No, Tech Companies and Cybersecurity Firms Aren't Close to Becoming Direct Participants in the Conflict by Helping Ukraine
And it's not particularly close. But here's what the Laws of Armed Conflict have to say about it.
Over at Zero Day, the fantastic cybersecurity journalist Kim Zetter has a great article with a warning: cybersecurity firms working to help Ukraine need to be careful if they want to avoid being direct participants in the war in Ukraine.
It’s a great article because it serves as a useful reminder: international law applies to individuals and organizations, not just states, and getting involved in a war without real care and attention can be problematic in all sorts of unexpected ways.
The natural question that arises for executives and individuals working in Western companies reading Zetter’s article will probably be: am I at risk of being a participant in the conflict?
The correct answer to this question, of course, is “I am not your lawyer; hire someone who is, and then take their advice”.
But with that caveat aside, the answer is almost certainly no.
The unhappy news is that not being a direct participant probably does less for you than you might think. For example, it doesn’t provide immunity against Russian government reprisals against you or your company in a whole variety of different forms, ranging from Russian sanctions and Russian domestic criminal liability to Russian cyberattacks against your own firm.
It also doesn’t prevent Russia simply ignoring IHL and attacking your buildings and employees anyway. In practice, Russia is more likely to be constrained by its own practical limitations and the international consequences of doing so than by the IHL consequences; it has a pretty poor record of respecting civilian protected status so far in its war in Ukraine.
But that all said, it’s a great excuse for a discussion on what it actually means to be a direct participant in hostilities, and why it’s very unlikely that you’ll become one by accident through your ordinary work at a US technology or cybersecurity vendor, even if you are helping Ukraine.
While we’re at it, we can also have a little discussion about why even if someone in the US tips over that line, it’s not going to drag the US (or any other country) into a direct hot war with Russia too.
Direct participation in hostilities
First of all, what is “direct participation in hostilities” all about? It’s a term that is derived from the principle of distinction—a central notion under International Humanitarian Law (IHL). As the ICRC explains:
In international humanitarian law the concept of “direct participation in hostilities” refers to conduct which, if carried out by a civilian, suspends his protection against the dangers arising from military operations. Most notably, for the duration of his direct participation in hostilities, a civilian may be directly attacked as if he were a combatant.
The principle of distinction requires that military forces at war only directly target the armed forces of the opposing side. Direct attacks on civilian people or objects are prohibited. But this is not a blanket rule; there are exceptions. If a civilian becomes a direct participant in the hostilities, they may be freely targeted as if they belonged to the military and the opposing side may purposely directly target and kill them as part of the war.
Parsing out when those protections are suspended is not always clear cut—IHL evolves over time out of a variety of principles, texts, prior cases, and formal and informal agreements between states—but the ICRC has you covered with the basics: To qualify as being a direct participant in hostilities, the individual must generally be engaged in specific acts that meet all three of the following criteria:
The act must be likely to adversely affect the military operations or military capacity of a party to an armed conflict or, alternatively, to inflict death, injury, or destruction on persons or objects protected against direct attack (threshold of harm);
There must be a direct causal link between the act and the harm likely to result either from that act, or from a coordinated military operation of which that act constitutes an integral part (direct causation); and
The act must be specifically designed to directly cause the required threshold of harm in support of a party to the conflict and to the detriment of another (belligerent nexus).
In other words, civilians, whether Ukrainian or foreign, are at risk of losing their IHL civilian protected status and could be directly targeted as if they were the Ukrainian military if they do something that meets all of these three criteria. For most cybersecurity firms working in Ukraine, all three will not be met, and meeting all three by accident is vanishingly unlikely.
The “threshold of harm” test
It’s tempting when looking at the three tests to come up with scenarios where a cybersecurity firm might trip over the line and qualify. For example, a cybersecurity company catches Russian malware deployed by the Russian military, and then patches it in order to stop them. This self-evidently harms Russian military capability by stopping the hack; it does so directly; and you’re doing this to help Ukraine. So does that make you a direct participant in the hostilities?
The key thing about the “degrading military capacity” test here is the “threshold of harm” test. Importantly it’s not any harm, it’s harm meeting or exceeding that threshold.
So what is the threshold? Let’s take a look:
For a specific act to qualify as direct participation in hostilities, the harm likely to result from it must attain a certain threshold. This threshold can be reached either by causing harm of a specifically military nature or by inflicting death, injury, or destruction on persons or objects protected against direct attack
Note the two key phrases here. To reach the threshold of harm, your company would need to be doing something that either:
Causes harm of a specifically military nature
Inflicts death, injury or destruction on persons or objects
Most cybersecurity firms will not be particularly close to this threshold on either count. Virtually all ordinary defensive cybersecurity work will not get close. Providing network security equipment or end-point security software for Ukrainian networks—even military networks—doesn’t get you there.
This might be obvious, but I’ll call it out anyway: failing to assist Russia doesn’t count as a harm either. As the ICRC notes:
At the same time, the conduct of a civilian cannot be interpreted as adversely affecting the military operations or military capacity of a party to the conflict simply because it fails to positively affect them. Thus, the refusal of a civilian to collaborate with a party to the conflict as an informant, scout or lookout would not reach the required threshold of harm regardless of the motivations underlying the refusal.
In other words, rejecting Russian clients in favor of Ukrainian ones does not come close to meeting this threshold. If your company could materially help Russia, but chooses not to, you are not causing a harm within this “threshold of harms” definition. It’s not a requirement that civilians be neutral in the conflict, and having Ukrainian customers but not Russian ones doesn’t jeopardize your IHL civilian status.
So if most cybersecurity company actions don’t get close to meeting this threshold, what circumstances could? Here are a few:
Wiretapping (passively, or through hacking) Russian military communications
Transmitting targeting coordinates to the Ukrainian military for use in strikes
Certain forms of CNE against Russian networks if they are of a “military nature”, for example, by directly degrading military logistics, command and control, or causing kinetic effects that are designed to inflict death, injury, or destruction on persons or objects.
Be careful here: even most computer network exploitation (CNE) does not automatically meet this threshold:
Acts that neither cause harm of a military nature nor inflict death, injury, or destruction on protected persons or objects cannot be equated with the use of means or methods of “warfare” or, respectively, of “injuring the enemy”, as would be required for a qualification as hostilities. For example, […] the manipulation of computer networks, […] may have a serious impact on public security, health, and commerce, and may even be prohibited under IHL. However, they would not, in the absence of adverse military effects, cause the kind and degree of harm required to qualify as direct participation in hostilities.
For most tech companies and cybersecurity firms, the question of whether they meet this threshold isn’t a close call: they’re not.
Organizations and individuals that are closer to the line would be those closely involved in analyzing the on-the-ground military operations, such as satellite imagery firms and some OSINT providers that track the physical war closely, or when engaging in CNA or CNE type activities. As an example that probably did cross this line, the Belarusian hacking group “Cyber Partisans” probably exceeded this harms threshold when targeting Russian and Belarusian military rail logistics earlier in the year.
But for those organizations and individuals that get close to the line, meeting this threshold isn’t sufficient; this is only one of three tests. Instead, they’ll be looking to rely on the direct causation test.
The “direct causation” test
This test is relatively straightforward: there must be a direct causal link between the act and the harm in order to justify losing IHL civilian protected status, and moreover that harm must have been likely given the act.
This directness test is quite strict. Examples that don’t meet the directness test include the design, shipment, production, or repair of military equipment. Nor does financial support to Ukraine, or even financial or equipment support given directly to the Ukrainian military suffice.
Notice that this is an additional test to the earlier “harm” test. And it’s important to see how high the bar is to meet them. For example, American civilians working on, say, the design, construction, and logistics for delivering HIMARS to Ukraine easily meet the harm standard in the previous definition, but their support is too indirect to meet the directness standard; even those civilian defense contractors do not qualify as direct participants in the conflict.
So how direct do you have to be to meet this directness standard? The ICRC provides two concrete examples: a truck driver delivering ammunition supplies to the front-lines, or a voluntary human shield would both qualify.
For most tech and cybersecurity companies—and most defense companies for that matter—in the West, this directness test isn’t a close call either. Plausibly a US company that itself hacks Russian military communications; or which itself engages in CNE against Russian military networks or CNA; or which itself derives and transmits targeting coordinates directly to the Ukrainian military would qualify. But those that merely provide the capability to do it, and sell it to Ukraine for Ukraine to use itself, probably don’t.
If you’re doing any of that and you haven’t already found yourself a lawyer, then first of all yikes, and second of all go and do that immediately.
But most cybersecurity companies are not close to meeting this standard, and are certainly much further away from meeting it than, say, the US Department of Defense and its many large defense contractors who are providing high volumes of material support to Ukraine across the spectrum, and who have still avoided crossing this line.
Belligerent Nexus Standard
This final standard is used to recognize that it’s possible to meet the harm and directness standards, but nevertheless still be clearly distinguishable from a combatant in the war. This is what the belligerent nexus standard is for. This standard requires that the action has to be directly connected to the war itself—it must have a nexus to one of the principal belligerents.
A good example of this is self-defense. A civilian who defends themselves—even lethally—against rape, looting, or attempted murder by occupation forces does not become a combatant of the other side; it does not remove that civilian’s IHL protected status in the war, even if the act otherwise meets the directness and harm thresholds discussed earlier.
Another example is that a civilian does not lose their ordinary IHL civilian status by being involved in ordinary criminality, such as a shoot-out with police. This may cause direct harms against the occupation force, but if this is occurring tangential to the conflict, then it falls to domestic criminal law (or more likely, occupation martial law) to resolve the issue; the civilian does not automatically lose their IHL protected civilian status because of it.
For the purposes of technology, cybersecurity (and other defense) companies outside of Ukraine, this standard is probably the least interesting. Their support to Ukraine will fail to meet the direct participant standard on the other two metrics long before we reach this one. But it is included for completeness.
What about handling Ukrainian military data?
Where life gets a bit more complicated is—as Zetter rightly calls out in her article—when companies store and process Ukrainian military data on their behalf. For example, the Ukrainian military might upload military registration forms into Microsoft Azure or Amazon AWS to keep them safe from physical attacks in Ukraine. As Zetter notes in her piece:
Likewise, if any Ukrainian data transferred to Microsoft and Amazon cloud servers during the current war includes Ukrainian military data, that infrastructure and the data stored on it could be considered a legitimate military target and draw attack from Russia. And if cloud providers are hosting the data of other customers on the same infrastructure, they could be affected by such an attack too.
Let’s take a look at this question, and also the separate risk that Zetter doesn’t call out but we should interrogate anyway—whether handling Ukrainian military data might come with personal risks beyond the infrastructure itself to the foreign contractors handling it.
The question of what this means for the tech company is a bit complicated, because we need to distinguish what it means for the US employees, the US datacenter, and the Ukrainian military data. They are all different entities here.
Of these, the status of the data itself is relatively simple: Russia targeting it for destruction is basically fair game; it is a military object, even if it is a virtual one.
For the US employees of AWS or Azure, the question of whether they become a direct participant in the hostilities by helping Ukraine to store the data requires us to go back to the three principles described earlier. At a bare minimum, their involvement would fail the directness test, if not the other two as well. The storage or processing of Ukrainian military data does not, by itself, make them a direct participant in hostilities.
But just because the datacenter engineers retain their IHL civilian status doesn’t necessarily mean handling this data is completely safe. After all, if the data is a military object, can Russia attack the US datacenter that houses it?
In theory, maybe. In practice, no.
Here, LOAC requires Russia perform three tests: necessity, proportionality and distinction to determine if it’s lawful to attack the datacenter. The last of these is our principle of distinction, but Russia’s real problem here would come from the proportionality test. Getting into these in detail is too much for this article, so I’ll leave it for now, other than to say I think it would be a high—but not impossible—bar to meet, and would be highly fact-dependent. If it did meet them, then yes, in principle, it could lawfully attack the datacenter, even if doing so caused civilian collateral harms.
But while that might be the theoretical answer, in real life Russia is not going to launch missiles against the United States. And it’s certainly not going to do it just to destroy an Amazon or Microsoft datacenter. So the civilians working in the datacenter can all heave a big sigh of relief on that front. Not only will they not lose their civilian protected status, but they’re also very unlikely to end up as civilian collateral for doing their jobs safe inside the United States or Europe either.
Cyberattacks are a more serious concern. Russia would be technically obliged to do a LOAC analysis on these too, although I doubt they would in practice. But supposing they would, targeting the Ukrainian military’s user accounts on AWS in order to delete the data would likely be permissible. It’d be an obvious thing to target, and I can think of no particularly strong reasons why it would be illegitimate as a target for the Russian military—even if I hope they would fail at it.
Targeting Amazon more broadly with, say, wipers to disrupt Amazon’s users beyond the Ukrainian military’s own data, gets a lot more messy. That once again gets into a long and fact-dependent argument over proportionality, given the volume of civilian co-located data that’s there. That conversation is too long to have here, other than to say I think that would be a very high barrier to meet and would be very fact-dependent.
But the important thing in all of this is that while interacting with Ukrainian military data has all sorts of ways that it might make your networks and computers outside of Ukraine a valid target for cyberattacks, it would not, by itself, make the civilian employees of the company direct participants in the hostilities.
That’s a really good thing. Because otherwise it’d get really messy for the US.
If a US company or individual becomes a direct participant, could it drag the United States into war?
In theory, maybe, in practice no.
Companies that are playing very close to the line do need to be careful not to step into the armed conflict themselves for a whole bunch of self-interested reasons. If you’re providing direct support to Ukraine in the forms of arms or logistics (whether physical or software-based), or CNE/CNA against Russia and don’t already have a legal team then (a) wtf are you doing and (b) get on that immediately.
But if you become a direct participant in the conflict does that drag your country into war with Russia?
As Zetter mentions over at Zero Day, companies becoming direct participants do cause neutrality problems for the countries in which they reside. Michael Schmitt explains in the article:
“If [the U.S.] allows Microsoft to engage in activities that are assisting the Ukrainians, Microsoft doesn’t violate neutrality, it’s a violation of the United States by permitting its territory to be used in an un-neutral manner,” says Schmitt. “The Russians have a legal right under international law…to prevent that from occurring.”
It’s true. Although to be clear: I don’t think Microsoft is anywhere remotely close to meeting the threshold here.
But as Schmitt rightly calls out in Zetter’s article, the United States’ neutrality in the war is based, in part, on the United States ensuring that its territory is not used to harbor belligerents attacking Russia’s territory. Failure to do so undermines the United States’ neutrality in the conflict.
On this point, however, we need to be a bit careful in two regards. Firstly, the United States’ neutrality is not automatically undermined just because a direct participant in hostilities attacks another country from inside of it. The United States can act to stop the ongoing attacks against Russia from its territory to maintain its neutrality. For example, Russia could alert the United States of the ongoing attacks coming from within the US, and the US could intervene to stop them through its own domestic criminal law powers. Those laws are purposely designed to ensure that the United States retains that capacity.
Only if the United States failed to do so—either because it was unwilling or unable—would Russia be able to credibly make the claim that the United States is no longer neutral in the conflict.
But again, this is not automatic. It would give Russia the option to cite it as a LOAC justification to declare war against the United States. But it certainly does not oblige Russia to declare war on the United States over it.
Direct hot war between Russia and the United States is extraordinarily unlikely. Both have gone to enormous lengths to avoid it. And while it’s true that events in war are complex and fast, and have an annoying habit of making fools out of predictors, at least on this, I think it’s a safe bet: The United States and Russia aren’t going to be “dragged” into war against their will by anyone or anything. And definitely not because a US cybersecurity or tech company just got out over their skis.
Update: the piece has been updated to be more clear that Zetter did not write that foreign employees handling Ukrainian military data could become direct participants in the conflict; this article explores that possibility separately, not in response to Zetter’s article.