Ukranian ‘IT Army’: A Cyber Levée en Masse or Civilians Directly Participating in Hostilities?

Written by and

In the days following Russia’s invasion of Ukraine, Ukraine’s Deputy Prime Minister and Minister for Digital Transformation Mykhaylo Fedorov announced in a tweet the creation of an ‘IT Army’. According to reports, as many as 400, 000 people from across the world have joined. A list of targets has been published and it includes a range of governmental departments, businesses and banks in Russia and Belarus. The list has been translated into English to help foreign IT specialists conduct cyber attacks. Since the beginning of the war, the IT Army has launched a number of DDOS attacks against Russian targets and knocked offline websites belonging to the Kremlin, Foreign Ministry and Ministry of Defence. DDOS attacks have also been directed against Russian companies and banks including the Moscow Stock Exchange. Belarus’s railway network has been hacked and was taken offline with the apparent aim of disrupting Russia’s transport of troops and equipment to Ukraine. The IT Army has also defaced multiple public and private sector websites in Russia and Belarus.

The immediate question is how to classify the participants in this IT Army under international humanitarian law (IHL). This is critical because of the different consequences that follow. If they are combatants, they can lawfully participate in the armed conflict, use lethal force and be targeted and are entitled to prisoner of war (POW) status if captured (but they remain liable for crimes committed under international criminal law). If civilians, they are protected from attacks unless and for such time as they directly participate in hostilities (Article 51(3) of Additional Protocol I). If captured, they are not entitled to POW status (which means they can be prosecuted for participating in the armed conflict and for any crimes they commit according to national and international criminal law) but they can be detained (Article 5 of Geneva Convention IV). Civilians are defined negatively in IHL as those who are not combatants (Article 5 of Geneva Convention III); consequently defining who is combatant is important. According to Article 4(A) of Geneva Convention III and read in conjunction with Articles 43 and 44 of Additional Protocol I, combatants are members of the regular armed forces of a party to the armed conflict or of militias and volunteer groups incorporated into the armed forces (Article 4(A)(1) of Geneva Convention III); members of militias or volunteers groups who belong to a party to the armed conflict and are commanded by a person responsible for their subordinates; have a fixed distinctive sign; carry arms openly; and conduct their operations in accordance with IHL (Article 4(A)(2) of Geneva Convention III); and individuals who participate in a levée en masse (Article 4(A)(6) of Geneva Convention III).

It may be the case that, after applying these tests, the IT Army comprises a mixture of combatants and civilians and that, of those who are combatants, they fall into different combatancy categories. Be that as it may, our focus in this post is on this latter category and, more specifically, we examine the question of whether any of the participants in the IT Army fulfil the requisite criteria to qualify as a cyber levée en masse and what consequences flow from such a designation. We deal with this category of combatants because the participants in the IT Army are, on the basis of the available information, unlikely to meet the criteria of combatancy under Article 4(A)(1) and (2) of Geneva Convention III and because this category represents a special case of civilians who are treated as combatants while remaining unorganised and with no de jure membership of, or a de facto link with, a party to the armed conflict. We also examine the legal category of levée en masse because it is understudied in IHL. The creation of the IT Army therefore provides a good opportunity to enhance our understanding of how levée en masse applies generally and how it applies to cyber warfare specifically (on the latter see Rule 88 of the Tallinn Manual 2.0).

Levée en Masse

According to Article 4(A)(6) of Geneva Convention III, participants in a levée en masse are ‘inhabitants of a non-occupied territory, who on the approach of the enemy spontaneously take up arms to resist the invading forces, without having had time to form themselves into regular armed units, provided they carry arms openly and respect the laws and customs of war’.

We will now unpack these conditions. In doing so, we explain how they apply to cyber warfare and explore whether any of the participants in the IT Army can constitute a levée en masse. Our underlying premise is that Russia has physically invaded Ukraine; that an international armed conflict between Russia and Ukraine exists; and that participants in the IT Army are participating in the conflict.

The first condition for a levée en masse is spontaneity, which means its participants must react spontaneously to forestall an invasion. Some commentators have claimed that a levée en masse cannot form where the resistance is at the ‘instigation’ of the invaded State (Crawford, here). Instigation implies a causal link with the particular conduct through the exertion of strong compulsion. Instigation can be therefore contrasted with encouragement or invitation by the government, which lack the requisite level of compulsion or persuasive effect –  as the 1960 Commentary explains, levée en masse is also ‘applicable to populations which act in response to an order by their Government’. Thus, even if there was an invitation, encouragement or order by the Ukrainian government, these do not prevent the formation of a levée en masse.

In our view, the critical question is whether the group has been organised by the invaded government. The available information is too sketchy but an invitation, encouragement or order, even when combined with the provision of a list of targets, does not amount to organising the participants.

The second condition is that participants in a levée en masse must be inhabitants of the invaded territory. The question is whether ‘inhabitants’ means citizens/nationals of the invaded State or any person living in the invaded territory. It is submitted that the category of ‘inhabitants’ is not defined on the basis of citizenship/nationality but according to one’s relationship with the invaded territory which needs to be of a fixed and permanent character. Moreover, if citizenship or nationality are required, Geneva Convention III would have explicitly said so as it is the case with other provisions such as Article 4 of Geneva Convention IV. It follows from this that Ukrainian as well as non-Ukrainian citizens/nationals who are inhabitants (but not for example temporary residents) of the invaded territory and decide to resist the invading force can participate in a levée en masse. Ukrainians or non-Ukrainians who are inhabitants of other States are excluded.

The next question is whether non-inhabitants of Ukrainian territory can become inhabitants by joining the IT Army and using Ukrainian infrastructure to conduct cyber attacks. In our opinion, even if Ukrainian cyber infrastructure falls within the definition of Ukrainian territory, the length and nature of their involvement does not have the fixed and permanent character required to designate them as inhabitants.   

This leads to the third condition, which concerns the geographic scope of levée en masse. The locus of levée en masse is unoccupied territory and, for participants in the IT Army to form a levée en masse, their cyber attacks must be designed to forestall the invasion of Russian forces into areas not under Russian occupation. Whether territory is occupied depends on whether Russian forces have substituted their own authority for that of the Ukrainian government over the territory in question, that is, whether the territory is under the effective authority and control of Russian forces (Article 42 of Hague Convention IV; ICJ, Armed Activities, para. 173; Naletilic and Martinovic, paras 217-218). Applying this test to Ukraine, at the time of writing Russian forces have reportedly gained control of Ukrainian territory such as the city of Kherson and, consequently, Russia’s occupation of this territory would prevent its inhabitants from qualifying as a levée en masse. At present, however, the majority of Ukrainian territory is unoccupied. Thus, those participants in the IT Army who are inhabitants of unoccupied territory and who resist the invasion can constitute a levée en masse but since the situation has stabilised one can say that the window of the levée en masse has lapsed. However, if Russia loses control over territory that it has occupied and tries to regain control, a levée en masse can still arise.

Related to the geographical scope is the question of whether cyber attacks on mainland Russia can be justified under levée en masse. In principle, such attacks will not be justified because the traditional and indeed historical rationale of a levée en masse is to forestall the advance of invading forces by confronting them on the frontline. But in order for a cyber levée en masse to prevent the invasion (and taking into consideration the interconnected nature of networks), attacks may need to be directed at cyber infrastructure – for example, command and control systems – on the frontline but also on the mainland if such infrastructure is used to coordinate the invasion. Moreover, even if cyber infrastructure is attacked on the frontline, it may have reverberating effects on the mainland. That said, attacks on Belarusian infrastructure are not permitted. Even if Belarus is complicit in the invasion and its assistance may even render it a co-belligerent, it has not invaded Ukraine.

The fourth condition is that participants should carry their weapons openly. This raises two questions in the context of cyber weapons. First, can the use of computer hardware and software to attack an enemy be a ‘weapon’ for the purposes of levée en masse? This question can be answered in the positive since a weapon can be any instrument that causes harmful effects (ICJ, Nuclear Weapons, para. 39). Second, can cyber weapons be carried ‘openly’? According to the 2020 Commentary to Geneva Convention III (para 1067) which refers back to the commentary on Article 4(A)(2)(c) (paras 1021-1023), ‘openly’ means that combatants must not conceal their weapons during an attack or during the preparation of an attack with a view to feigning civilian status (see also Dinstein, p. 54). However, there are important differences between levées en masse and militias. Militias should satisfy more stringent criteria in order to distinguish them from civilians and be recognised as combatants compared to participants in a levée en masse. For this reason, ‘openly’ in the case of a levée en masse should mean visibly as the 1960 Commentary also states because this is the main (and perhaps only) way to distinguish its participants from protected civilians. How this criterion can be fulfilled with respect to cyber weapons is difficult to say. Laptops, tablets and mobile phones can be carried visibly but not malware, unless it is presumed that they are part of the laptop, tablet or mobile phone. Even then, would this be sufficient to meaningfully distinguish participants of a levée en masse from civilians, given that most civilians are in possession of laptops, tablets and mobile phones? But even if ‘openly’ means that weapons should not be concealed, again it is difficult to see how it can apply to cyber weapons.  

The fifth condition is for participants in the levée en masse to respect the laws and customs of war. The 2020 Commentary to Geneva Convention III again refers back to Article 4(A)(2)(d) (paras 1068 and 1024-1028) concerning militias which should conduct their operations in accordance with the laws and customs of war. Article 4(A)(6) of Geneva Convention III does not, however, mention ‘operations’. Military operations is a broad concept which includes attacks but also other acts. It is also an operational concept which requires a level of organisation. If the unorganised nature of levée en masse is taken into consideration as well as its aim to forestall an ongoing invasion, this condition should be interpreted to mean attacks specifically (Article 49 of Additional Protocol I) rather than operations generally and it will be met if the participants’ cyber attacks cause death, injury or destruction. They will thus fulfil this condition if their attacks are directed against military objectives. Regarding the reported cyber attacks launched by participants in the IT Army, to date they seem to be below the threshold of attack for IHL purposes – for example, DDoS attacks and the defacement of governmental websites do not cause death, injury or destruction. Also, if the published list of targets has any bearing, it includes civilian objects such as banks and businesses and attacking them will breach this condition unless these objects are dual use and the relevant requirements are fulfilled when attacked. Even in this case, however, it is not evident how attacking them can halt or repel the invasion. Furthermore, even if we accept the view that war sustaining objects are legitimate targets (such as banks financing the war), the narrow window within which a levée en masse operates will not justify such attacks.

The preceding discussion demonstrates that participants in the IT Army are unlikely to satisfy the criteria of levée en masse. On this basis, these participants do not enjoy combatant privilege and are not entitled to POW status.

Participants in the IT Army: civilians directly participating in hostilities?

Participants in the IT Army who do not qualify as combatants will be treated as civilians and, as such, they cannot be directly targeted unless and for such time as they directly participate in hostilities. Three criteria determine whether the acts undertaken by civilians constitute direct participation in hostilities: (i) threshold of harm; (ii) direct causation; and (iii) belligerent nexus (see ICRC Interpretive Guidance). The reported attacks – for example, knocking offline websites of the Russian Ministry of Defence – do not fulfil the first criterion because they do not cause death, injury or destruction or adversely affect Russia’s military operations. Cyber operations aimed a collecting intelligence on Russia, or which disrupt its communications or the coordination of personnel and equipment, would perhaps fulfil this criterion, as would acts of cyber sabotage that impair Russia’s military operations. Even if the reported attacks could potentially affect Russia’s military operations, their direct causal link to obstructing the invasion is difficult to establish. While attacks by civilians may cause nuisance and attract criminal charges, this does not make them targetable. If captured, they may be detained for security purposes according to Article 5 of Geneva Convention IV but acting remotely reduces the risk of being captured.

What is the legal situation if civilians are incorporated into the Ukrainian army, or are organised according to the criteria of Article 4(A)(2) of the Geneva Convention III, with the explicit or implicit consent of the Ukrainian government? If this happens, they can lawfully participate in the armed conflict and use lethal force but they can also be directly targeted. They will also be entitled to POW status if captured. What would be the benefit of this state of affairs? The possibility of POW status may be inapplicable since they operate remotely but the main benefit is that they will be clearly distinguished from civilians who would thus be protected from the dangers arising from hostilities. The current ambiguity in status is quite precarious and risky.


Participants in the IT Army will be designated as combatants for the purpose of IHL if they are regular members of the Ukrainian armed forces, irregular forces (such as volunteer groups or militia) or are part of a levée en masse. This post has focused on levée en masse and revealed the difficulties in applying this legal category to participants in cyber groups such as Ukraine’s IT Army. The vast majority of participants in the IT Army will not meet the threshold for levée en masse (or indeed combatancy status more generally) and are thus civilians. As civilians, the crucial question is whether their cyber operations amount to direct participation in hostilities. Cyber attacks that cause death, injury or destruction (for example, causing fighter planes to crash by disabling critical operating systems), or cyber attacks that adversely affect Russia’s military operations (for example, preventing the deployment and movement of troops by disabling communications systems), will constitute direct participation in hostilities. But cyber attacks that do not cause the required level of harm, do not cause direct harm to Russia, or do not have a nexus with the armed conflict do not amount to direct participation in hostilities, with examples being the DDOS attacks against Moscow Stock Exchange and defacing the website of the Russian Space Research Institute.

Print Friendly, PDF & Email

Leave a Comment

Comments for this post are closed