The Legal Rationale For Killing An Enemy Hacker (or Could You Be The Next Junaid Hussain)?

The Pentagon has confirmed [1] that a British hacker named Junaid Hussain was targeted and killed in a military air strike on August 24, 2015. Pentagon spokesman Air Force Col. Pat Ryder (USCENTCOM) gave the following rationale for targeting Hussain:
  • He was involved in actively recruiting ISIL sympathizers in the West to carry out lone wolf attacks
  • He was responsible for releasing personally identifying information of approximately 1,300 U.S. military government employees
  • He specifically sought to direct violence against U.S. service members and government employees
According to the Wall Street Journal [2], he was a Chief in the Islamic States' electronic army. The U.S. government has been conducting military operations against the Islamic State (ISIL), a group responsible for atrocious war crimes and human rights abuses.

Legal Status (Combatant or Civilian)

When looking at the rationale for the lethal targeting of a hacker, it might help to picture a decision tree. Assuming that there is an armed conflict underway at the time (a requirement for the targeting of a civilian to occur), the first question to ask pertains to the target's legal status. According to Rule 34 of the Tallinn Manual (TM) [3], the following persons may be lawful objects of attack:
  1. members of the armed forces
  2. members of organized armed groups
  3. civilians taking a direct part in hostilities, and
  4. in an international armed conflict, participants in a levee en masse (a military draft or conscription)
In the case of Hussain, his affiliation with ISIL makes him a member of an organized armed group, which makes him a legitimate target regardless of what types of cyber attacks he engaged in. But what if his legal status wasn't so clear cut?

Civilian Status: DPH or IPH

If the target is not a member of the armed forces or of an organized armed group, then the next step is to ascertain whether he was a Direct Participant in Hostilities (DPH) or an Indirect Participant in Hostilities (IPH). Only the former may be attacked.

According to the International Council of the Red Cross (ICRC) [4]:
Persons participate directly in hostilities when they carry out acts, which aim to support one party to the conflict by directly causing harm to another party, either directly inflicting death, injury or destruction, or by directly harming the enemy's military operations or capacity. If and for as long as civilians carry out such acts, they are directly participating in hostilities and lose their protection against attack.
When it comes to cyber attacks, the definition of "causing harm" becomes more fuzzy, which could be problematic for civilian hackers who engage in cyber attacks for reasons of their own. The ICRC specifically calls out interfering with military computer networks and transmitting tactical targeting intelligence for specific attacks as examples of DPH. Hussain took credit for hacking the Twitter account of U.S. Central Command and publishing personally identifiable information for 1,300 government military employees along with inciting personal attacks against those employees from his Twitter account.

Taken in isolation, hacking a social media account is child's play when two-factor authentication hasn't been activated (which it hadn't been in CENTCOM's case). The only result emanating from that hack and others like it is temporary embarrassment of the victim. However, in the Hussain case, it's being used as part of the justification of the attack by the Pentagon [5]. As mentioned above, it isn't the primary justification - that would be Hussain's membership status with an organized armed group (ISIL).

Rule 30 of the TM defines what a cyber attack is for purposes of warfare: 
"A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."
Rule 35 of the TM explicitly states that "civilians enjoy protection against attack unless and for such time as they directly participate in hostilities". The supporting text goes on to state that this rule's application is limited to individuals who engage in hostilities and are not affiliated with a militia or who are affiliated with an "ad hoc group" that lacks the requisite degree of organization. 

Three Conditions Must Be Met

The ICRC has set three conditions that must be met for a civilian to be classified as a DPH[6]:
  1. Threshold of Harm. The act must have the intended or actual effect of negatively affecting the adversary's military operations or capabilities, or inflicting death, physical harm, or material destruction on person' or objects protected against direct attack (threshold of harm).
  2. Causal Link. A direct causal link between the act in question and the harm intended or inflicted must exist.
  3. Belligerent Nexus. The act must be directly related to the hostilities.
If any one of these isn't met, the person cannot be targeted. 


What would it take for a hacker to land on the Pentagon's Disposition Matrix [7] like Junaid Hussain did? If you're a hacker who is conducting any kind of network attack against foreign government entities, especially the United States or its key allies, here are three important tips to keep in mind:
  1. Be careful about who you affiliate with. If you align yourself with a group that the U.S. government eventually considers an organized armed group, you may lose the protection of your civilian status and become a target by virtue of your affiliation alone. The fact that you also have mad hacker skills will just be the icing on the Pentagon's cake.
  2. Don't think that low-level, unsophisticated network and social media attacks will make you less of a target than attacks that actually cause harm to an object or person. Hussain hacked a Twitter feed and posted names and email addresses for government employees, among other things. 
  3. If you decide to support another nation's or group's activities that are deemed hostile to a foreign government, such as a color revolution or something equivalent to the Arab Spring, that government may deem you a legitimate target under these same legal principles. 
Remember that your online activities, no matter how minor you believe them to be, may under the right combination of circumstances, result in a lethal outcome. The Hussain killing should be taken seriously by everyone in information security who's involved in hacking as a profession or a hobby.

[3] Tallinn Manual on the Internal Law Applicable to Cyber Warfare, Cambridge University Press, 2013
[6] The Tallinn Manual, p. 119, footnote 63