The ongoing armed conflict in Ukraine has witnessed an escalation of cyber-operations that have been carried out by different “hacking actors”. Suffice to recall the Ukraine's "IT army", that have been called by the representatives of the Ukrainian government to join forces against Russia, as well as the pro-Russian “Conti team” and the “Cyber Partisans” group. While these groups of hackers are allegedly sponsored by states and seemed to act under the relevant states’ instructions, another (non-state sponsored) hacking actor is playing a relevant role in the armed conflict in Ukraine, namely Anonymous.
Anonymous has declared on Twitter to be “in cyber war” against Russia and has carried out several cyber operations targeting Russian networks, like Russian news agencies and online newspapers, the network of the Russian oil giant Gazprom and a number of Russian government websites.
While some media have used the term cyber-war referring to the cyber-operations carried out by Anonymous against Russian networks (i.e. on The Guardian or DailyMail), a(n academic) clarification is needed: we generally talk about cyberwar(fare) when cyber-operations are carried on by states or their proxies against other states. This is not a merely terminological issue, but it is an important qualification that has also legal consequences: indeed, it is in the context of cyber-warfare that the law of armed conflict applies.
Anonymous is not – and does not consider itself – a (cyber-)state, nor an international (non-)governmental organization; rather, it is a decentralized and non-hierarchical group of private individuals. There is no evidence that Anonymous is acting under the instructions of any state. Accordingly, its conducts cannot be qualified as conducts of a state. As such, it cannot engage in a cyberwarfare.
However, this does not mean that no (international) rules apply.
Firstly, each one of the individuals acting as Anonymous is subject to the relevant national (cyber-criminal) lawjurisdiction.
Secondly, also international law plays a role. In particular, under certain circumstances, Anonymous` cyber-conduct can amount to “direct participation in hostilities” under international humanitarian law. According to the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, individuals who engage in hostilities with cyber-operations can be considered as participating directly in the hostilities and can be “liable to be attacked by cyber or other lawful means”.
In order to determine when an act can be considered as a direct participation in hostilities, we should look at the three criteria listed in the International Committee of the Red Cross (ICRC)’s Interpretive Guidance to the additional protocols to the Geneva Convention: “the act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict […]; there must be a direct causal link between the act and the harm […]; and the act must be specifically designed to directly cause […] harm […]”.
In the context of the armed conflict in Ukraine, Anonymous can be considered as taking a direct part in the hostilities. Let’s consider, for example, the case of an individual conducting a DDoS operation against Russia’s computer system network, making it difficult or impossible for Russia to rely on its online network of communication. In these instances, whoever is acting as Anonymous can become a legitimate target under international humanitarian law.
However, it is not always an easy task to identify which cyber-operations can be qualified as direct participation in hostilities. For example, elaborating a malware and making it openly available online for anyone to be used also in the context of a conflict, may not amount as direct participation in hostilities.
According to the law of neutrality, neutral states should not allow belligerents to make use of their territory or resources for military purposes. Though Anonymous is not considered a belligerent party, its acts can amount to direct participation in the hostilities. Accordingly, we should question whether such states should have a duty to intervene to avoid the use of their (cyber-)infrastructures by Anonymous and whether, if they do not intervene in this respect, their neutrality is challenged. This possibility has already been answered in the positive by some scholarswith regard to the intervention of Anonymous in cyber-operations launched against Israel during its 2014 conflict with Hamas.
This can be hold trues also in the case of Ukraine, where neutral states not preventing Anonymous for conducting cyber-operations from their territory that amount to direct participation in the hostility can trigger their co-belligerency status and become a possible target as well.
Al in all, it is quite apparent that Anonymous does not operate in a legal vacuum, and that (international humanitarian) law rules are applicable also to its cyber-conduct. However, legal gaps still exist and (national and international) rules are not very clear when it comes to defining and regulating the different forms of cyber-operations that are carried out by individuals. The current conflict in Ukraine can serve as an (additional) opportunity to address the legal challenges that are still in place and fill in these gaps.