Cyber-attacks have become increasingly common and are an integral part of contemporary armed conflicts. With that premise in mind, the question arises of whether or not a civilian carrying out cyber-attacks during an armed conflict becomes a legitimate target under international humanitarian law. This paper aims to explore this question using three different analytical and conceptual frameworks while looking at a variety of cyber-attacks along with their subsequent effects. One of the core principles of the law of armed conflict is distinction, which states that civilians in an armed conflict are granted a set of protections, mainly the protection from direct attacks by the adversary, whereas combatants (or members of armed groups) and military objectives may become legitimate targets of direct attacks. Although civilians are generally protected from direct attacks, they can still become victims of an attack because they lose this protection “for such time as they take direct part in hostilities.” In other words, under certain circumstances, if a civilian decides to engage in hostile cyber activities (or “hacktivities”), they may well become a target of a direct lethal attack. I will argue that although the answer is highly nuanced and context dependent, the most salutary doctrinal revision that can be made in this area is that the threshold of harm must adapt to the particular intricacies of cyberspace.
Ido Kilovaty, ICRC, NATO and the U.S. – Direct Participation in Hacktivities – Targeting Private Contractors and Civilians in Cyberspace Under International Humanitarian Law, 15 Duke Law & Technology Review 1-38 (2016)