Blurring the lines: when does a civilian hacker become a combattant?
Civilians are conducting cyber operations in armed conflicts around the globe. In doing so, they expose themselves to being attacked and can endanger other civilians.
For centuries, civilians have been part of hostilities during wars. For example, during the Second World War, British volunteers phoned in early warning of air raids.
Today, these actors are primarily hackers. Civilian hackers have increasingly been or are active in armed conflicts in Ukraine, Syria, Armenia and Azerbaijan, India and Pakistan, as well as between Israel and Iran and between Israel and Hamas. In a modern battlefield, anyone with a smartphone is a potential source of military information that can collect and send data in seconds.
With strategies that aim to mobilise “the whole of society” to defend a country, civilian involvement in warfare could become increasingly direct and far-reaching, warn the International Committee of the Red Cross (ICRC) and the Geneva Academy of International Humanitarian Law and Human Rights in a joint report.
This raises many questions and creates its own set of problems. Not only are civilians exposing themselves to danger, but their involvement in conflicts raises the question of whether they classify as combatants or non-combatants under international humanitarian law – and benefit from protection.
The more civilians actively participate in hostilities, the more the line between civilians and combatants becomes blurred, says the ICRC.
“In several of today’s armed conflicts, the ICRC has documented cases in which civilians were shot or detained because they were suspected of using their mobile phones to spy for parties to the conflict,” Tilmann Rodenhäuser, a legal adviser at the ICRC and co-author of the report, told Swissinfo.
More
Cyberwar brings frontline to heart of European infrastructure
One example where civilian hackers are most active is in Ukraine, which was invaded by Russia in February 2022. The war in Ukraine has transformed civilian participation. They’ve shifted from being isolated informants to networked, real-time intelligence contributors. In March 2022, Ukraine’s Ministry of Digital Transformation introduced the chatbot eVorog (“e-Enemy”), allowing civilians to report troop movements, the location of unexploded ordnance, or the transport of materiel by Russian forces.
Some groups of civilian hacktivists use distributed denial-of-service (DDoS) operations to weaken their opponents. In such attacks, perpetrators attempt to overwhelm a website with traffic to prevent its normal operation. A well-known example is the civilian group IT Army of Ukraine, which was created and encouraged by the Ukrainian government to attack Russian targets. According to its own statements, the IT Army aims to help Ukraine win by “paralysing the aggressor’s economy and blocking key financial, infrastructure, and government services.”
Blurred lines between civilians and combatants
International humanitarian law (IHL) does not prohibit “hacking” as such, nor does it forbid civilians from conducting cyber operations against military targets. But as the line between civilian and military hackers blurs, the question of whether they should benefit from non-combatant protection is harder to answer.
The issue of civilian hackers and the protection of civilians in war is also of concern to the United Nations. In his report to the UN Security Council on the protection of civilians, UN Secretary-General António Guterres stated in May 2025: “The way in which information and communication technologies (ICT) are used in armed conflicts continues to raise concerns regarding compliance with international humanitarian law and the protection of civilians.” Cyber operations, he added, could damage or disrupt critical infrastructure and services such as energy, transport, water supply, communications, or healthcare.
More
Inside Geneva: who controls landmines and drones?
A case that raises many questions is the access last February of Russian military accounts by Ukrainian civilians. Dozens of Russian military accounts were hacked, giving the hackers access to monitoring systems used by Russian drone operators.
The hackers then passed the data on to the Ukrainian army. This improved the effectiveness of defenses against Russian drone attacks, particularly due to information about drone routes and flight missions, according to the international intelligence community InformNapalm, which was involved in the operation.
An analysis of the intercepted chats between drone pilots indicated that Russia used Belarusian civilian infrastructure — especially mobile phone towers — to plan drone routes.
The ICRC says that civilian hacking can also lead to harming the population because civilian targets are either directly attacked or incidentally damaged. In addition, civilian hackers risk exposing themselves and people around them to military operations.
Rules of international humanitarian law
Civilian hackers must comply with IHL, says the ICRC. In autumn 2023, the ICRC, which is responsible for monitoring and promoting compliance with IHL, set out eight rules for civilian hackers in wartime. These include the prohibition of attacks on civilians and hospitals, the prohibition of hacking tools that spread automatically, and the prohibition of threats that spread fear among the civilian population.
Several organisations subsequently declared publicly that they would not attack civilian targets. In December 2023, the IT Army stated that it supported any Ukrainian hacktivist group that complied with ICRC rules and cooperated only with groups that did the same. The group Anonymous posted on X: “We condemn attacks on citizens who are not combatants.”
“Hacker groups may lose their legal protection as civilians if they are considered part of a state’s armed forces or if their members directly participate in hostilities,” said Anna Greipl, a co-author of the ICRC and Geneva Academy report.
However, a group that operates independently or in which members are loosely connected via open online channels without a clear command structure would most likely not be considered as such, she added. In her assessment, both members of the IT Army of Ukraine and the group reported on by InformNapalm would retain their civilian status, provided they are not officially part of the Ukrainian armed forces. But individuals within these groups can still lose protection if they directly participate in hostilities.
Duties of governments
Governments also have responsibilities, say the authors. States should avoid involving civilians in activities that bring them close to hostilities. States are also obliged to prevent violations of IHL by civilians within their territory — including civilian hackers and technology companies — and to prosecute those who commit war crimes.
When technology companies provide services in wartime such as cybersecurity, communication infrastructure, or cloud storage, their activities have legal and practical consequences, the report states. For example, defending military networks against cyberattacks may constitute direct participation in hostilities by employees. In some cases, their facilities may become military targets. The authors therefore call on companies to separate the parts of their infrastructure used by the military from those used for civilian customers.
The risks faced by civilian hackers, as well as concerns that they may not be aware of legal limits and consequences, were also addressed in a 2024 resolution of the International Conference of the Red Cross and Red Crescent. Further clarification by states and experts is taking place, in other forums, within the framework of the “Global IHL Initiative,” which aims to reinforce international humanitarian law.
Many experts warn against setting the threshold too low when determining whether civilian hacker groups lose their protection. This risks exposing a broad range of civilian cyber activities to lawful attack. “There is general agreement that merely downloading an app to support a DDoS campaign is not enough to constitute direct participation in hostilities,” said Greipl.
Edited by Virginie Mangin/gw
More
International Geneva
In compliance with the JTI standards
More: SWI swissinfo.ch certified by the Journalism Trust Initiative
You can find an overview of ongoing debates with our journalists here . Please join us!
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.