“PATRIOTIC HACKERS”: NON-STATE ACTORS FIGHTING WARS FOR STATES?

Nuno Jorge Carvalho Barata
Student Number 10763376
Supervisor: Professor Terry Gill

Table of Contents

1. Introduction
2. Cyber Armed Conflict
2.1. Jus ad bellum
2.2. Jus in bello
2.2.1. International and non-international cyber armed conflict
2.2.2. Personal status
2.2.3. Direct participation in hostilities
2.2.4. Possibility of stand-alone cyber-attacks?
3. Patriotic Hackers
3.1. Characterization
3.2. Patriotic Hacking attacks
3.3. Standalone Patriotic Hacking reaching the level of armed conflict?
3.3.1. International Armed Conflict
3.3.2. Non-International Armed Conflict
3.4. State sponsored Patriotic hackers
3.5. Non-State sponsored Patriotic Hackers
3.5.1. Organized Armed Groups
3.5.2. Unorganized Armed Groups or individuals
4. Attribution and legal responsibility for cyber attacks
4.1. Technical attribution
4.2. Legal attribution
4.2.1. State Sponsored
4.2.2. Non-State Sponsored
4.3. The Principle of Sovereignty: a duty of prevention
5. Conclusions
6. Bibliography
6.1. Literature
6.2. Table of Cases


Abbreviations

AP I: Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I) of 8 June 1977
AP II: Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of non-International Armed Conflicts (Protocol II) of 8 June 1977
ARSIWA: Articles on Responsibility of States for Internationally Wrongful Acts
DDoS: Distributed Denial of Service
DPH: Direct Participation in Hostilities
IAC: International Armed Conflict
ICJ: International Court of Justice
ICRC: International Committee of the Red Cross
ICSCERT: Industrial Control Systems Cyber Emergency Response Team
ICTY: International Criminal Tribunal for the Former Yugoslavia
IHL: International Humanitarian Law
ILC: International Law Commission
ISIS: Islamic State of Iraq and Syria
PLA: People’s Liberation Army
NATO: North Atlantic Treaty Organization
NIAC: Non-International Armed Conflict
NSA: National Security Agency
OAG: Organized Armed Group
RBN: Russian Business Network
UK: United Kingdom
US: United States of America
UN: United Nations
UNC: United Nations Charter
UNSC: United Nations Security Council


1. Introduction

Cyber-attacks are emerging as one of the biggest concerns for governments, corporations, and individuals. The numbers show some reason to worry. For instance, focusing only on the Distributed Denial of Service (DDoS) type of attack, during 2014 alone an estimated 3 to 4 million attacks were conducted.1 The motivation for the attacks varies. They may be perpetrated to obtain a financial gain (cyber-crime), intellectual property (cyber espionage), or for other reasons. For the present work not all kinds of cyber-attacks are relevant. This thesis will focus only on cyber-attacks conducted within, or that rise to the status of, armed conflict: cyber warfare.

A number of cyber-attack definitions can be found throughout the relevant literature. For instance, cyber-attack has been defined as an attack by a hostile nation against the networks of another to cause disruption or damage.2 In the 2006 United States National Military Strategy for Cyberspace Operations3, cyberwar was termed as “computer network operations” (CNO) which comprises computer network attacks4 (CNA), computer network defence5 (CND) and “related computer network exploitation enabling operations”6 (CNE). The Tallinn Manual provides a more accurate and comprehensive definition of cyber-attack considering it as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”7 One important note to consider is that although the wording only refers to objects and persons, the International Expert Group states in the Commentaries that cyber operations against data are also included in the scope of cyber-attack, at least whenever such attack results in the injury or death of individuals or damage or destruction of physical objects.

1 2015 Security Threat Report, April 2015 Volume 20, Symantec, p. 44 [online via https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf]
2 Shackelford, S. & Andres, R. State responsibility for cyber attacks: competing standards for a growing problem, Georgetown Journal of International Law, 2010-, p. 971-1016 [online via HeinOnline]
3 United States Department of Defense (DoD), The National Military Strategy for Cyberspace Operations, 2006, GL-1 < http://www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf>
4 “Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”, See note 2
5 “Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks”, See note 2
6 “Enabling operations and intelligence collection to gather data from target or adversary automated information systems or networks”, see note 2
7 Rule 30 of the Tallinn Manual

One of the first examples of cyber warfare occurred in 1999, during the Kosovo conflict, when pro-Serbian groups of hackers, such as the so-called “Black Hand”, conducted cyber-attacks against NATO, US and UK computers with the goal of disrupting their military operations.8 Another example of this kind of attack occurred in August 2008, during the conflict between the Russian Federation and Georgia over South Ossetia. While a traditional armed conflict was under way, Georgia was the target of cyber-attacks. According to what is publicly known, the cyber-attacks were not conducted by the Russian government (namely its armed forces), but rather by Russian civilian hackers. Several Distributed Denial of Service (DDoS) attacks were carried out against Georgian network servers, disrupting many (governmental and media) websites. More recently, within the Russia-Ukraine conflict it has been reported that pro-Russian groups (for instance, the CyberBerkut) have, allegedly without official support, been conducting cyber operations against the Ukraine.9

One feature is common to the given examples: the individuals that are conducting cyber-attacks are generally not part of the armed forces. These individuals are sometimes called “Patriotic Hackers”. Holt and Schell advance a definition of Patriotic Hackers, considering them as “citizens and expatriates engaging in cyber-attacks to defend their mother country or country of ethnic origin. Typically, patriotic networks attack the websites and email accounts of countries whose actions have threatened or harmed the interests of their mother country”10. Thus the “hackers” are not (or at least don’t appear to be) regular armed forces.
Nonetheless, as seen in the examples mentioned above, the non-state led cyber-attacks often serve State interests even without having any (official) linkage between them.

8 Geers, K., Cyberspace and the Changing Nature of Warfare, Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia, [online via https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Geers/BlackHat-Japan-08-Geers-Cyber-Warfare-Whitepaper.pdf]
9 Boulet, G., Cyber Operations by Private Actors in the Ukraine-Russia Conflict: From Cyber War to Cyber Security, American Society of International Law, Volume 19, Issue 1, January 07, 2015 [online via http://www.asil.org/insights/volume/19/issue/1/cyber-operations-private-actors-ukraine-russia-conflict-cyber-war-cyber]
10 Holt, T. J. and Schell, B. H., Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, New York: Information Science Reference, 2011 [online via New York: Information Science Reference, 2011]


Chapter 2 will start by focusing on the definition of cyber armed conflict (both international and non-international), the law applicable and the status of persons involved in such conflicts. After having set a clear definition of cyber armed conflict and of the applicable legal framework, the legal consequences of Patriotic Hacking will be surveyed, including those arising from International law applicable to cyber warfare (namely if their actions are to be considered as Direct Participation in Hostilities, hereafter DPH). Thus Chapter 3 will address the legal consequences of cyber-attack activities conducted by patriotic hackers within a cyber armed conflict. But how and when can a cyber-attack be attributable to an individual or group? The answer to this question is twofold: on one hand there is the question of technical attribution, meaning that first it is necessary to identify the person or group that conducted the attack by technical means; on the other hand it has to be determined whether the attack can be legally attributed to the person (or eventually to a state). Chapter 4 will be dedicated to the question of attribution of attacks to individuals in the cyber realm and the (possible) connection with the state. Given the potential for anonymity with internet use – as well as the constant development of relevant technologies - the task of pinpointing the cyber-conflict source can pose substantial difficulty. Nevertheless, the feat of determining the responsible parties (attribution) is not impossible. After examining the dynamics of cyber-attack attribution, Chapter 5 will review the nature of the responsibility that arises from cyber-attacks conducted by Patriotic Hackers. In this context I shall also assess whether the conduct of patriotic hackers can be attributed and whether this can originate state responsibility. 
The research and subsidiary questions shall be addressed on the basis of applicable international law, in particular the legal framework given by IHL and academic literature such as The Tallinn Manual on International Law Applicable to Cyber Warfare and doctrine and other leading publications.


2. Cyber Armed Conflict

2.1. Jus ad bellum

Jus ad bellum is the set of rules that govern “when resort to armed force is permissible”11 as opposed to jus in bello, which is “the law applicable to the conduct of hostilities that applies once a party has entered into armed conflict”. The most important provisions of jus ad bellum are found in the United Nations Charter: Article 2(4) and Chapter VII. Article 2(4) provides that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” Being, as it is, a rule of customary international law12, both UN members and non-member states are bound by the principle. Furthermore, given that the ICJ stated that “These provisions do not refer to specific weapons. They apply to any use of force, regardless of the weapons employed”13, it seems accurate to conclude that cyber-attacks are not excluded from the scope of the mentioned provision. Rule 10 of the Tallinn Manual states a similar principle of prohibition on the use of force.

But what is “use of force” and “threat of the use of force” within cyber warfare? According to the view expressed in the Tallinn Manual “a cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”14 For an action to be qualified as a use of force, it does not need to be conducted by the State armed forces.15 But when and how can it be assessed whether a cyber-attack reaches the threshold of use of force? The dominant approach bases the assessment on the effects of the action, according to which a cyber operation qualifies as a use of force when its outcome results in physical damage and/or human injury or death. This latter approach seems to have been the one adopted by the International Expert Group on the Tallinn Manual. The Expert Group advanced a non-exhaustive list of factors that could help in the use of force assessment, namely: severity, immediacy, directness, invasiveness, measurability of effects, military character, state involvement and presumptive legality.16

11 O’Connell, M. E., Historical Development and Legal Basis, in The Handbook of International Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press [1]
12 ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, § 190 [online].
13 ICJ, 8-07-1996, Legality of the threat or use of nuclear weapons, Advisory Opinion, § 39 [online]
14 Rule 11 of the Tallinn Manual
15 As will be seen infra, cyber operations can also be conducted by other state organs and – under certain conditions – even operations by private actors can be qualified as use of force by the state.

Regarding the threat of the use of force, Rule 12 of the Tallinn Manual advances that “a cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force.” Regarding this rule, the International Experts Group devised two situations of the threat of the use of force: “a cyber operation that is used to communicate a threat to use force” and “a threat conveyed by any means (…) to carry out cyber operations qualifying as a use of force.”17

The prohibition on the use of force knows two exceptions: military action authorized by the UN Security Council and the right to self-defence.18 According to article 39 of the UNC in conjunction with articles 41 and 42, when the UN Security Council determines a “threat to the peace, breach of the peace, or act of aggression” and in order to “maintain or restore international peace and security” it may decide to employ measures not involving the use of force19, such as economic sanctions; or, depending on the circumstances and severity of certain situations, it may authorize the use of force20.

Article 51 of the UNC also provides Member states with the right of individual or collective self-defence “if an armed attack occurs against a Member of the United Nations, until the Security Council has taken the measures necessary to maintain international peace and security”. First of all, the right of self-defence requires the existence of an armed attack.
According to the ICJ “an armed attack must be understood as including not merely action by regular armed forces across an international border, but also "the sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to" (inter alia) an actual armed attack conducted by regular forces, "or its substantial involvement therein”.21 Also, according to the ICJ the important criteria to assess whether an operation amounts to an armed attack are its “scale and effects”22, meaning its gravity.

16 Commentary on Rule 11 of the Tallinn Manual
17 Commentary on Rule 12 of the Tallinn Manual
18 Self-defence shall be dealt with infra in Chapter 5.3
19 Article 41 UNC
20 Article 42 UNC
21 ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, § 195 [online].

The International Experts Group, in the Tallinn Manual, seems to have followed the ICJ reasoning, accepting that sometimes self-defence can be directed against armed groups23 and using the same criteria to assess the concept of armed attack. Secondly, the wording of the quoted provision establishes a temporal limit by which the right of self-defence only lasts until the Security Council takes measures to restore or maintain peace and security. Related reporting obligations also result from the Tallinn Manual.24 A state is obligated to report to the Security Council any time it exercises its right of self-defence. Notwithstanding, even though not expressly indicated in the abovementioned provision, the measures adopted in self-defence must also observe the conditions of necessity and proportionality.25 The Tallinn Manual also contains a rule conditioning self-defence to necessity and proportionality. Regarding necessity it should be assessed whether there are (or not) alternative courses of action that do not rise to the level of a use of force, that are sufficient to repel the attack.26 Once the use of force is concluded to be necessary, proportionality permits assessing how much force is permissible. Rule 15 of the Tallinn Manual goes further than article 51 of UNC and seems to expressly allow anticipatory self-defence.27

Finally, it should be highlighted that private individuals and armed groups are excluded from the scope of article 2(4) of the UNC. In such case, cyber operations may be unlawful (domestically or even internationally) but won’t amount to a violation of the prohibition on the use of force. Nevertheless, article 2(4) will be applicable when the cyber operations conducted by such actors are attributable – under the law of state responsibility – to a state, given that it would be accountable for the violation.
This would be the case – which will be examined below – where an organized group of Patriotic Hackers conducts cyber operations under the direction and control of the State.

22 Ibid
23 For instance when acting on behalf of a state
24 Rule 17 of the Tallinn Manual
25 Ibid, § 194
26 Commentaries on Rule 14 of the Tallinn Manual
27 Gill, T. D. and Ducheine, P. A. L. also consider that there can be anticipatory self-defence and this can take the form of simultaneous cyber operations and kinetic conventional attack or one of each. See Gill, T. D. and Ducheine, P. A. L., Anticipatory Self-Defense in the Cyber Context, International Law Studies, Vol 89, 2013 [438-471]


2.2. Jus in bello

Regarding jus in bello, a first question arises as to which law is applicable to cyber armed conflicts. As a matter of fact, none of the international humanitarian law treaties foresee application to cyber warfare operations, which can be easily explained by the fact that cyber warfare is a very recent phenomenon. Here, it seems adequate to follow the reasoning of the ICJ, which found that the Law of Armed Conflict principles apply “to all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future.”28 Thus it should be concluded that cyber armed conflict, in the absence of a specific legal instrument with binding force, such as an international treaty, is regulated by the International Humanitarian law rules and principles. Therefore this thesis shall recall important principles of the IHL and International Customary law.

Aside from that, in 2012 an International Group of Experts – at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence – prepared an important document regarding the subject discussed in the present work: the “Tallinn Manual on the International Law Applicable to Cyber Warfare.” Although it is doctrine and not legally binding, it addresses comprehensively the question of the applicability of law within the cyber operations context, hence it will also serve as a basis for the present work.

One final note should be added regarding the question of the law applicable to cyber armed conflict. Even if it were not possible to conclude that IHL rules and principles were applicable de jure to cyber warfare, that would not imply some kind of legal vacuum.
In that case the “Martens Clause” would always be applicable, according to which “Until a more complete code of the laws of war has been issued, the High Contracting Parties deem it expedient to declare that, in cases not included in the Regulations adopted by them, the inhabitants and the belligerents remain under the protection and the rule of the principles of the law of nations, as they result from the usages established among civilized peoples, from the laws of humanity, and the dictates of the public conscience.”29

28 ICJ, 8-07-1996, Legality of the threat or use of nuclear weapons, Advisory Opinion, § 86 [online]
29 Preamble of the 1907 Hague Convention IV. See also article 63 of the Geneva Convention I, article 62 of the Geneva Convention II, article 142 of the Geneva Convention III and article 158 of the Geneva Convention IV.


2.2.1. International and non-international cyber armed conflict

Armed conflicts have historically been classified as international or non-international. According to Rule 22 of the Tallinn Manual, “an international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations, occurring between two or more states.”30 This definition follows closely the one provided by Common Article 2 of the 1949 Geneva Conventions and customary law. From the mentioned definition, two conditions are required for an international armed conflict to exist. First, it must be international in the sense that two different States must be party to the conflict on opposing sides.31 Aside from this an armed conflict can also be international when “peoples are fighting against colonial domination and alien occupation and against racist régimes in the exercise of their right of self-determination”32, provided that the State is a party to the AP I. Second, an international armed conflict must also be “armed”, which means that there must be hostilities between the states involved, with kinetic and cyber, or stand-alone cyber, operations. Regarding the threshold of required violence that must be attained in order to classify the conflict as such, evaluation of the incidents must be made on a case-by-case basis.

The Tallinn Manual provides in Rule 23 that “A non-international armed conflict exists whenever there is protracted armed violence, which may include or be limited to cyber operations, occurring between governmental armed forces and the forces of one or more armed groups, or between such groups. The confrontation must reach a minimum level of intensity and the parties involved in the conflict must show a minimum degree of organization.” The rule closely follows customary international law and the Common Article 3 of the 1949 Geneva Conventions. Accordingly, non-international armed conflicts are protracted armed violence between governmental authorities and organized armed groups or between such groups within a State. Note two basic requirements for the existence of a non-international armed conflict: the “armed violence must be of sufficient intensity and the parties must be sufficiently organized.”33 The ICTY case law established some indicative factors of intensity34 and organization35 criteria.

30 This definition follows closely the definition provided by common article 2 of the 1949 Geneva Conventions and customary law.
31 The required stateness opposition does not mean that non-state actors cannot, under certain conditions, participate in international armed conflicts. This will be dealt with further. See Chapter 3.2
32 Article 1(4) of the Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977.

As to the geographical scope of non-international armed conflicts, also note that “the fact that an armed conflict is not limited to the territory of a single state does not mean, without more, that a non-international armed conflict changes its character and is to be considered international.”36 That may be the case of the so-called transnational armed conflicts. The distinction between international and non-international armed conflicts “rests on the question who the parties to the armed conflict are.”37 Thus a cyber operation may be conducted by an organized group from the territory of another State without this fact alone meaning a change of the classification of the conflict.

2.2.2. Personal status

There is no prohibition of anyone participating in hostilities. The Tallinn Manual restates this customary law principle in its Rule 25. Nevertheless the law of armed conflicts stipulates consequences of the participation, namely combatant immunity, prisoner of war status and targetability. International Humanitarian Law devises different personal statuses, depending on the nature of the armed conflict.

33 Jann K. Kleffner. 2014, Scope of Application of International Humanitarian Law, in The Handbook of International Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press [49]
34 In Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj, IT-04-84-T, ICTY Appeals Chamber, Judgement, 3 April 2008, para. 49 as to intensity included such factors as “the number, duration and intensity of individual confrontations; the type of weapons and other military equipment used; the number and calibre of munitions fired; the number of persons and type of forces partaking in the fighting; the number of casualties; the extent of material destruction; and the number of civilians fleeing combat zones”
35 In Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj, IT-04-84-T, ICTY Appeals Chamber, Judgement, 3 April 2008, para. 60 as to organization included such factors as “indicative factors include the existence of a command structure and disciplinary rules and mechanisms within the group; the existence of a headquarters; the fact that the group controls a certain territory; the ability of the group to gain access to weapons, other military equipment, recruits and military training; its ability to plan, coordinate and carry out military operations, including troop movements and logistics; its ability to define a unified military strategy and use military tactics; and its ability to speak with one voice and negotiate and conclude agreements such as cease-fire or peace accords.”
36 Jann K. Kleffner. 2014, Scope of Application of International Humanitarian Law, in The Handbook of International Humanitarian Law, ed. Dieter Fleck, Oxford: 3rd Revised Edition, Oxford University Press [50]
37 ibid


In International Armed Conflicts two statuses exist: combatants and civilians. Combatants comprise two groups: (i) the regular armed forces38, essentially the state armed forces, and (ii) “members of other militias and members of other volunteer corps, including those of organized resistance movements, belonging to a Party to the conflict and operating in or outside their own territory, even if this territory is occupied”39 provided that they satisfy the conditions prescribed in article 13 (2) of the Geneva Convention I. Qualifying as combatants means entitlement to combatant immunity and prisoner of war status. Civilians are defined in negative terms as “all persons who are neither members of the armed forces of a party to the conflict nor participants in a levée en masse (…) and, therefore, entitled to protection against direct attack unless and for such time as they take a direct part in hostilities.”40

In the context of non-international armed conflicts there is no combatant status. Civilians are “all persons who are not members of State armed forces or organized armed groups of a party to the conflict … and, therefore, entitled to protection against direct attack unless and for such time as they take a direct part in hostilities.”41 So, as opposed to civilians who do not participate in hostilities, there are state-led armed forces and also non-state organized armed groups which are the non-state actor armed forces.

2.2.3. Direct participation in hostilities

2.2.3.1. Requirements

According to the ICRC Interpretive Guidance on the Notion of Direct Participation in Hostilities, “Acts amounting to direct participation in hostilities must meet three cumulative requirements: (1) a threshold regarding the harm likely to result from the act, (2) a relationship of direct causation between the act and the expected harm, and (3) a belligerent nexus between the act and the hostilities conducted between the parties to an armed conflict.”42 The Commentaries on Rule 35 of the Tallinn Manual show the International Group of Experts agreed to such requirement criteria.

38 According to article 13 (1) Geneva Convention I, include “Members of the armed forces of a Party to the conflict as well as members of militias or volunteer corps forming part of such armed forces”
39 See article 13 (2) of the Geneva Convention I
40 Melzer, N., Interpretive guidance on the notion of Direct Participation in Hostilities under International Humanitarian Law, ICRC, May 2009, p. 26
41 Melzer, N., Interpretive guidance on the notion of Direct Participation in Hostilities under International Humanitarian Law, ICRC, May 2009, p. 26

As to meeting the first requirement – threshold of harm – two alternatives are possible. The cyber operation must affect (or be intended to affect) the enemy military capabilities or operations, it not being necessary that the act causes injury or death to persons or destruction to objects. Alternatively, the threshold of harm may also be met when the attacks are conducted against protected objects or persons and result, respectively, in destruction or injury and death.43 In practice, whenever a cyber-attack causes (or is likely to cause) destruction or damage to military infrastructure, thereby diminishing the military capabilities of the adversary, it will meet the threshold.

As mentioned previously there must also exist a relation of direct causality between the act and the harm. For this second requirement to be met the harm must be the consequence of the particular cyber-attack.44 Finally, for an action to qualify as direct participation in hostilities there must also be a belligerent nexus. This means that the operation must be linked to hostilities to the benefit of one party and consequently to the detriment of the other.

Once the three abovementioned requirements are met the conduct of an individual can be qualified as direct participation in hostilities. On the other hand, cyber operations that do not meet all of the defining requirements may have a criminal nature, but have no relevance in the framework of the law of armed conflicts. As a consequence of qualification of conduct as direct participation in hostilities, individuals lose the protection against direct attack to which civilians are entitled, insofar and as long as the participation lasts.

2.2.3.2. Temporal extension

As mentioned above, the suspension of protection from direct attack lasts for as long as civilians participate in hostilities. The question that arises is: when does participation start and end?

42 Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under international humanitarian law, May 2009, ICRC [50]
43 Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under international humanitarian law, May 2009, ICRC [51]
44 The Commentary on rule 35 of Tallinn Manual gives as an example “the disruption to the enemy’s command and control is directly caused by the cyber attack”

First, the nature of cyber-attacks having “delayed effects” should be considered, where the action may not coincide with the moment when the related damage occurs. As such, it makes sense to follow the position (of the majority) of the International Experts Group expressed in the Commentaries of Rule 35 of the Tallinn Manual, according to which “the duration of an individual’s direct participation extends from the beginning of his involvement in mission planning to the point when he or she terminates an active role in the operation.”45

Another question concerns a situation of multiple and repeated cyber-attacks conducted by an individual: whether the entire period of the attacks or the period of each attack should be considered as direct participation in hostilities. Reducing direct participation in hostilities to the temporal extension of each cyber-attack opens the door for civilians to lose and regain civilian protection in between the attacks (the “revolving door” of civilian protection). Such a position can be considered as opening the door for abuse on the part of civilians. Nonetheless, the conducting of one cyber-attack does not allow a presumption of additional future cyber-attacks, and the future conduct of an individual cannot be predicted. Thus the most adequate position seems to be the one considering that direct participation in hostilities only exists for as long as each cyber-attack period takes place.46

2.2.4. Possibility of stand-alone cyber-attacks?

As already observed supra, the International Experts Group supported the view that cyber operations alone have the potential of rising to the threshold of an armed conflict, and thus International Humanitarian Law would be applicable. Even so, as of today there has not been an armed conflict wherein a party to the conflict resorted exclusively to the use of cyber weapons. In this regard Sheldon asseverates that “The real threat lies not in stand-alone cyber attacks, but in cyber attacks accompanied by attacks and other actions in the physical realm”47 and thus considers cyber-attacks as only “meaningful when coupled with other, more traditional, threats.”48

Given the impossibility of predicting the evolution of cyber weapons and present-day society’s increasing dependency on technology, such a position seems quite conservative. A less restrictive approach might perhaps be more open to future possibilities. In line with Terry Gill (et al.), it seems acceptable that, while unlikely, “the possibility of a stand-alone cyber attack, that is, one not occurring in conjunction with an attack employing traditional kinetic force, rising to the level of an armed attack cannot be ruled out”.49 This means that it should not be denied that, insofar as a future cyber-operation meets the (abovementioned) conditions, it may rise to the threshold of armed conflict.

As an example of a stand-alone cyber operation that could potentially turn into armed conflict, major concern surrounds the threat of cyber-attacks that could disrupt the US electric power grid, resulting in serious economic and national security consequences.50 On a related note, the Industrial Control Systems Cyber Emergency Response Team (ICSCERT) reported 198 cyber incidents against critical infrastructure sectors alone during 2012. Of those incidents, 41% were related to the energy sector.51 Even with these recorded instances, no large-scale cyber-operation has yet been carried out (at least none publicly known).

What has been seen so far are cyber operations in conjunction with conventional kinetic armed attacks. In the previously mentioned case of the Russia-Georgia conflict, the conventional kinetic armed attack was accompanied by cyber operations allegedly conducted by Patriotic Hackers against Georgian governmental and media websites. However, those cyber operations did not meet the threshold of a cyber-attack since they only resulted in defacement of targeted websites.

Another situation, as identified by Terry Gill (et al.), does present a case of combined cyber and kinetic force operations having been used: “in Operation Orchard, when Israel carried out an airstrike against the Al-Kibar nuclear facility in northern Syria in September 2007.”52 Reportedly, Israel conducted cyber operations to disrupt the Syrian national air defence system and thus successfully enabled an Israeli airstrike.53 Therefore, while not ruling out the possibility of stand-alone cyber operations in the future, the present expectation is that cyber-attacks will accompany conventional kinetic attacks.

45 Commentary on rule 35 of Tallinn Manual
46 In this way, Melzer, N., Interpretive guidance on the notion of Direct participation in hostilities under international humanitarian law, May 2009, ICRC [71]
47 Sheldon, J. B., State of the Art: Attackers and Targets in Cyberspace, Journal of Military and Strategic Studies, Volume 14, Issue 2, 2012, p. 18 [online via http://ww.w.jmss.org/jmss/index.php/jmss/article/viewFile/462/458]
48 Ibid
49 Gill, T. D. and Ducheine, P. A. L, Anticipatory Self-Defense in the Cyber Context, International Law Studies, Volume 89, 2013, p. 459-460 [online via http://dare.uva.nl/document/2/135180]
50 Robert Lenzner, Chinese Cyber Attack Could Shut Down U.S. Electric Power Grid [online via http://www.forbes.com/sites/robertlenzner/2014/11/28/chinese-cyber-attack-could-shut-down-u-s-electric-power-grid/]
51 InfoSecurity, National Electric Grid Remains at Significant Risk for Cyber-attack [online via http://www.infosecurity-magazine.com/news/national-electric-grid-remains-at/]
52 Gill, T. D. and Ducheine, P. A. L, Anticipatory Self-Defense in the Cyber Context, International Law Studies, Volume 89, 2013, p. 459-460 [online via http://dare.uva.nl/document/2/135180]; Daveed Gartenstein-Ross & Joshua D. Goodman, The Attack on Syria's al-Kibar Nuclear Facility, INFOCUS QUARTERLY, Spring 2009, [online via http://www.jewishpolicycenter.org/826/the-attack-on-syrias-al-kibar-nuclear-facility]
53 David A. Fulghum & Douglas Barrie, Israel Used Electronic Attack in Air Strike Against Syrian Mystery Target, AVIATION WEEK, Oct. 8, 2007 [online via http://www.freerepublic.com/focus/f-news/1908050/posts]

3. Patriotic Hackers

3.1. Characterization

As indicated in the Introduction chapter, Holt and Schell advance a definition according to which Patriotic Hackers are “citizens and expatriates engaging in cyber-attacks to defend their mother country or country of ethnic origin.”54 Similarly, Dinniss qualifies patriotic hackers as those “individuals and groups motivated by national and political aims”55 that conduct cyber-attacks. According to the quoted definitions, Patriotic Hackers are therefore individuals who, having ties of allegiance towards a certain country (of nationality or ethnically related), conduct politically motivated cyber-attacks against perceived enemies of that country, in the name of a sense of patriotism, against threats or attacks by those perceived enemies.

While in principle Patriotic Hackers conduct cyber operations independently and of their own will, sometimes there can be – as dealt with below – some sort of connection with the country on behalf of which the cyber-attacks are conducted. Several examples of Patriotic Hackers can be given: the Nashi Youth from Russia; the Red Alliance from China; and the from Syria.

Patriotic Hackers are distinguishable from other cyber actors. For instance, while Patriotic Hackers’ main concern is the defence of the country to which their patriotism is devoted, Hacktivists (such as “”) are moved by political causes, human rights, and open access to information.56 In practice Hacktivists distinguish themselves from Patriotic Hackers by the absence of a sense of patriotism (at least an exclusive one), in that their political motivations may actually be aimed at national authorities of the country of nationality or ethnic relation.57 Hacktivists are essentially activists who hack with the purpose of defending certain social issues.

It is questionable whether Cybercaliphate (the cyber arm of the Islamic State of Iraq and Syria – hereafter ISIS) should be qualified as a Patriotic Hacker. In some sense Cybercaliphate could be considered as having motivations similar to those of Patriotic Hackers: conducting cyber-attacks against perceived enemies of the State. However, the motivation of Cybercaliphate is mostly (if not totally) the expansion and defence of their religion. Political motivations are relegated to a consequential level. Even though ISIS is a State in terms of International law, is it more so an organized armed group? From a strictly (more or less) formal perspective – and independent of the question of international recognition – ISIS should not be qualified as a State, at least in the sense of the 1933 Montevideo Convention58, given that the criteria for statehood are not fulfilled. ISIS is an organized armed group. Thus the mentioned cyber arm of ISIS should not be qualified as a Patriotic . Denning considers the Cybercaliphate as an entity parallel to Hacktivists and Patriotic Hackers.59

Regarding the organization and execution of cyber operations, Patriotic Hackers can act individually or as a group. The manner of organization of cyber-attacks can have legal consequences, as will be seen below. Regarding the organization and potential damage of attacks, there is no consensus. On one hand, some (probably alarmist60) media claim that one individual alone has the technological ability to bring down the entire network of a country61; according to other entities, “the most comprehensive of cyber attacks against a nation would be a substantial operation. The simultaneous targeting of an entire country’s most crucial government and critical infrastructure networks would be enormously complicated, and would likely require the type of resources only a state could leverage.”62

In assessing the organization of cyber operations and attacks, the sections to follow will review the scenarios in which Patriotic Hackers have, or do not have, a relationship with the home State. In the case where Patriotic Hackers lack state sponsorship, further review will evaluate two subgroups: organized armed groups, and individuals and unorganized armed groups.

54 Holt, T. J. and Schell, B. H., Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, New York: Information Science Reference, 2011 [online via New York: Information Science Reference, 2011]
55 Harrison Dinniss, H. 2013, Participants in Conflict – Cyber Warriors, Patriotic Hackers and Laws of War, in International Humanitarian Law and the Changing Technology of War, ed. Dan Saxon, Martinus Nijhoff [251]
56 For a more profound analysis on the difference between Hacktivists and Patriotic Hackers see Dahan, M. Hacking for the homeland: Patriotic Hackers Versus Hacktivists in Proceedings of the 8th International Conference on Information Warfare and Security (ICIW 2013), ed. Doug Hart, Academic Conferences and Publishing International Limited, 2013 [55]
57 A practical example of the difference between Hacktivists and Patriotic Hackers is the one when th3j35t3r () – a known US Patriotic Hacker – attacked Wikileaks, following the release of a collection of secret U.S. government documents. See, Neil J. Rubenking, Wikileaks Attack: Not the First by th3j35t3r, PCMAG, [online via http://www.pcmag.com/article2/0,2817,2373559,00.asp]
58 For instance ISIS lacks a defined territory and it is very doubtful whether it has the capacity to enter into relations with other countries.
59 Denning, D. E., Cyber Conflict as an emergent Social Phenomenon in Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, (ed. Thomas J. Holt et al.) New York: Information Science Reference, 2011 [172]
60 At least given what we have witnessed so far.
61 Cristen Conger, Could a single hacker crash a country’s network? [online via http://computer.howstuffworks.com/hacker-crash-country-network1.htm]

3.2. Patriotic Hacking attacks

Regarding the kind of attacks conducted by Patriotic Hackers, so far they have typically been limited to Web Defacements63, Distributed Denial of Service Attacks64 and Attacks65. The following non-exhaustive list gives some examples of politically motivated attacks conducted by Patriotic Hackers.

| Victim State | Nationality of Hacker (or Group) | Type of Attack | Description |
| U.S.A. | Chinese | DDoS | In 1999, following the US accidental bombing of the Chinese embassy in Belgrade, Web sites at the departments of Energy and the Interior and the National Park and www.whitehouse.gov were the object of attack.66 |
| US/China | Honkers Union of China/US (or ally) Hackers | Web Defacement | Following an incident involving a US spy plane and a Chinese Jet Fighter, 80 US and 100 Chinese web sites were defaced.67 |
| Estonia | Russian | DDoS | Following a decision of the Estonian Authorities to relocate the Bronze Soldier Soviet war memorial in Tallinn, allegedly Russian Hackers, during a three week period (allegedly) targeted Estonian governmental, private and media websites through a series of DDoS attacks.68 |
| Georgia | Russian Business Network | DDoS and Web defacement | In 2008, simultaneously with the conventional armed conflict that opposed the Russian Federation and Georgia over South Ossetia, Georgia governmental and media websites were the object of defacement and DDoS attacks.69 |
| U.S.A. | Syrian Electronic Army | Web defacement | In 2013 the Syrian Electronic Army, in the face of the possibility of US Marines being drawn into the civil war in Syria, defaced the US Marines Corps web site.70 |

The question is whether these attacks qualify as cyber-attacks that reach the threshold of a cyber armed conflict. The answer, as will be seen below, is negative. But then when do cyber-attacks (alone) reach such a threshold?

62 Alexander Klimburg (ed.), National Cyber Security Framework Manual, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia, 2012
63 Website defacement is an attack on a website that changes the visual appearance of the site or a webpage.
64 A DoS attack is a malicious attempt by a single person or a group of people to cause the victim, site, or node to deny service to its customers. When this attempt derives from a single host of the network, it constitutes a DoS attack. When it derives simultaneously from multiple malicious hosts coordinated to flood the victim with an abundance of attack packets, it is called a Distributed DoS or DDoS attack.
65 Malware is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other “bad” or illegitimate action on data, hosts, or networks. It comprises viruses, worms, Trojans, and bots.
66 Ellen Messmer, Kosovo cyber-war intensifies: Chinese hackers targeting U.S. sites, government says, CNN [online via http://edition.cnn.com/TECH/computing/9905/12/cyberwar.idg/]
67 Sarah Left, Chinese and American hackers declare 'cyberwar', The Guardian [online via http://www.theguardian.com/technology/2001/may/04/china.internationalnews]
68 Ian Traynor, Russia accused of unleashing cyberwar to disable Estonia, The Guardian [online via http://www.theguardian.com/world/2007/may/17/topstories3.russia]
69 Jon Swaine, Georgia: Russia 'conducting cyber war', The Telegraph [online via http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html]
70 David Gilbert, Syrian Electronic Army Cyber Attacks Continue With US Marines Hack, IBTimes [online via http://www.ibtimes.co.uk/syrian-electronic-army-hacks-marine-website-hacked-503037]

3.3. Standalone Patriotic Hacking reaching the level of armed conflict?

3.3.1. International Armed Conflict

As mentioned above, an IAC is an armed conflict that opposes two or more states. In light of that, it seems accurate to say that Patriotic Hacking will only trigger an IAC when the cyber operations conducted by the hackers are state sponsored and thus attributable to the state.71 Additionally, it would be necessary for the cyber-attacks conducted by the Patriotic Hackers to reach a certain degree of violence against the adversary.72 That would be the case where the cyber-attack resulted in damage or physical injury.

Another question is the required duration of the violence. In this regard the International Experts Group was divided. While some considered that a single cyber operation that caused “a fire to break out at a small military installation would suffice to initiate an international armed conflict.”, others were of the view that “a single cyber incident that causes only limited damage, destruction, injury or death would not necessarily initiate an international armed conflict”.73 A cyber-attack aimed at the critical national infrastructure – such as the national power grid74 – causing severe damage to it and eventual destruction would suffice to meet the threshold of an armed attack.

The fact is that to date no (solely) cyber international armed conflict has happened. As was mentioned before, none of the attacks listed in Chapter 3.2 met such a threshold. While the DDoS attacks in those cases were directed towards taking down websites, they can also be targeted at servers or networks. Some believe that through DDoS attacks it is possible to disrupt “industrial control systems such as supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs)” or (at least) facilitate secondary attacks (for instance by implanting malware).75 76

71 See Rule 149 of IHL Customary International Law. The attribution to the state of the responsibility for operations conducted by a non-state actor shall also be dealt with infra in Chapter 4.2.
72 Article 49(1) AP I
73 See Commentaries to Rule 22 of Tallinn Manual
74 The NSA Director already manifested that at least China has the ability to take down US power grids. See Ken Dilanian, NSA Director: Yes, China Can Shut Down Our Power Grids, Business Insider [online via http://uk.businessinsider.com/nsa-director-yes-china-can-shut-down-our-power-grids-2014-11?r=US]
75 See Sahba Kazerooni, The Growing Threat of Denial-of-Service Attacks, Electric Light & Power, [online via http://www.elp.com/articles/powergrid_international/print/volume-20/issue-2/features/the-growing-threat-of-denial-of-service-attacks.html]


Notwithstanding what so far has been said, it seems that the assessment on whether a conflict reaches the threshold of a cyber armed conflict has to be made on a case by case basis.

3.3.2. Non-International Armed Conflict

Regarding NIAC, a first distinction should be established. Under AP II a NIAC is one which, taking place in the territory of a High Contracting Party, opposes its “armed forces to a dissident armed forces or other organized armed groups which, under responsible command, exercise such control over a part of its territory as to enable them to carry out sustained and concerted military operations”.77 Given that cyber operations alone are insufficient to constitute physical control over a territory, a standalone Patriotic Hacking operation reaching the threshold of a NIAC is not possible under AP II.

However, Common Article 3 does not require physical control of the territory. Two situations can be devised: (i) a NIAC where Patriotic Hacking operations are conducted against a rebel armed group; and (ii) a NIAC where Patriotic Hackers – not acting on behalf of their country or homeland78 – attack another country.

The threshold of Common Article 3 is lower than the one established by AP II. Under Common Article 3, whether a NIAC exists depends on the level of violence taking place and the degree of organization of the parties to the conflict. For the threshold to be met, as developed in the Tadic case, protracted armed violence between organized armed groups and/or a State is required. It should be noted that a sporadic cyber-attack will not meet the threshold, rising only to the level of internal disturbances. Continuity of violence is also required.

The group must also be an organized armed group. For that purpose, “armed” should be understood as having the ability to conduct cyber-attacks, whereas “organized” implies a certain organizational structure and coordinated action towards a common objective. The organization criterion always has to be assessed on a case by case basis.

76 ICS are command and control networks and systems designed to support industrial processes – for instance SCADA (Supervisory Control and Data Acquisition) systems. They allow local field operations, such as opening and closing valves and monitoring and controlling the local conditions, to be controlled from a remote location.
77 Article 1(1) AP II
78 Otherwise – if acting on behalf of – the conflict is internationalized


In the case of a NIAC where Patriotic Hacking operations are conducted against a rebel cyber armed group, one practical example would be cyber-attacks directed towards disrupting the communication ability of the rebel groups, for instance by destroying their computers or network communications. On the other hand, in a NIAC where Patriotic Hackers – not acting on behalf of their country or homeland79 – attack another country, a practical example could be the one (already mentioned above regarding IAC) of conducting cyber-attacks against the National Critical Infrastructure (e.g., telecommunications and electrical power grids) with such violence that they are able to disrupt or destroy it.

3.4. State sponsored Patriotic hackers

As previously mentioned, the legal status of combatant essentially comprises two groups: (i) the regular armed forces80 – essentially the state armed forces – and (ii) “members of other militias and members of other volunteer corps, including those of organized resistance movements, belonging to a Party to the conflict and operating in or outside their own territory, even if this territory is occupied”81 provided that they satisfy the following conditions: “(a) commanded by a person responsible for his subordinates; (b) having a fixed distinctive sign recognizable at a distance; (c) carrying arms openly; and, (d) conducting their operations in accordance with the laws and customs of war.”82

Accordingly, a group of civilian hackers that conducts cyber operations with state sponsorship could be included in the second category of combatants, as irregular armed forces. Of course, to be considered as such, the abovementioned conditions have to be fulfilled. Insofar as they fulfil the mentioned conditions, one could mention as an example the case of China recruiting unpaid civilians from the hacker community and high tech companies into their cyber militia.83 Another example is the Estonian Cyber Defence League – “an all-volunteer paramilitary force dedicated to maintaining the country's security and preserving its independence.”84 – which includes not only government agencies but also private specialists.

Regarding the condition that a group is commanded by a person responsible for the subordinates, this is likely a somewhat natural consequence of the organization of a group. The fact that the “cyber” group is only virtual and has no physical contact does not necessarily mean that the condition is not fulfilled. Insofar as there is organization85 and a “chain of command” exists, it could be argued that the condition of leader responsibility is fulfilled.

As to the condition of bearing a distinctive sign, this corresponds to the undisputed customary rule of International Humanitarian Law that combatants must distinguish themselves from the civilian population. This requirement is a rule of customary international law, which has been codified in the Geneva Convention III86 and the Additional Protocol I87.

The final condition for combatant status is the obligation of conducting operations in accordance with the laws and customs of war. Without prejudice to such obligation, there can be cases of violation of the Law or Customary Law by certain individuals within the group – as may also happen within conventional warfare. Failure by individuals to comply with the obligation of respecting the law does not mean that they lose their legal status of combatants, but only that they may be tried for their actions, namely for war crimes.

The concept of Civilian Hackers sponsored by the State could at some point be confused with the concept of mercenaries. Article 47 (2) of the Additional Protocol I88 defines the concept of mercenary. Without dwelling too much on this particular topic: Patriotic Hackers are individuals who, having ties of allegiance towards a certain country (of nationality or ethnically related), conduct politically motivated cyber-attacks against perceived enemies of that country, in the name of a sense of patriotism. Given that their motivation is not private monetary gain, no such confusion should arise.

As will be discussed below, the fact that states sponsor the conduct of cyber operations will have important consequences, namely the eventual accountability of those states for wrongful acts resulting from such operations.

Based on the information provided, it should be concluded that whenever Patriotic Hackers are conducting cyber operations that are state-sponsored, and insofar as the conditions prescribed in article 13 (2) of the Geneva Convention I are met, the hacker parties should be considered as irregular armed forces. In such a case, Patriotic Hackers should be recognized under the legal status of combatants, thus being entitled to all the rights and obligations of such status, for instance prisoner of war status. In cases where the conditions of the abovementioned provision are not met, the Patriotic Hacker, even if state-sponsored, does not attain combatant status.

80 According to article 13 (1) Geneva Convention I, include “Members of the armed forces of a Party to the conflict as well as members of militias or volunteer corps forming part of such armed forces”
81 See article 13 (2) of the Geneva Convention I
82 Ibid
83 Anthony Capaccio, China Most Threatening Cyberspace Force, U.S. Panel Says [online via http://www.bloomberg.com/news/articles/2012-11-05/china-most-threatening-cyberspace-force-u-s-panel-says]; Shannon Tiezzi, China (Finally) Admits to Hacking [online via http://thediplomat.com/2015/03/china-finally-admits-to-hacking/?utm_content=buffer5af99&utm_medium=social&utm_source=.com&utm_campaign=buffer]; Mandiant, APT1 Exposing One of China’s Cyber Espionage Units [online via http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf]
84 Tom Gjelten, Volunteer Cyber Army Emerges In Estonia [online via http://www.npr.org/2011/01/04/132634099/in-estonia-volunteer-cyber-army-defends-nation]
85 The concept of organization shall be discussed in detail infra. See Chapter 3.3.1
86 See article 4 (A)
87 See article 44(3)
88 A mercenary is “any person who: (a) is specially recruited locally or abroad in order to fight in an armed conflict; (b) does, in fact, take a direct part in the hostilities; (c) is motivated to take part in the hostilities essentially by the desire for private gain and, in fact, is promised, by or on behalf of a Party to the conflict, material compensation (…); (d) is neither a national of a Party to the conflict nor a resident of territory controlled by a Party to the conflict; (e) is not a member of the armed forces of a Party to the conflict; and (f) has not been sent by a State which is not a Party to the conflict on official duty as a member of its armed forces.”

3.5. Non-State sponsored Patriotic Hackers 3.5.1. Organized Armed Groups The concept of organized armed groups (hereafter, OAG) is of utmost importance within non-international armed conflicts; which exist when there is protracted armed violence between governmental authorities and organized armed groups or between such groups within a State.89 The threshold of a NIAC is met with certain intensity of hostilities and involvement of an organized armed group As previously noted, the ICTY jurisprudence identifies some factors that can help assess the required intensity and organization of the armed group.90 In assessing required intensity of hostilities, within the cyber realm has yet to occur any stand-alone cyber operations conducted by non-State actors that rise to the level of triggering a non-international armed conflict; although the future possibility of such should not be ruled out. Certainly, governmental website defacements – as those that have been carried out thus far - do not suffice to meet the requirements of intensity. Regarding the required organization criteria, hackers who work individually (or autonomously) can immediately be dismissed from consideration. Remaining, the

89 Prosecutor v. Tadic, IT-94-1, ICTY Appeals Chamber, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, 2 October 1995, para. 70 90 See supra chapter 2.2.1

31

“Patriotic Hackers”: Non-State Actors fighting wars for the states?

International Experts Group devised two categories: groups of individuals that operate “collectively” and those that operate “cooperatively”. The former would be the case of those who lack coordination in conducting attacks despite acting simultaneously and with a shared purpose. The latter would be the case of those who have such coordination or as the International Experts Group describe : “a distinct online group with a leadership structure that coordinates its activities by, for instance, allocating specified cyber targets amongst themselves, sharing attack tools, conducting cyber vulnerability assessments, and doing cyber damage assessment to determine whether ‘reattack’ is required”.91 Although it seems that this described situation would be the only case in which the organization criteria were satisfied, the collective conclusion appears to be that evaluation of meeting the organization criteria must be done on a case-by-case basis. The organization of cyber armed group is to differ from the one of conventional organized armed groups. In the Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj Case, the ICTY stated as indicative factors of organization – aside from others -, the existence of a headquarter and control of territory. Such factors are irrelevant on the qualification of the level of organization of cyber armed group. Another important difference: no physical presence and meeting is required for the existence of the organization. Nevertheless it appears that the conclusion on the satisfaction of the organization criteria depends on an evaluation on a case-by-.case basis. Within a NIAC, organized armed groups are understood as the armed forces of the non-state actor. 
Thus, Patriotic Hackers who are members of an organized armed group, “whose continuous function involves the preparation, execution, or command of acts or operations amounting to direct participation in hostilities are assuming a continuous combat function”.92 Therefore in the case of organized armed groups the participation in hostilities does not qualify as DPH. But it is not only in NIAC that organized armed groups may have relevance while conducting cyber operations. During an IAC, Patriotic Hackers as an organized armed group not belonging to a party of the conflict could conduct cyber-attacks against another party to the conflict. In such scenario, given that they didn’t belong to any of

91 Commentary on Rule 23 of the Tallinn Manual
92 Melzer, M., Interpretive guidance on the notion of Direct Participation in Hostilities under International Humanitarian Law, ICRC, May 2009, p. 34


the parties in the conflict, they would not be seen as part of those armed forces. Therefore they would retain a civilian status. Thus, insofar as the conditions are met, civilians involved with an organized armed group that does not belong to a party of the conflict, but engages in hostilities, would be in DPH.

As earlier discussed in the Introduction chapter, during the conflict that opposed the Russian Federation and Georgia over South Ossetia – simultaneously with a conventional armed conflict conducted by both States, which qualified as an IAC – several Distributed Denial of Service (DDoS) cyber-attacks were conducted against Georgian network servers, consequently disrupting many (governmental and media) websites. These cyber-attacks – according to public reports – were carried out by groups of hackers (namely the RBN) without any connection to the state.93 Russian authorities denied allegations of linkage. However, regarding the nature of the cyber-attacks conducted, the threshold of a cyber armed conflict was not met. Thus the actions conducted by the RBN were not relevant under International Humanitarian Law.

3.5.2. Unorganized Armed Groups or individuals

A third category comprises armed groups that do not satisfy the organization criteria and hackers that act individually. As a matter of fact, Patriotic Hackers may also act and conduct cyber operations, individually or as an unorganized armed group, only on the basis of their beliefs, namely, the defence of their homeland or ethnic origins, and without any support from or cooperation with other individuals or sponsorship by the State. The participation of those in hostilities has important consequences. For instance, if an individual participates in hostilities, then for as long as that participation takes place the protection against being targeted is lost. But when should the actions conducted by patriotic hackers during armed conflicts be qualified as DPH? As already stated above94, three requirements must be met: a threshold of harm; there must be a relation of direct causality between the act and the harm; and there must also be a belligerent nexus. In practice this means that cyber operations conducted by unorganized armed groups or individuals will be qualified as DPH

93 John Markoff, Before the Gunfire, Cyberattacks, The New York Times [online via http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0]
94 See chapter 2.2.3


whenever they conduct cyber operations, on behalf of one party to the conflict, that either were intended to affect or did affect the enemy's military capabilities or operations (it not being necessary that the act cause injury or death to persons or destruction to objects) or, alternatively, the attacks must be conducted against protected objects or persons and result, respectively, in destruction or in injury and death, the resulting harm being a consequence of the cyber-attack. Such would be the case if an unorganized group conducted a cyber-attack, within a NIAC, against a rebel armed group, aimed at destroying that group's communications equipment and in that way disrupting it.


4. Attribution and legal responsibility for cyber attacks

Attribution of cyber operations is of extreme relevance for states. For instance the exercise of self-defence by a victim State is dependent upon determining who conducted the cyber-attack, meaning the individualization of the group (state sponsored) or the State that conducted such operation. While in conventional armed conflicts involving kinetic attacks such attribution is easier - given for instance that weapons and military personnel are clearly identified - within the cyber realm attribution poses a real problem. As a matter of fact, the anonymity potential of internet activity – as well as the constant development of technologies – makes the task of determining accurate attribution very difficult. Furthermore, even when some certainty can be ascertained regarding the origin of an attack, it remains questionable whether an individual acted alone or if there was any state involvement; and thus who should be considered as legally responsible? Attribution encompasses two dimensions: technical attribution and legal attribution.

4.1. Technical attribution

Technical attribution is the way by which computer forensic techniques are employed to determine the “identity or location of an attacker or an attacker’s intermediary.”95 In terms of location it may be physical, or an IP96 or MAC address97. Many problems arise in pinpointing technical attribution. For instance, in the DDoS kind of attack, a network of bot computers – which are computers infected by, for example, Trojan horses – is used, and thus an attack will appear to have multiple (intermediary) origins, so that determining the actual origin is complex. Additionally,

95 Wheeler, D. A., Techniques for Cyber Attack Attribution, Institute for Defense Analyses, October 2003 [1]
96 IP address consists of four sets of numbers from 0 to 255, separated by three dots assigned by the Internet Service Provider (ISP). IP address can be static (which is always the same) or dynamic (which changes every time the system is logged on).
97 MAC Address stands for "Media Access Control Address," and is a hardware identification number that uniquely identifies each device on a network. The MAC address is manufactured into every network card, such as an Ethernet card or Wi-Fi card, and therefore in principle cannot be changed. See


attackers may spoof their IP address, obscuring their actual location and thus blocking the discovery of the attack’s origin. Complexities aside, attribution is of utmost importance. As Glennon stated, attribution is the “ability to say “who did it” (…) that makes law work. When a transgressor can be identified, penalties can be assessed, and retaliation and deterrence are possible―and so is legal regulation. Attribution permits the target to assign responsibility. It provides the rules’ ultimate enforcement mechanism―the ever-present threat of retaliation and punishment.”98

Despite the constant evolution of attack techniques, governments and some private security corporations do seem to have at least some ability to trace the origins of cyber-attacks. As a matter of fact, the development of means to determine cyber-attack attribution appears to be of major concern.99 As an example, recently SONY was targeted with cyber-attacks reportedly because of a movie where Kim Jong-un and the North Korean regime were satirized.100 In this case, the evolution of cyber-attack attribution capability was evident, where the US (voiced by President Barack Obama) was able to attribute the attack to the Democratic People's Republic of Korea on the basis of information gathered by the NSA.101

4.2. Legal attribution

Provided it is possible to establish, via technical attribution, the authorship of a certain cyber-attack, the next step is legal attribution. In some situations even though cyber operations are conducted by private actors, they may still be attributable to the

98 Glennon, M. J., The Road Ahead: Gaps, Leaks and Drips, International Law Studies, Volume 89, 2013 [380]
99 Department of Defense, Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934, November 2011 [online via http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf] [(…) the Department seeks to increase our attribution capabilities by supporting innovative research and development in both DoD and the private sector. This research focuses on two primary areas: developing new ways to trace the physical source of an attack, and seeking to assess the identity of the attacker via behavior-based algorithms. In the near future, the Department intends to expand and deploy applications that detect, track, and report malicious activities across all DoD networks and information systems on a near real-time basis.)]
100 James Cook, Sony Hackers Have Over 100 Terabytes Of Documents. Only Released 200 Gigabytes So Far, Business Insider [online via http://uk.businessinsider.com/the-sony-hackers-still-have-a-massive-amount-of-data-that-hasnt-been-leaked-yet-2014-12?r=US]. However it should be noted that this cyber-attack does meet the threshold of cyber armed attack.
101 David E. Sanger and Martin Fackler, N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say, The New York Times [online via http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html]


State. Having identified that the core aim of Patriotic Hackers is conducting cyber operations to defend the country (to which they relate) from threats of perceived enemies, a connection to the State may exist in some circumstances. Next, situations in which a Patriotic Hacker acts in connection with the State should be examined to determine if responsibility for the cyber operation should be attributed to the State. Legal examination has to be made within the adequate legal framework. Of particular relevance to this legal framework are Article 3 of the Hague Convention IV102, Article 91 of AP I103, Rules 149104 and 150105 of Customary IHL, the ILC Articles on State Responsibility and, finally, Rule 6 of the Tallinn Manual106. Expanding on the subject of legal examination, the tripartite groupings of Patriotic Hackers will be addressed: state sponsored organized armed groups; non-state sponsored organized armed groups; and, finally, non-state sponsored unorganized groups and individuals.

4.2.1. State Sponsored

A few scenarios in which cyber operations are conducted by Patriotic Hackers that are sponsored by the state must be devised. First could be the case of Patriotic Hackers being recruited by the State. As previously mentioned, China reportedly recruits from the hacker community and high tech companies to its cyber militia.107 One such example is the PLA Unit 61398. Another example is the Estonian Defence League which, although composed of volunteers, is “part of the Defence Forces, a voluntary militarily organised national

102 “A belligerent party which violates the provisions of the said Regulations shall, if the case demands, be liable to pay compensation. It shall be responsible for all acts committed by persons forming part of its armed forces.”
103 “A Party to the conflict which violates the provisions of the Conventions or of this Protocol shall, if the case demands, be liable to pay compensation. It shall be responsible for all acts committed by persons forming part of its armed forces.”
104 “A State is responsible for violations of international humanitarian law attributable to it, including: (a) violations committed by its organs, including its armed forces; (b) violations committed by persons or entities it empowered to exercise elements of governmental authority; (c) violations committed by persons or groups acting in fact on its instructions, or under its direction or control; and (d) violations committed by private persons or groups which it acknowledges and adopts as its own conduct.”
105 “A State responsible for violations of international humanitarian law is required to make full reparation for the loss or injury caused.”
106 “A state bears international legal responsibility for a cyber operation attributable to it and which constitutes a breach of an international obligation”
107 See supra footnote 60


defence organisation operating in the area of government of the Ministry of Defence.”108 Article 13 (1) of the Geneva Convention I provides that armed forces include “members of the armed forces of a Party to the conflict as well as members of militias or volunteer corps forming part of such armed forces.” Therefore any Patriotic Hackers recruited under such circumstances would be considered as part of the armed forces and cyber operations conducted would be attributable to the State. Supporting this notion are Article 3 of the Hague Convention IV, Article 91 of AP I, Rule 149 (a) of Customary IHL and Rule 4 of the ILC ARSIWA.

Another case is when a private actor is not part of a state entity (such as the armed forces) for the purpose of Article 4 of ILC ARSIWA, but under domestic law is empowered to exercise governmental authority. In the Phillips Petroleum Co. Iran v. Islamic Republic of Iran case, the tribunal stated that “international law recognizes that a State may act through organs or entities not part of its formal structure. The conduct of such entities is considered an act of the State when undertaken in the governmental capacity granted to it under the internal law. See article 7(2) of the draft articles on State responsibility adopted by the International Law Commission, Yearbook International Law Commission 2 (1975), at p. 60. The 1974 Petroleum Law of Iran explicitly vests in NIOC “the exercise and ownership right of the Iranian nation on the Iranian Petroleum Resources”.
NIOC was later integrated into the newly-formed Ministry of Petroleum in October 1979.”109 Of note, the ILC admits that Article 5 may be applied to “public corporations, semi-public entities, public agencies of various kinds”.110 Accordingly, offensive cyber operations would be attributable to the state when conducted by Patriotic Hackers recruited by entities that were granted power to exercise governmental authority.

A third scenario to be considered is the situation when the conduct of individuals or groups of individuals was directed or controlled by the state. Article 8 of the ILC

108 See online http://www.kaitseliit.ee/en/edl
109 Iran-United States Claims Tribunal, [Phillips Petroleum Co. Iran] v. Islamic Republic of Iran, Award No. 326–10913–2, 3 November 1987, Iran-United States Claims Tribunal Reports, vol. 21 (1989), p. 79, § 89, footnote 22.
110 United Nations, Draft articles on Responsibility of States for Internationally Wrongful Acts, with commentaries 2001, [13] [online via http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf]


ARSIWA prescribes that “The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.” The situation of an entity acting under the instruction of the State is apparently easier to identify. The ILC suggests that “cases of this kind will arise where State organs supplement their own action by recruiting or instigating private persons or groups who act as “auxiliaries” while remaining outside the official structure of the State. These include, for example, individuals or groups of private individuals who, though not specifically commissioned by the State and not forming part of its police or armed forces, are employed as auxiliaries or are sent as “volunteers” to neighbouring countries, or who are instructed to carry out particular missions abroad.”

But in what case would an entity’s conduct be considered as “controlled” by the State? In other words, what is the threshold degree of “control” necessary to be met? The ICJ had the opportunity to analyse this concept of control during the judgement of the case of Military and Paramilitary Activities in and against Nicaragua (hereafter, Nicaragua case). The question posed to the Court was whether the Contras’ conduct was attributable to the US and thus whether the latter was to be held responsible for IHL breaches.
The Court took the view that “United States participation, even if preponderant or decisive, in the financing, organizing, training, supplying and equipping of the contras, the selection of its military or paramilitary targets, and the planning of the whole of its operation, is still insufficient in itself (…), for the purpose of attributing to the United States the acts committed by the contras in the course of their military or paramilitary operations in Nicaragua”111 and concluded that “For this conduct to give rise to legal responsibility of the United States, it would in principle have to be proved that that State had effective control of the military or paramilitary operations in the course of which the alleged violations were committed.”112 According to the “effective control” test, for the act to be attributable it has to be proven that the

111 ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, § 115 [online].
112 Ibid


State had participation in the planning, direction, support and execution of the armed operations.113 In the Tadic Case, the ICTY was confronted with a similar situation. The question was whether the Bosnian Serbs were or were not agents of the (now) Former Republic of Yugoslavia. Firstly to note, the case ruling distinguished between military and non-military organized armed groups and individuals.114 The ICTY rejected the “effective control” test and ruled that the “overall control” over the armed group was sufficient for the attribution of its action to a State. According to the ICTY ruling “an organised group differs from an individual in that the former normally has a structure, a chain of command and a set of rules as well as the outward symbols of authority. Normally a member of the group does not act on his own but conforms to the standards prevailing in the group and is subject to the authority of the head of the group. Consequently, for the attribution to a State of acts of these groups it is sufficient to require that the group as a whole be under the overall control of the State.”115 Furthermore the ruling establishes that “In order to attribute the acts of a military or paramilitary group to a State, it must be proved that the State wields overall control over the group, not only by equipping and financing the group, but also by coordinating or helping in the general planning of its military activity. Only then can the State be held internationally accountable for any misconduct of the group. However, it is not necessary that, in addition, the State should also issue, either to the head or to members of the group, instructions for the commission of specific acts contrary to international law.”116 Thus the ICTY “overall control” test broadens the scope of state responsibility further than for “effective control”. 
In the Application of the Convention on the Prevention and Punishment of the Crime of Genocide Case (hereafter, Genocide Case), the ICJ was again confronted with the question of the degree of control required for an action of a group to be attributable to a State. In the end the ICJ ruled against “overall control” and was of the opinion that “effective control” should prevail given that the former had “the major drawback of broadening the scope of State responsibility well beyond the fundamental principle governing the law of international responsibility: a State is responsible only for its own

113 See Grosswald, L., Cyberattack Attribution Matters under Article 51 of the U.N. Charter, Brooklyn Journal of International Law, Vol. 36, 2010-2011, [1160] [via HeinOnline]
114 The consideration of the ICTY over non-organized armed groups shall be dealt with infra in Chapter 4.2.3
115 Prosecutor v. Tadic, IT-94-1-A, ICTY Appeals Chamber, Judgement, 15 July 1999, § 120
116 Ibid, § 131


conduct, that is to say the conduct of persons acting, on whatever basis, on its behalf (…) the “overall control” test is unsuitable, for it stretches too far, almost to breaking point, the connection which must exist between the conduct of a State’s organs and its international responsibility”117

It can be concluded that whenever Patriotic Hackers engage in cyber operations under the direction or control of the State or by being issued specific instructions by the State then those operations will be attributable to the State. Conversely, whenever Patriotic Hackers engage in cyber operations on their own initiative, state responsibility will be logically excluded. As previously discussed, during the Georgia-Russia conflict cyber-attacks were conducted against Georgia, reportedly by the RBN. Although involvement of the Russian authorities was unclear, and officially denied,118 if it were to be proven that the Russian authorities indeed had effective control over such cyber-operations, then the attacks would be attributable to Russia.

4.2.2. Non-State Sponsored

4.2.2.1. Organized Armed Groups

Article 1(1) of the AP II restates the customary rule notion that armed groups shall operate under responsible command. However, the AP II was only signed by 168 States and thus only applies to conflicts that take place in the territories of those State parties. But, on another point, Article 1(1) of the AP II presupposes physical control over part of the territory of one of the State parties. Given that cyber operations cannot in principle grant such physical control, the AP II is not likely applicable to stand-alone cyber warfare.119 Nonetheless, under customary law, non-state organized armed groups are obliged to respect IHL.120 As a principle, a State cannot be held responsible for the acts of non-State organized armed groups. Given that a NIAC involves (non-State) organized armed groups acting against the (State) government forces, it would be odd for the State to be

117 ICJ, 26-02-2007, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgement, § 406 [online].
118 John Markoff, Before the Gunfire, Cyberattacks, The New York Times [online via http://www.nytimes.com/2008/08/13/technology/13cyber.html]
119 Of course, if those cyber operations are simultaneous with conventional kinetic attacks and there is in fact control over part of the territory by the organized armed group, then the applicability of AP II could not be questioned.
120 Rule 139 of IHL Customary International Law


held responsible for the actions of those organized armed groups, at least insofar and for as long as the government remains in function. The Sambaggio Case provides an example of the application of such principle where it was considered that “from the standpoint of general principle, that, save under the exceptional circumstances indicated, the Government should not be held responsible for the acts of revolutionists because — 1. Revolutionists are not the agents of government, and a natural responsibility does not exist. 2. Their acts are committed to destroy the government, and no one should be held responsible for the acts of an enemy attempting his life. 3. The revolutionists were beyond governmental control, and the Government cannot be held responsible for injuries committed by those who have escaped its restraint.”121

In the event that operations conducted by an organized armed group succeed in overthrowing the government or eventually a new state is formed by secession, then it makes sense that the State would be assigned responsibility for the actions of the organized armed group. Continuity exists between the armed group and the new government, which explains the legal responsibility for the operation that otherwise would not exist.

During an armed conflict a non-State armed group may engage in cyber operations that would not in any way be attributable to the State, but the State expresses its support for the operations by acknowledging and adopting them as its own. In such cases, the operations would be considered as an act of that State and therefore the State will have indirect responsibility.122 Such was the situation in the Tehran Hostages Case.
In this case after a group of Iranian students took over the US embassy and held embassy personnel hostage, (action which would not be attributable to Iran) the Ayatollah Khomeini on November 17, 1979 issued a decree approving the actions by expressing that “the premises of the Embassy and the hostages would remain as they were until the United States had handed over the former Shah for trial and returned his property to Iran.”123 Following ILC Commentaries, not just any level of support will suffice to deem State responsibility: “the term “acknowledges and adopts” in article 11 makes it clear that what is required

121 Sambaggio Case (Italy v. Venezuela) (Mixed Claims Commission Italy-Venezuela) (1903) 10 Reports of International Arbitral Awards, Vol. X [513] [online via http://legal.un.org/riaa/cases/vol_X/477-692.pdf]
122 See Article 11 of the ILC ARSIWA
123 ICJ, 24-05-1980, United States Diplomatic and Consular Staff in Tehran (United States of America v. Iran), Judgement, § 73 [online].


is something more than a general acknowledgement of a factual situation, but rather that the State identifies the conduct in question and makes it its own.”124

4.2.2.2. Unorganized Armed Groups or individuals

As previously stated, regarding the degree of control by a State for an act practiced by a non-state actor to be attributable to it, the ICTY in the Tadic Case followed the case law of other international courts distinguishing between military groups and individuals or non-organized groups.125 The Court expressly stated that International law imposed a different degree of control depending on whether it concerned actions taken by military groups or by individuals or non-organized groups.126 The ICTY concluded that in order for the actions taken by individuals or unorganized armed groups to be attributable to the State “it is necessary to ascertain whether specific instructions concerning the commission of that particular act had been issued by that State to the individual or group in question”.127 Thus, in comparison to the criteria required for organized armed groups, a much higher threshold has to be met for the acts of individuals or unorganized groups to be attributable to the State. Alternatively, a case may arise where an act carried out by an individual or unorganized armed group, although not attributable to the State, is then considered as an act of the State following the State’s acknowledgement and adoption of the action as its own.128

4.3. The Principle of Sovereignty: a duty of prevention

The Tallinn Manual Rule 1 establishes that a State may “exercise control over cyber infrastructure and activities within its sovereign territory.” Acknowledging sovereignty gives rise to an obligation of all States to respect each other’s authority and autonomy. Such obligation was included in the Tallinn Manual, as Rule 5 prescribes that “A State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be

124 United Nations, Draft articles on Responsibility of States for Internationally Wrongful Acts, with commentaries 2001, [24] [online via http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf]
125 Prosecutor v. Tadic, IT-94-1-A, ICTY Appeals Chamber, Judgement, 15 July 1999, § 132
126 Ibid, § 137
127 Ibid
128 See what has been said regarding this issue supra Chapter 4.2.2


used for acts that adversely and unlawfully affect other States.” The requirement to not knowingly allow sovereign territory to be used in a way that affects other States’ rights means that individual States have a positive duty to take action and protect those rights.129 This means that if a State has knowledge of the use of cyber infrastructures – within its territory or outside but over which it has de facto control – that have negative effects on other States, then unless it takes appropriate measures to avoid such usage, that State violates its international obligations.

This rule does pose a challenge to countries that are less developed technologically and have fewer cyber capabilities. Those countries will probably have less ability to track cyber-attacks that are being conducted from within their territory. Such passiveness and inability to keep pace with the development of technology may turn those countries into sanctuary states, from where cyber-attacks could be safely conducted. One practical problem is the required degree of knowledge of cyber infrastructure and attack capability. The International Group of Experts agreed that Rule 5 applies if the State had “actual knowledge”, that is, if the State knows that a cyber-attack has been made or has information that an attack will take place.

In conclusion, whenever a State’s controlled cyber infrastructure is being used with a negative effect on other countries, the State has to take appropriate measures to prevent or avoid such usage. In case of State passiveness that results in damage to another State, the victim-state may be entitled to resort, under certain circumstances, to countermeasures or self-defence.

129 See ICJ, 24-05-1980, United States Diplomatic and Consular Staff in Tehran (United States of America v. Iran), Judgement, § 67-68 [online].


5. Conclusions

The present Thesis proposed to examine whether Patriotic Hackers were a tacit method of cyber warfare at the disposal of States during armed conflicts. Although Patriotic Hackers potentially can take the role of fighting wars for the States, the answer to the question cannot be given peremptorily in the form of a yes or no. Patriotic Hackers have been defined as those individuals who, having ties of allegiance towards a certain country (of nationality or ethnic related), conduct politically motivated cyber-attacks against perceived enemies of that country, in the name of a sense of patriotism, against threats or attacks by perceived enemies of that country. But is such common motivation sufficient to conclude that Patriotic Hackers are fighting wars for the States?

History shows – aside from others that could be named – a number of confrontations, for instance between US and Chinese Hackers, and between Russian Hackers and States of the former USSR, such as Georgia and Estonia. So far, the attacks have typically been limited to Web Defacements, Distributed Denial of Service Attacks and Malware Attacks with a reduced level of harm. A first question that arises is whether, in the abstract, standalone Patriotic Hacking can reach the threshold of a cyber armed conflict. In this regard, given what has been said above, it should be concluded that cyber operations conducted by Patriotic Hackers will only rise to a cyber IAC when state sponsored, the attacks thus being attributable to the State.
On the other hand – and dependent on the observance of the requirements of Common Article 3 – Patriotic Hacking may meet the threshold of a NIAC when the cyber operations are conducted against a rebel armed group and when Patriotic Hackers attack another country and don’t act on behalf of their homeland country – because otherwise the conflict would be internationalized.

In practice two categories of Patriotic Hackers can be devised: State sponsored Patriotic Hackers and Non-State sponsored Hackers. The first category comprises the assumedly state sponsored Patriotic Hackers. An example of this group would be the one where, for instance, Chinese authorities recruit civilians from the hacker community and high tech companies. Regarding this group, and insofar as the conditions provided by article 13(2) of Geneva Convention I are met, they have combatant status.

The second category would include non-State actors that are not State sponsored. Within this category, organized armed groups can be distinguished from unorganized groups or individuals.

The subcategory of organized armed groups is extremely relevant within NIAC, where a State could be facing the opposition of an organized armed group. In NIAC, although there is no combatant status, organized armed groups are understood as the armed forces of the non-State actor. Thus Patriotic Hackers who are members of an organized armed group and who are involved in cyber-attacks amounting to DPH assume a continuous combat function. But organized armed groups are not relevant only in NIAC. In this case, Patriotic Hackers would not be regarded as armed forces of the Parties to the conflict, retaining their civilian status. Thus, insofar as the conditions are met, Patriotic Hackers engaging in the hostilities would be in DPH.

A third category would involve non-State sponsored unorganized armed groups and individuals. Here the legal status, when engaging in hostilities, would always be DPH. It should be stated, however, that this category is of residual value, because they potentially lack the capability to meet the threshold of cyber armed conflict, given that individually (at least theoretically) they would not have the technological capability to engage in cyber operations causing sufficient harm.

One of the biggest problems that Patriotic Hackers pose is attribution. On the one hand, and without disregarding developments in this field, technical attribution proves to be a difficult task. But even once the origin of the attack has been established, another problem arises: legal attribution.
In this regard it should be concluded that cyber operations can be attributed to a State when they were: (i) conducted by an organ of the State; (ii) conducted by persons or private entities exercising governmental authority; (iii) conducted by a person or group of persons under the direction and control of the State; (iv) acknowledged and adopted by the State as its own; (v) conducted by an organized armed group that successfully overthrew the country and became the government.

States nevertheless have an obligation, given the principle of sovereignty, to prevent or avoid cyber operations being conducted from their territory with adverse effects on other States. If the State has knowledge of such operations and does not act with due care, this can entail the breach of an international obligation.

From what has been said and set out above, it is possible to conclude that Patriotic Hackers can, under some conditions, fight wars for States, avoiding the legal accountability of the former. The fact is that in practice States will, if it is convenient, always deny any relation whatsoever to the cyber attackers or the cyber-attack. This has happened on multiple occasions: Russia denied the attacks on Georgia and any connection to them; the same happened more recently when the authorities of the Democratic People's Republic of Korea denied any involvement in the attack on Sony.

So far we have not witnessed a cyber-attack conducted by Patriotic Hackers that reached the threshold of a cyber armed conflict. The potential damage that such an attack could cause is unforeseeable. International humanitarian law, however, has historically developed following conflicts, meaning that the legal evolution has, in most cases, been one step behind the historical events that motivate the legal change.

Legal regulation of cyber operations, namely those conducted by Patriotic Hackers, appears to be urgent. The danger posed by our digital era's dependence on technology urges such regulation. The Tallinn Manual, although only an academic work, was a first step towards that objective. The Patriotic Hackers phenomenon calls for such regulation, and in particular it poses some other questions. The interests of the State and of Patriotic Hackers being common, as they are, the question that arises is whether the linkage between the two, for instance in the issue of attribution, can be seen in the terms in which it was seen for conventional warfare. Is the current regime of legal attribution given by Customary Law, Conventional Humanitarian Law and the ILC ARSIWA sufficient to solve the issues raised? Aside from the urgent need for legal regulation of cyber warfare, it also appears conclusive that much more international cooperation between States is required.
What happens today is that political ideology determines passiveness towards cyber operations launched from a State's territory when they are directed against a recognized adversary. This probably more political dimension of the problem posed by cyber operations has to be addressed not only within the framework of the United Nations, but also through direct cooperation between States.

6. Bibliography

6.1. Literature

Boulet, G., Cyber Operations by Private Actors in the Ukraine-Russia Conflict: From Cyber War to Cyber Security, American Society of International Law Volume 19 Issue 1 2015 [online via http://www.asil.org/insights/volume/19/issue/1/cyber-operations-private-actors-ukraine-russia-conflict-cyber-war-cyber]

Capaccio, A., China Most Threatening Cyberspace Force, U.S. Panel Says, Bloomberg [online via http://www.bloomberg.com/news/articles/2012-11-05/china-most-threatening-cyberspace-force-u-s-panel-says]

Conger, C., Could a single hacker crash a country’s network? [online via http://computer.howstuffworks.com/hacker-crash-country-network1.htm]

Cook, J., Sony Hackers Have Over 100 Terabytes Of Documents. Only Released 200 Gigabytes So Far, Business Insider [online via http://uk.businessinsider.com/the-sony-hackers-still-have-a-massive-amount-of-data-that-hasnt-been-leaked-yet-2014-12?r=US]

Dan Saxon (ed.), in International Humanitarian Law and the Changing Technology of War, Martinus Nijhoff Publishers 2013

Danchev, D., Coordinated Russia vs Georgia cyber attack in progress, ZDNET [online via http://www.zdnet.com/article/coordinated-russia-vs-georgia-cyber-attack-in-progress/]

Dieter Fleck (ed.), The Handbook of International Humanitarian Law, Oxford University Press 2013 (3rd Revised ed)

Dilanian, K., NSA Director: Yes, China Can Shut Down Our Power Grids, Business Insider [online via http://uk.businessinsider.com/nsa-director-yes-china-can-shut-down-our-power-grids-2014-11?r=US]

Doug Hart (ed.), Proceedings of the 8th International Conference on Information Warfare and Security (ICIW 2013), Academic Conferences and Publishing International Limited 2013

Fulghum, D. A. & Barrie, D., Israel Used Electronic Attack in Air Strike Against Syrian Mystery Target, AVIATION WEEK, Oct. 8, 2007 [online via http://www.freerepublic.com/focus/f-news/1908050/posts]

Gartenstein-Ross, D. & Goodman, J. D., The Attack on Syria's al-Kibar Nuclear Facility, INFOCUS QUARTERLY, Spring 2009, [online via http://www.jewishpolicycenter.org/826/the-attack-on-syrias-al-kibar-nuclear-facility]

Geers, K., Cyberspace and the Changing Nature of Warfare, Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia

Gilbert, D., Syrian Electronic Army Cyber Attacks Continue With US Marines Hack, IBTimes [online via http://www.ibtimes.co.uk/syrian-electronic-army-hacks-marine-website-hacked-503037]

Gill, T. D. and Ducheine, P. A. L., Anticipatory Self-Defense in the Cyber Context, International Law Studies Volume 89 2013, p. 459-460 [online via http://dare.uva.nl/document/2/135180]

Gjelten, T., Volunteer Cyber Army Emerges In Estonia, NPR [online via http://www.npr.org/2011/01/04/132634099/in-estonia-volunteer-cyber-army-defends-nation]

Glennon, M. J., The Road Ahead: Gaps, Leaks and Drips, International Law Studies, Volume 89, 2013 p. 380 [online via https://www.usnwc.edu/getattachment/2d451822-f2d7-4556-b975-3186ba404060/The-Road-Ahead--Gaps,-Leaks-and-Drips.aspx]

Grosswald, L., Cyberattack Attribution Matters under Article 51 of the U.N. Charter, Brooklyn Journal of International Law Vol. 36 2010-2011, p.1160 [via HeinOnline]

Holt, T. J. (ed) and Schell, B. H., Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, IGI Global Publishers, 2010 (1st ed.)

InfoSecurity, National Electric Grid Remains at Significant Risk for Cyber-attack [online via http://www.infosecurity-magazine.com/news/national-electric-grid-remains-at/]

Kazerooni, S., The Growing Threat of Denial-of-Service Attacks, Electric Light & Power, [online via http://www.elp.com/articles/powergrid_international/print/volume-20/issue-2/features/the-growing-threat-of-denial-of-service-attacks.html]

Klimburg, A. (ed.), National Cyber Security Framework Manual, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia, 2012

Left, S. Chinese and American hackers declare 'cyberwar', The Guardian [online via http://www.theguardian.com/technology/2001/may/04/china.internationalnews]

Lenzner, R., Chinese Cyber Attack Could Shut Down U.S. Electric Power Grid [online via http://www.forbes.com/sites/robertlenzner/2014/11/28/chinese-cyber-attack-could-shut-down-u-s-electric-power-grid/]

Markoff, J. Before the Gunfire, Cyberattacks, The New York Times [online via http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0]

Melzer, M., Interpretive guidance on the notion of Direct Participation in Hostilities under International Humanitarian Law, ICRC 2009

Messmer, E., Kosovo cyber-war intensifies: Chinese hackers targeting U.S. sites, government says, CNN [online via http://edition.cnn.com/TECH/computing/9905/12/cyberwar.idg/]

Rubenking, N. J., Wikileaks Attack: Not the First by th3j35t3r, PCMAG, [online via http://www.pcmag.com/article2/0,2817,2373559,00.asp]

Sanger, D. E. and Fackler, M., N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say, The New York Times [online via http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html]

Schmitt, M. N. (Ed.), Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge University Press 2013

Shackelford, S. & Andres, R. State responsibility for cyber attacks: competing standards for a growing problem, Georgetown Journal of International Law 2010, p. 971-1016

Sheldon, J. B., State of the Art: Attackers and Targets in Cyberspace, Journal of Military and Strategic Studies Volume 14 Issue 2 2012, p. 18 [online via http://ww.w.jmss.org/jmss/index.php/jmss/article/viewFile/462/458]

Swaine, J., Georgia: Russia 'conducting cyber war', The Telegraph [online via http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html]

Symantec, 2015 Internet Security Threat Report, Volume 20, 2015

Tiezzi, S., China (Finally) Admits to Hacking, The Diplomat [online via http://thediplomat.com/2015/03/china-finally-admits-to-hacking/?utm_content=buffer5af99&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer]

Traynor, I., Russia accused of unleashing cyberwar to disable Estonia, The Guardian [online via http://www.theguardian.com/world/2007/may/17/topstories3.russia]

United Nations, Draft articles on Responsibility of States for Internationally Wrongful Acts, with commentaries 2001

United States Department of Defense (DoD), The National Military Strategy for Cyberspace Operations, 2006

United States Department of Defense (DoD), Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934, 2011

Wheeler, D. A., Techniques for Cyber Attack Attribution, Institute for Defense Analyses, October 2003 p. 1 [online via http://handle.dtic.mil/100.2/ADA468859]

6.2. Table of Cases

ICJ, 24-05-1980, United States Diplomatic and Consular Staff in Tehran (United States of America v. Iran), Judgement [online].

ICJ, 27-06-1986, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits [online].

ICJ, 8-07-1996, Legality of the threat or use of nuclear weapons, Advisory Opinion [online]

ICJ, 26-02-2007, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgement [online].

Prosecutor v. Tadic, IT-94-1, ICTY Appeals Chamber, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, 2 October 1995 [online]

Prosecutor v. Tadic, IT-94-1-A, ICTY Appeals Chamber, Judgement, 15 July 1999 [online]

Prosecutor v. Ramush Haradinaj, Idriz Balaj and Lahi Brahimaj, IT-04-84-T, ICTY Appeals Chamber, Judgement, 3 April 2008 [online]

Sambiaggio Case (Italy v. Venezuela) (Mixed Claims Commission Italy-Venezuela) (1903) 10 Reports of International Arbitral Awards, Vol. X [online via http://legal.un.org/riaa/cases/vol_X/477-692.pdf]

Iran-United States Claims Tribunal, [Phillips Petroleum Co. Iran] v. Islamic Republic of Iran, Award No. 326–10913–2, 3 November 1987, Iran-United States Claims Tribunal Reports, vol. 21 (1989)
