Legality & The IT Army Of Ukraine

Hundreds of thousands of infosec professionals signed up for cyberwar without realizing it might make them cyber combatants.

Three Wise Monkeys by Aleksei Goferman

When Ukraine issued a plea for help to the cybersecurity industry, hundreds of thousands of information security professionals based in the US, the UK, Canada, and Australia signed up for the IT Army of Ukraine, rushing straight into the cyberwar without stopping to wonder if it is they who might be the cybercriminals now.

The IT Army Of Ukraine

You can think of the IT Army of Ukraine as a temporary cyber group, by which I mean that it didn't exist before Russia invaded Ukraine and is unlikely to stay together when the conflict is over. This is because most of its members have real jobs in the real world. The IT Army was where Western information security professionals went to volunteer; all of the grey/black hats were already in their own groups.

Many of the cyber groups participating in the cyberwar against Russia were already operating before the conflict began, but some of them formed up when the call to arms went out and the IT Army of Ukraine falls into that category. These are mostly cybersecurity and technology professionals volunteering their services to a nation state sponsored threat actor, something most would not do under normal circumstances.

The people who signed up for the IT Army of Ukraine are the same people we pay to protect us in the US, UK, Canada, Australia and New Zealand. These are the people who protect our institutions, our banks, our businesses, our families, and even our governments from cyber attacks. They are our systems administrators, IT managers, cybersecurity engineers, threat intelligence analysts, CISOs, developers, software engineers, SOC analysts, infosec students, and any cybersecurity researcher not already affiliated with an existing cyber group.

Nobody made these people sign up to the IT Army and nobody is paying them to volunteer their services; they are doing it because they believe it is the right thing to do and because they have the skills. Many of them signed up to help defend Ukraine against an expected onslaught of crushing Russian cyberattacks, but then accidentally found themselves participating in offensive cyber operations against Russia.

Can you honestly blame our young for wearing their hearts on their sleeves? For their entire careers we have told them that hacking is a crime, but encouraged them to learn hacking skills in the name of a cybersecurity skills shortage. But then suddenly they are told by the secret whisperers that hacking is not a crime, provided it is directed towards Russia and not financially motivated. Can you blame our younglings for not seeing the whole thing as a glorious cyber adventure?

A silent majority of participants knew exactly what they were getting into and enthusiastically engaged in offensive cyber operations against high value Russian mil and gov targets, including media platforms used to disseminate pro RU propaganda.

Those who were less technically skilled focused on helping the IT Army launch DDoS attacks on pre-selected targets, using custom built services set up to enable thousands of people to pool their resources together during attacks. The innovation we see in the crowd sourced DDoS on demand space right now is deeply interesting.

Isn't That ILLEGAL Though?

Of course it's illegal. This is the reason why we here at Secjuice decided to help missing Ukrainian people instead of attacking Russia; we decided that we probably shouldn't become cybercriminals. Secjuice was recognized as a participant in the cyber conflict because our team built the missing persons platform over at, which doesn't break the law (we checked) or make the Russians super angry with us.

Most of the brave souls who volunteer their services to the IT Army of Ukraine live and work in countries where hacking is a crime, and they are well aware that under normal circumstances nobody would be allowed to hack Russia. The information security industry knows and understands the value of discretion. If you are participating in offensive operations your involvement is definitely criminal. Congratulations small business CISO, you earned a #cybercriminal badge in a glorious cyber crusade!

We Are All Hacktivists Now

Those involved are not just rogue employees, they are volunteers working in their spare time, often supported by their bosses who turn a blind eye but tell them to be careful. These are people who were told by their friends in law enforcement and IC that nobody would come after them for hacktivism as long as it wasn't criminally motivated. In theory the Russian government could issue arrest warrants for those involved; the US regularly issues arrest warrants for Russian hackers, after all.

Arrest warrants need to be enforced in order to have value, backed by Western law enforcement agencies willing to act on them. Our adversaries have never respected the arrest warrants we occasionally issue for citizens of their countries engaged in offensive cyber operations against us, something our powers that be do not forget.

Besides, you would have to place half of the cybersecurity industry under investigation, possibly arrest tens of thousands of its members, crippling our own cybersecurity efforts in the process by depriving us of all the veteran cyber warriors. Like it or not we all are hacktivists now, those of us who quietly raise a glass to the IT Army of Ukraine.

Unlawful Cyberwar Combatants

You might not forgive information security professionals for not knowing that they were suddenly hacktivists, but you can surely forgive them for not realizing that they had quietly been classified as combatants through their direct participation in the conflict. The legal status of a participant in the cyber war against Russia is defined as a lawful combatant in the Regulations concerning the Laws and Customs of War on Land:

Article One states that the laws, rights, and duties of war apply to armies, militia and volunteer corps meeting the following conditions:

1. They are commanded by a person responsible for their subordinates.

2. They have a fixed distinctive emblem recognisable at a distance.

3. They carry their arms openly.

4. They conduct operations in accordance with the laws and customs of war.

According to the International Court of Justice, any combatant who does not match these conditions is considered an unlawful combatant, which means that if the enemy captures you engaged in cyber operations against Russia you are not entitled to the customary protections given to prisoners of war by the Geneva Conventions.

It is difficult to square the conditions above with 'cyber combatants' in the cyber war against Russia. Many hacker groups do have leaders and many of them do have an emblem, but you would have to squint really hard to mistake them for an armed militia or volunteer corps. If you are a non military combatant in the cyber war against Russia you are almost certainly classed as an unlawful combatant, meaning that international law will protect those holding a rifle more than those of you holding a keyboard.

Hackers Are Targets

Rule twenty nine of the Tallinn Manual On The International Law Applicable To Cyberwarfare states that "Civilians are not prohibited from directly participating in cyber operations amounting to hostilities, but forfeit their protection from attacks for such time as they so participate". A clearer way of saying this is that if you are a non military participant in cyber operations against Russia, then you are not protected by international law, and you might also be considered a legitimate target.

To make things worse, according to International Humanitarian Law, "a cyber combatant can be neutralized by a cyberattack, but also by the use of kinetic force, including lethal force if necessary". Yes, you read that right, the Russians might actually shoot you for hacking them and this is the reason why we at Secjuice take every opportunity to tell others that we built a missing persons platform rather than hack Russia.

Best Practices For All Concerned

It should be common knowledge that serious threat actors were always going to be a serious threat, but it's perhaps worth mentioning again lest we forget.

See no evil, hear no evil, and speak no evil.

Unless you are absolutely certain that you are not engaged in unlawful cyber war activity, illegal activity or criminal activity, you should not be talking to members of the press right now. The IT Army Of Ukraine has a dedicated Press Officer who deals with media enquiries. If you are contacted by a member of the press, please direct all enquiries to the IT Army of Ukraine's official Twitter account.

If you are taking part in cyber operations make sure that you are aware of your status and the potential legal consequences of your actions, not just for yourself but also for your family. Think of the personal danger that you may put yourself into by consenting to interviews. This conflict divides people, and some are pro-Russian, while others are pro-Ukrainian, so be aware of the potential risk in your day to day life.

Keep your socks dry.