The present Thesis proposed to examine whether Patriotic Hackers were a tacit method of cyber warfare at the disposal of States during armed conflicts. Although Patriotic Hackers potentially can take the role of fighting wars for the States the answer to the question cannot be given peremptorily in the form of a yes or no.
Patriotic Hackers has been defined as those individuals who having ties of allegiance towards a certain country (of nationality or ethnic related) conduct politically motivated cyber-attacks against perceived enemies of that country, in name of a sense of patriotism, against threats or attacks by perceived enemies of that country.
But such common motivation is sufficient to conclude that Patriotic Hackers are fighting wars for the States? History shows – aside from others that could be named - a number of confronts for instance between US and China Hackers, and Russian Hackers and States of the former USSR – such Georgia and Estonia. So far, the attacks have been limited to so far they have typically been limited to Web Defacements, Distributed Denial of Service Attacks and Malware Attacks with reduced level of harm.
A first question that arises is whether abstractly standalone Patriotic Hacking can reach the threshold of a cyber armed conflict. In this regard given what has been said above it should be concluded that cyber operations conducted by Patriotic Hackers will only rise to a cyber IAC when state sponsored, thus being the attacks attributable to the State. On the other hand - and dependent of the observance of the requirements of Common Article 3 -, Patriotic Hacking may meet the threshold of a NIAC when the cyber operations are conducted against a rebel armed group and when Patriotic Hackers attack another country and don’t act in behalf of their homeland country – because otherwise the conflict would be internationalized
In practice two categories of Patriotic Hackers can be devised: Sate sponsored Patriotic Hackers and Non State Sponsored Hackers.
The first category comprises the assumedly state sponsored Patriotic Hackers. An example of this group would be the one where, for instance, Chinese authorities recruit civilians from the hacker community and high tech companies. Regarding this group and insofar the conditions provided by article 13(2) of Geneva Convention I, they have combatant status.
46 The second category would include non-state actors non-state sponsored. Under this category may be distinguished organized armed groups and unorganized groups or individuals.
The subcategory of organized armed groups is of extremely relevance within NIAC where a State could be facing the opposition of an organized armed group. In NIAC, although there is no combatant status, organized armed groups are understood as the armed forces of the non-state actor. Thus Patriotic Hackers who are members of an organized armed group, who are involved in the cyber-attacks amounting to DPH, assume a continuous combat function. But not only in NIAC are organized armed groups relevant. In this case, Patriotic Hackers would not be assumed as armed forces of the Parties to the conflict retaining their civilian status. Thus insofar the conditions are met Patriotic Hackers engaging in the hostilities would be in DPH.
A third category would involve non-sate sponsored unorganized armed groups and individuals. Here the legal status – when engaging in hostilities - would always be DPH. It should be stated however that this category is of residual value because potentially they lack the capability to meet the threshold of cyber armed conflict given that individually (at least theoretically) they would not have the technological capability to engage in cyber operations causing sufficient harm.
One of the biggest problems that Patriotic Hackers pose is the attribution. On one hand, and not disregarding the development on this field, the technical attribution reveals as one difficult task. But even after being able to disclose the origin of the attack, another problem arises: the legal attribution.
In this regard it should be concluded that the cyber operation can be attributable to a state when they were: (i) conducted by a state of the organ; (ii) conducted by persons or private entities exercising governmental authority; (iii) conducted by person or group of persons that were under direct and control of the state; (iv) acknowledged and adopted by the State as their own; (v) conducted by an organized armed group that successfully overthrow the country and became government.
The states nevertheless have an obligation – given the principle of sovereignty - to prevent or avoid cyber operations being conduct from its territory with adverse effects on other states. If the state has knowledge of such and does not act with the due care it can entail the breach of an international obligation.
From what has been said and above exposed, it is possible to conclude that Patriotic Hackers can under some conditions fight wars for the States, avoiding the legal
47 accountability of the former. The fact is that in practice States if it is convenient will always deny any relation whatsoever to the cyber attackers or the cyber-attack. This happened on multiple occasions: Russia denied the attacks on Georgia and having connection to them; the same happened more recently when the Democratic People's Republic of Korea authorities denied any involvement on the attack on Sony.
So far we have not assisted to a cyber-attacked conducted by Patriotic Hackers that reached the threshold of a cyber armed conflict. It is unforeseeable the potential damage that one such attack could reach. Although, International humanitarian law has historically developed following conflicts meaning that the legal evolution has - in most of the cases - been one step back to the historical events that motivate the legal change. It appears to be urgent a legal regulation of the cyber operations, namely the one conducted by Patriotic Hackers. The danger posed by the dependence on technology of our digital era urges such regulation. The Tallinn Manual, although being only an academic work was a first step towards that objective. The Patriotic Hackers phenomenon calls for the necessity of such regulation. And in particular it poses some other questions. Being the interest between State and Patriotic Hackers common – as they are -, the question that arises is whether the linkage between the two of them, for instance in the issue of attribution can be seen in the terms that it was for conventional warfare. Is the actual regime of legal attribution given by the Customary Law, Conventional Humanitarian Law and ILC ARSIWA sufficient to solve the issues raised?
Aside from the urgent necessity of legal regulation of Cyber warfare it appears also conclusive that it is required a much more international cooperation between states. What happens today is that political ideology determines passiveness towards cyber operations being taken from a state’s territory when it is against a recognized adversary. This more political dimension probably of the problem posed by cyber operation has, not only, to be addressed within the framework of the United Nations, but also, through direct cooperation by the states.
49