to those of Patriotic Hackers: conducting cyber-attacks against perceived enemies of the State. However, the motivation of Cybercaliphate is mostly (if not totally) the expansion and defence of their religion. Political motivations are relegated to a consequential level. Moreover, is ISIS a State in terms of International law, or is it rather an organized armed group? From a strictly (more or less) formal perspective – and independent of the question of international recognition – ISIS should not be qualified as a State, at least in the sense of the 1933 Montevideo Convention58, given that the criteria for statehood are not met. ISIS is an organized armed group. Thus the mentioned cyber arm of ISIS should not be qualified as a Patriotic Hacker group. Denning considers the Cybercaliphate as an entity parallel to Hacktivists and Patriotic Hackers.59

Regarding the organization and execution of cyber operations, Patriotic Hackers can act individually or as a group. The manner of organization of cyber-attacks can have legal consequences, as will be seen below. Regarding the organization and potential damage of attacks, there is no consensus. On one hand, some (probably alarmist60) media claim that one individual alone has the technological ability to bring down the entire network of a country61; on the other hand, according to other entities, “the most comprehensive of cyber attacks against a nation would be a substantial operation. The simultaneous targeting of an entire country’s most crucial government and critical infrastructure networks would be enormously complicated, and would likely require the type of resources only a state could leverage.”62

57 A practical example of the difference between Hacktivists and Patriotic Hackers is the one when th3j35t3r (the jester) – a known US Patriotic Hacker -, attacked Wikileaks, following the release of a collection of secret U.S. government documents. See, Neil J. Rubenking, Wikileaks Attack: Not the First by th3j35t3r, PCMAG, [online via http://www.pcmag.com/article2/0,2817,2373559,00.asp]

58 For instance ISIS lacks a defined territory and it is very doubtful whether it has the capability to enter into relations with other countries.

59 Denning, D. E., Cyber Conflict as an emergent Social Phenomenon in Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, (ed. Thomas J. Holt et al.) New York: Information Science Reference, 2011 [172]

60 At least given what we have witnessed so far.

61 Cristen Conger, Could a single hacker crash a country’s network? [online via http://computer.howstuffworks.com/hacker-crash-country-network1.htm]

Assessing the organization of cyber operations and attacks, the sections to follow will review the scenarios in which Patriotic Hackers have, or do not have, a relationship with the home State. In the case where Patriotic Hackers lack state sponsorship, further review will evaluate two subgroups: organized armed groups, and individuals and unorganized armed groups.

3.2. Patriotic Hacking attacks

Regarding the kind of attacks conducted by Patriotic Hackers, so far they have typically been limited to Web Defacements63, Distributed Denial of Service Attacks64 and Malware Attacks65. The following non-exhaustive list gives some examples of politically motivated attacks conducted by Patriotic Hackers.

| Victim State | Nationality of Hacker (or Group) | Type of Attack | Description |
| --- | --- | --- | --- |
| U.S.A. | Chinese | DDoS | In 1999, following the US accidental bombing of the Chinese embassy in Belgrade, Web sites at the departments of Energy and the Interior and the National Park and www.whitehouse.gov were the object of attack.66 |
| US/China | Honkers Union of China/US (or ally) Hackers | Web Defacement | Following an incident involving a US spy plane and a Chinese Jet Fighter, 80 US and 100 Chinese web sites were defaced.67 |
| Estonia | Russian (allegedly) | DDoS | Following a decision of the Estonian Authorities to relocate the Bronze Soldier Soviet war memorial in Tallinn, allegedly Russian Hackers, during a three week period, targeted Estonian governmental, private and media websites through a series of DDoS attacks.68 |
| Georgia | Russian Business Network | DDoS and Web defacement | In 2008, simultaneously with the conventional armed conflict that opposed the Russian Federation and Georgia over South Ossetia, Georgia governmental and media websites were the object of defacement and DDoS attacks.69 |
| U.S.A. | Syrian Electronic Army | Web defacement | In 2013 the Syrian Electronic Army, in face of the possibility of US Marines potentially being drawn to the Civil war in Syria, defaced the US Marines Corps web site.70 |

62 Alexander Klimburg (ed.), National Cyber Security Framework Manual, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia, 2012

63 Website defacement is an attack on a website that changes the visual appearance of the site or a webpage.

64 A DoS attack is a malicious attempt by a single person or a group of people to cause the victim, site, or node to deny service to its customers. When this attempt derives from a single host of the network, it constitutes a DoS attack. When it derives simultaneously from multiple malicious hosts coordinated to flood the victim with an abundance of attack packets, it is called a Distributed DoS or DDoS attack.

65 Malware is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other “bad” or illegitimate action on data, hosts, or networks. It comprises viruses, worms, Trojans, and bots.

66 Ellen Messmer, Kosovo cyber-war intensifies: Chinese hackers targeting U.S. sites, government says, CNN [online via http://edition.cnn.com/TECH/computing/9905/12/cyberwar.idg/]

The question is whether these attacks qualify as cyber-attacks that reach the threshold of a cyber armed conflict. The answer, as will be seen below, is negative. But then when do cyber-attacks (alone) reach such a threshold?

67 Sarah Left, Chinese and American hackers declare 'cyberwar', The Guardian [online via http://www.theguardian.com/technology/2001/may/04/china.internationalnews]

68 Ian Traynor, Russia accused of unleashing cyberwar to disable Estonia, The Guardian [online via http://www.theguardian.com/world/2007/may/17/topstories3.russia]

69 Jon Swaine, Georgia: Russia 'conducting cyber war', The Telegraph [online via http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html]

70 David Gilbert, Syrian Electronic Army Cyber Attacks Continue With US Marines Hack, IBTimes [online via http://www.ibtimes.co.uk/syrian-electronic-army-hacks-marine-website-hacked-503037]

3.3. Standalone Patriotic Hacking reaching the level of armed conflict?

3.3.1. International Armed Conflict

As mentioned above, an IAC is an armed conflict that opposes two or more states. In view of that, it seems accurate to say that Patriotic Hacking will only trigger an IAC when the cyber operations conducted by Patriotic Hackers are state sponsored and thus attributable to the state.71 Additionally, it would be necessary for the cyber-attacks conducted by the Patriotic Hackers to reach a certain degree of violence against the adversary.72 That would be the case where the cyber-attack resulted in damage or physical injury.

Another question is the required duration of the violence. In this regard the International Experts Group was divided. While some considered that a single cyber operation that caused “a fire to break out at a small military installation would suffice to initiate an international armed conflict”, others were of the view that “a single cyber incident that causes only limited damage, destruction, injury or death would not necessarily initiate an international armed conflict”.73

A cyber-attack aimed at the critical national infrastructure – such as the national power grid74 – causing severe damage to it and eventual destruction would suffice to meet the threshold of an armed attack.

The fact is that to date no (solely) cyber international armed conflict has happened. As mentioned before, none of the attacks listed in Chapter 3.2 met such a threshold. While the DDoS attacks in those cases were directed towards taking down websites, such attacks can also be targeted at servers or networks. Some believe that through DDoS attacks it is possible to disrupt “industrial control systems such as supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs)” or (at least) facilitate secondary attacks (for instance by implanting malware).75 76

71 See Rule 149 of IHL Customary International Law. The attribution to the state of the responsibility for operations conducted by a non-state actor shall also be dealt with infra in Chapter 4.2.

72 Article 49(1) AP I

73 See Commentaries to Rule 22 of Tallinn Manual

74 The NSA Director has already stated that at least China has the ability to take down US power grids. See Ken Dilanian, NSA Director: Yes, China Can Shut Down Our Power Grids, Business Insider [online via http://uk.businessinsider.com/nsa-director-yes-china-can-shut-down-our-power-grids-2014-11?r=US]

75 See Sahba Kazerooni, The Growing Threat of Denial-of-Service Attacks, Electric Light & Power, [online via http://www.elp.com/articles/powergrid_international/print/volume-20/issue-2/features/the-growing-threat-of-denial-of-service-attacks.html]

Notwithstanding what has been said so far, it seems that the assessment on whether a conflict reaches the threshold of a cyber armed conflict has to be made on a case-by-case basis.

3.3.2. Non-International Armed Conflict

Regarding NIAC, a first distinction should be readily established. Under AP II a NIAC is one which, taking place in the territory of a High Contracting Party, opposes its “armed forces to a dissident armed forces or other organized armed groups which, under responsible command, exercise such control over a part of its territory as to enable them to carry out sustained and concerted military operations”.77 Given that cyber operations alone are insufficient to constitute physical control over a territory, a standalone Patriotic Hacking operation reaching the threshold of a NIAC is not possible under the AP II.

However, Common Article 3 does not require physical control of the territory. Two situations can be devised: (i) a NIAC where Patriotic Hacking operations are conducted against a rebel armed group; and (ii) a NIAC where Patriotic Hackers – not acting on behalf of their country or homeland78 -, attack another country.

The threshold of Common Article 3 is lower than the one established by AP II. Under the former, the existence of a NIAC depends on the level of violence taking place and the degree of organization of the parties to the conflict. For the threshold to be met, as developed in the Tadic case, protracted armed violence between organized armed groups and/or a State is required. It should be noted that a sporadic cyber-attack will not meet the threshold, rising only to the level of internal disturbances. Continuity of violence is also required. The group must also be an organized armed group. For that purpose, “armed” should be understood as having the ability to conduct cyber-attacks, whereas “organized” implies a certain organizational structure, acting in coordination towards a common objective. The organization criterion always has to be assessed on a case-by-case basis.

76 ICS are command and control networks and systems designed to support industrial processes – for instance SCADA (Supervisory Control and Data Acquisition) systems. They allow local field operations, such as opening and closing valves and monitoring and controlling the local conditions, to be controlled from a remote location.

77 Article 1(1) AP II

In the case of a NIAC where Patriotic Hacking operations are conducted against a rebel cyber armed group, one practical example that could be mentioned would be cyber-attacks directed towards disrupting the communication ability of the rebel groups by, for instance, destroying the computers or the network communications.

On the other hand, in a NIAC where Patriotic Hackers – not acting on behalf of their country or homeland79 -, attack another country, a practical example could be the one (already mentioned above regarding IAC) of conducting cyber-attacks against the National Critical Infrastructure (e.g., telecommunications and electrical power grids) with such violence as to disrupt or destroy it.

3.4. State sponsored Patriotic hackers

As previously mentioned, the legal status of combatant essentially comprises two groups: (i) the regular armed forces80 - essentially the state armed forces -, and (ii) “members of other militias and members of other volunteer corps, including those of organized resistance movements, belonging to a Party to the conflict and operating in or outside their own territory, even if this territory is occupied”81 provided that they satisfy the following conditions: “(a) commanded by a person responsible for his subordinates; (b) having a fixed distinctive sign recognizable at a distance; (c) carrying arms openly; and, (d) conducting their operations in accordance with the laws and customs of war.”82

Following this, a group of civilian hackers that conducts cyber operations with state sponsorship could be included in the second category of combatants, as irregular armed forces. Of course, to be considered as such, the abovementioned conditions have to be fulfilled. Insofar as they fulfil the mentioned conditions, one could mention as an example the case of China recruiting unpaid civilians from the hacker community and high tech companies into their cyber militia.83 Another example is the Estonian Cyber Defence League - “an all-volunteer paramilitary force dedicated to maintaining the country's security and preserving its independence.”84 - that includes not only government agencies but also private specialists.

Regarding the condition that a group is commanded by a person responsible for the subordinates, this may likely be a somewhat natural consequence of the organization of a group. The fact that the “cyber” group is only virtual and has no physical contact does not necessarily mean that the condition is not fulfilled. Insofar as there is organization85 and a “chain of command” exists, it could be argued that the condition of leader responsibility is fulfilled.

79 Otherwise – if acting on behalf of – the conflict is internationalized

80 According to article 13 (1) Geneva Convention I, include “Members of the armed forces of a Party to the conflict as well as members of militias or volunteer corps forming part of such armed forces”

81 See article 13 (2) of the Geneva Convention I

82 Ibid

83 Anthony Capaccio, China Most Threatening Cyberspace Force, U.S. Panel Says [online via http://www.bloomberg.com/news/articles/2012-11-05/china-most-threatening-cyberspace-force-u-s-panel-says]; Shannon Tiezzi, China (Finally) Admits to Hacking [online via

As to the condition of bearing a distinctive sign, this corresponds to the undisputed customary rule of International Humanitarian Law that combatants must distinguish themselves from the civilian population. This requirement is a rule of customary international law, which has been codified in the Geneva Convention III86 and the Additional Protocol I87.

The final condition for combatant status is the obligation of conducting operations in accordance with the laws and customs of war. Without prejudice to such obligation, there can be cases of violation of the Law or Customary Law by certain individuals within the group – as may also happen within conventional warfare. Failure by individuals to comply with the obligation of respecting the law does not mean that they lose their legal status of combatants, but only that they may be tried for their actions, namely for war crimes.

The concept of Civilian Hackers sponsored by the State could at some point be confused with the concept of mercenaries. Article 47 (2) of the Additional Protocol I88 defines the concept of mercenary. Without extending too much on this particular topic: Patriotic Hackers are individuals who, having ties of allegiance towards a certain country (of nationality or ethnic related), conduct politically motivated cyber-attacks against perceived enemies of that country, in the name of a sense of patriotism. Given that their motivation is not private monetary gain, no such confusion should arise.

buffer]; Mandiant, APT1 Exposing One of China’s Cyber Espionage Units [online via http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf]

84 Tom Gjelten, Volunteer Cyber Army Emerges In Estonia [online via http://www.npr.org/2011/01/04/132634099/in-estonia-volunteer-cyber-army-defends-nation]

85 The concept of organization shall be discussed in detail infra. See Chapter 3.3.1

86 See article 4 (A)

87 See article 44(3)

88 A mercenary is “any person who: (a) is specially recruited locally or abroad in order to fight in an armed conflict; (b) does, in fact, take a direct part in the hostilities; (c) is motivated to take part in the hostilities essentially by the desire for private gain and, in fact, is promised, by or on behalf of a Party to the conflict, material compensation (…); (d) is neither a national of a Party to the conflict nor a resident of territory controlled by a Party to the conflict; (e) is not a member of the armed forces of a Party to the conflict; and (f) has not been sent by a State which is not a Party to the conflict on official duty as a member of its armed forces.”

As will be discussed below the fact that states sponsor the conduct of cyber operations will have important consequences, namely the eventual accountability of those states for wrongful acts resulting from such operations.

Based on the information provided, it should be concluded that whenever Patriotic Hackers are conducting cyber operations that are state-sponsored, and insofar as the conditions prescribed in article 13 (2) of the Geneva Convention I are met, the hacker parties should be considered as irregular armed forces. In such case, Patriotic Hackers should be recognized under the legal status of combatants, thus being entitled to all the rights and obligations of such status, for instance prisoner of war status. In cases where the conditions of the abovementioned provision are not met, the Patriotic Hacker, even if state-sponsored, does not attain combatant status.

3.5. Non-State sponsored Patriotic Hackers

3.5.1. Organized Armed Groups

The concept of organized armed groups (hereafter, OAG) is of utmost importance within non-international armed conflicts, which exist when there is protracted armed violence between governmental authorities and organized armed groups or between such groups within a State.89 The threshold of a NIAC is met with a certain intensity of hostilities and the involvement of an organized armed group.

As previously noted, the ICTY jurisprudence identifies some factors that can help assess the required intensity and organization of the armed group.90

As to the required intensity of hostilities, no stand-alone cyber operations conducted by non-State actors that rise to the level of triggering a non-international armed conflict have yet occurred within the cyber realm, although the future possibility of such should not be ruled out. Certainly, governmental website defacements – as those that have been carried out thus far – do not suffice to meet the requirements of intensity. Regarding the required organization criteria, hackers who work individually (or autonomously) can immediately be dismissed from consideration. For the remainder, the International Experts Group devised two categories: groups of individuals that operate “collectively” and those that operate “cooperatively”. The former would be the case of those who lack coordination in conducting attacks despite acting simultaneously and with a shared purpose. The latter would be the case of those who have such coordination or, as the International Experts Group describes it: “a distinct online group with a leadership structure that coordinates its activities by, for instance, allocating specified cyber targets amongst themselves, sharing attack tools, conducting cyber vulnerability assessments, and doing cyber damage assessment to determine whether ‘reattack’ is required”.91 Although it seems that this described situation would be the only case in which the organization criteria were satisfied, the collective conclusion appears to be that evaluation of meeting the organization criteria must be done on a case-by-case basis.

89 Prosecutor v. Tadic, IT-94-1, ICTY Appeals Chamber, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, 2 October 1995, para. 70

The organization of a cyber armed group differs from that of conventional organized armed groups. In the Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj Case, the ICTY stated as indicative factors of organization – aside from others -, the existence of a headquarters and control of territory. Such factors are irrelevant to the qualification of the level of organization of a cyber armed group. Another important difference: no physical presence and meeting is required for the existence of the organization.

Nevertheless it appears that the conclusion on the satisfaction of the organization criteria depends on an evaluation on a case-by-case basis.

Within a NIAC, organized armed groups are understood as the armed forces of the non-state actor. Thus, Patriotic Hackers who are members of an organized armed group, “whose continuous function involves the preparation, execution, or command of acts or operations amounting to direct participation in hostilities are assuming a continuous combat function”.92 Therefore in the case of organized armed groups the participation in hostilities does not qualify as DPH.

But it is not only in NIAC that organized armed groups may have relevance while conducting cyber operations. During an IAC, Patriotic Hackers as an organized armed group not belonging to a party to the conflict could conduct cyber-attacks against another party to the conflict. In such a scenario, given that they did not belong to any of the parties in the conflict, they would not be seen as part of those armed forces. Therefore they would retain a civilian status. Thus, insofar as the conditions are met, civilians involved with an organized armed group that does not belong to a party to the conflict, but engages in hostilities, would be in DPH.

91 Commentary on Rule 23 of the Tallinn Manual

92 Melzer, N., Interpretive guidance on the notion of Direct Participation in Hostilities under

As earlier discussed in the Introduction chapter, during the conflict that opposed the Russian Federation and Georgia over South Ossetia – simultaneously with a conventional armed conflict conducted by both States, which qualified as an IAC – several Distributed Denial of Service (DDoS) cyber-attacks were conducted against Georgian network servers, consequently disrupting many (governmental and media) websites. These cyber-attacks – according to public reports – were carried out by groups of hackers (namely the RBN) without any connection to the state.93 Russian authorities denied allegations of linkage. However, regarding the nature of the cyber-attacks conducted, the threshold of a cyber armed conflict was not met. Thus the actions conducted by the RBN were not relevant under International Humanitarian Law.

3.5.2. Unorganized Armed Groups or individuals

A third category comprises armed groups that do not satisfy the organization criteria and hackers that act individually.

As a matter of fact, Patriotic Hackers may also act and conduct cyber operations, individually or as an unorganized armed group, only on the basis of their beliefs, namely, the defence of their homeland or ethnic origins, and without any support from or cooperation with other individuals or sponsorship by the State.

The participation of such actors in hostilities has important consequences. For instance, if an individual participates in hostilities, the protection against being targeted is lost for as long as that participation takes place.

But when should the actions conducted by patriotic hackers during armed conflicts be qualified as DPH? As already stated above94, three requirements must be met: a threshold of harm; there must be a relation of direct causality between the act and the harm; and there must also be a belligerent nexus. In practice this means that cyber operations conducted by unorganized armed groups or individuals will be qualified as DPH whenever they conducted cyber operations, on behalf of one party to the conflict, that either were intended to affect or did affect the enemy's military capabilities or operations (it not being necessary that the act cause injury or death to persons or destruction to objects) or, alternatively, the attacks must be conducted against protected objects or persons and result, respectively, in destruction or in injury and death, the resulting harm being a consequence of the cyber-attack.

93 John Markoff, Before the Gunfire, Cyberattacks, The New York Times [online via http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0]

Such would be the case if an unorganized group conducted a cyber-attack, within a NIAC, against a rebel armed group, aimed at destroying that group's communications equipment and in that way disrupting them.


4. Attribution and legal responsibility for cyber attacks

Attribution of cyber operations is of extreme relevance for states. For instance, the exercise of self-defence by a victim State is dependent upon determining who conducted the cyber-attack, meaning the identification of the group (state sponsored) or the State that conducted such an operation.

While in conventional armed conflicts involving kinetic attacks such attribution is easier - given for instance that weapons and military personnel are clearly identified - within the cyber realm attribution poses a real problem. As a matter of fact, the anonymity potential of internet activity – as well as the constant development of technologies – makes the task of determining accurate attribution very difficult.

Furthermore, even when some certainty can be ascertained regarding the origin of an attack, it remains questionable whether an individual acted alone or if there was any state involvement; and thus who should be considered as legally responsible?

Attribution encompasses two dimensions: technical attribution and legal attribution.

4.1. Technical attribution

Technical attribution is the way by which computer forensic techniques are employed to determine the “identity or location of an attacker or an attacker’s intermediary.”95 In terms of location it may be physical, or an IP96 or MAC address97.

Many problems arise in pinpointing technical attribution. For instance, in a DDoS attack, a network of bot computers – computers infected by, for example, Trojan horses – is used, so an attack will appear to have multiple (intermediary) origins, and determining the actual origin is complex. Additionally,

95 Wheeler, D. A., Techniques for Cyber Attack Attribution, Institute for Defense Analyses, October 2003


96 An IP address consists of four sets of numbers from 0 to 255, separated by three dots, assigned by the Internet Service Provider (ISP). An IP address can be static (which is always the same) or dynamic (which changes every time the system is logged on).

97 MAC Address stands for "Media Access Control Address," and is a hardware identification number that uniquely identifies each device on a network. The MAC address is manufactured into every network card, such as an Ethernet card or Wi-Fi card, and therefore in principle cannot be changed. See <http://techterms.com/definition/macaddress>
