When shells fall and servers flicker at the same moment, the temptation to treat code as a shortcut around the law grows strongest, yet the hard-earned logic of international humanitarian law (IHL) remains the surest compass for military planners faced with alluring but risky digital options. The fresh pitch to be “responsibly irresponsible” in wartime cyber operations has gained attention by suggesting that more aggressive, less constrained hacking would produce decisive battlefield advantages. That claim asks governments to accept legal risk, widen target sets to include civilian infrastructure, and enlist civilians and volunteers for offensive tasks. A closer look at law, strategy, and the empirical record tells a different story: IHL already governs cyber operations in armed conflict, the principle of distinction still holds online, and turning civilians into combatants by keyboard invites harm without delivering commensurate payoff. A responsibly responsible path exists—one that uses cyber power within legal limits, avoids ad hoc civilian mobilization, and, when civilian expertise is essential, brings it inside accountable command structures.
Cyber’s Real Value in High-Intensity War
Calls to loosen legal limits often lean on the premise that cyber operations can tip the scales in protracted, high-intensity conflict, but recent research has cut against that assumption by finding cyber effects frequently marginal in attritional wars. Matthew Calabria’s 2025 study crystallized an emerging view across military scholarship: against entrenched, adaptive adversaries, bursts of disruption rarely translate into lasting operational advantage, and often degrade under the pressure of redundancy, repair, and analog fallback. That does not make cyber irrelevant; it narrows its utility. Intelligence collection, deception, and precise interference against clearly military systems can matter. Yet the idea that victory requires pushing past legal boundaries conflates ambition with evidence and invites overreach that a disciplined force may later regret.
This reassessment aligns with a broader trend among practitioners who have watched initial cyber impacts dissipate as conflicts drag on and logistics, artillery, and manpower reassert primacy. Moreover, cyber operations carry opportunity costs: tasking scarce specialists, burning expensive accesses, and risking sensitive tools for effects that may be short-lived. When the marginal gain is small, legal risk becomes harder to justify, especially if compliance already permits a range of useful actions. The pragmatic conclusion is straightforward. If cyber’s decisive value in high-intensity warfare is contested, the case for diluting legal norms to chase speculative advantage weakens, not strengthens, and strategy should adjust to that reality rather than wish it away.
IHL Is Built for War, Not Fantasy
The suggestion that IHL is utopian or detached from battlefield realities misunderstands its pedigree and purpose, because the law of armed conflict was forged by states and soldiers to reconcile military necessity with humanitarian protection. Far from a peacetime abstraction, its rules grew out of wartime experience, tested and refined to preserve combat effectiveness while constraining needless suffering. The digital domain does not erase that lineage. Principles like distinction, proportionality, and precautions in attack translate to cyber, even if the technical assessment of effects requires new methods and better intelligence. The old claim that necessity overrides law—the notorious Kriegsraison—failed in earlier eras and fares no better online.
Importantly, IHL is not an operational straitjacket for cyber forces. Many effective actions already fit comfortably within the rules: disrupting software directly integral to weapons systems, degrading battlefield communications of a military unit, or accessing surveillance cameras to improve targeting and force protection. These operations target military objectives and can be planned with proportionality and precaution in mind. Portraying compliance as an obstacle ignores that tailored, lawful cyber operations can support maneuver, protect troops, and shape the fight without dragging civilian systems into the line of fire. The choice is not between impotence and illegality; it is between disciplined effectiveness and strategically costly shortcuts.
Civilian Infrastructure Remains Off-Limits
Pressure to expand target sets to include banks, internet service providers, supermarkets, and online platforms runs headlong into black-letter law, because the principle of distinction bars attacks against civilian objects under Article 52(1) of Additional Protocol I and customary IHL. The semantics of what counts as an “attack” in cyberspace continue to be debated at the margins, but operations that disable, destroy, or otherwise produce harmful effects meeting the attack threshold are plainly captured. A cyber operation that wipes financial records, cuts power distribution to homes, or disables logistics software for civilian supply chains cannot be laundered into lawfulness by pointing to its digital means. The rules are technology-neutral: harmful consequences to civilian objects are prohibited, regardless of whether the vector is a shell or a script.
The human costs make the legal logic concrete. A malicious data wipe that erases savings deepens poverty overnight; a corrupted inventory system prevents pharmacies from dispensing medication; a disrupted payment processor stalls wages and food deliveries; an ISP outage severs access to emergency services. These harms cascade across vulnerable populations, including children, the elderly, and the sick, foiling evacuation plans, medical care, and basic subsistence. Cyber’s intangible veneer can obscure very tangible suffering, which is why professional and legal communities have insisted that civilian infrastructure remains protected in both code and steel. Turning civilian networks into fair game would not only flirt with war crimes; it would normalize a form of warfare that exacts high civilian tolls for dubious military return.
Compliance as a Strategic Asset
Adherence to IHL does more than avoid prosecution; it builds disciplined forces that perform better under stress, because law internalized through training and command practice sharpens judgment, reduces friction, and curbs counterproductive excess. Units that respect rules of engagement tend to plan more precisely and execute more reliably, preserving scarce accesses and minimizing noisy mistakes that telegraph intent. In the cyber realm, where stealth and timing are often central, that discipline translates into operational dividends. Moreover, compliance enhances legitimacy at home and abroad, bolstering political support, coalition cohesion, and the credibility needed to counter adversary propaganda and disinformation in contested information environments.
Strategically, lawful conduct also shapes the postwar terrain. Violations fuel grievances, empower spoilers, and complicate transitional justice, while a record of restraint eases reconciliation and reconstruction. States that keep cyber operations within legal limits preserve reputational capital and reduce the risk that commanders, operators, or policymakers face personal legal exposure. These are not abstract benefits. They affect access to intelligence sharing, interoperability with partners, and influence in setting international norms. The choice to comply becomes part of grand strategy: it helps win the peace even as it guides the fight, paying returns that often outweigh the fleeting gains offered by unlawful shortcuts.
Civilians in the Fight: Legal Risks, Duties, and Pitfalls
The proposal to mobilize hacktivists and civilian volunteers for offensive cyber operations brings significant legal danger, because under IHL civilians are protected “unless and for such time as” they directly participate in hostilities. Encouraging civilians to conduct intrusions, disruptive attacks, or destructive actions can qualify as direct participation, stripping them of protection and making them lawful targets for the adversary. The International Committee of the Red Cross and the Geneva Academy have warned, after multiyear consultations, that such mobilization creates serious risks that responsible states should avoid. The problem compounds when children or students are incentivized to join online campaigns, given clear legal prohibitions on involving them in hostilities.
Beyond status, states owe positive duties that contradict calls to recruit civilians into offensive roles. The duty of constant care to spare the civilian population from the effects of hostilities, obligations to respect the right to life of persons under their jurisdiction, and responsibilities to prevent children from taking direct part in hostilities sit uneasily with any plan to unleash ad hoc volunteer battalions online. Practicalities magnify the legal issues. Volunteers operating outside formal command tend to generate operational noise, collide with ongoing covert efforts, and ignore rules of engagement. Skill levels vary widely, compliance is untested, and accountability is thin. These weaknesses increase collateral risk and escalation potential, while creating a post-conflict hazard that civilian groups habituated to unlawful activity morph into cybercriminal networks.
Responsible Integration and Policy Priorities
Rejecting ad hoc mobilization does not mean wasting civilian talent, because responsible pathways exist to harness expertise without sacrificing law or control. The most credible models integrate specialists into reserve, auxiliary, or affiliated units subject to military discipline, clear status, and legal training. Estonia’s Cyber Defence Unit has offered one example: vetted professionals embedded under defined command relationships, operating within legal boundaries, and focused on missions aligned with national defense. Similar structured approaches have emerged or been explored in Italy and Ukraine. These arrangements clarify rights and obligations, ensure oversight, and reduce the risk that well-meaning volunteers stumble into direct participation without understanding the consequences.
Policy should reflect these realities. Governments should codify IHL’s application to cyber in doctrine and targeting processes; train operators to distinguish military from civilian objects in networks; and adapt proportionality and precaution assessments to account for reverberating digital effects. If civilian expertise is indispensable, authorities should vet recruits, define roles, provide IHL instruction, and enforce chains of command and accountability. At the international level, states should continue supporting expert processes refining shared understandings of what constitutes an attack in cyberspace and how to assess incidental harm across borders. As for the counterargument, frustration with lawless adversaries is understandable, and some celebrated cyber actions will already be lawful. But expanding target sets to civilian infrastructure or rallying hacktivists courts civilian harm, legal exposure, and strategic blowback that far outweigh any supposed gains.
Charting a Lawful Cyber Posture
The most sustainable response to contemporary cyber conflict had been to double down on law, not to abandon it, because civilian infrastructure remained protected, and civilians were not to be pushed into direct participation in hostilities by keyboard or code. The practical way to tap scarce expertise had been through structured integration under formal command, with vetting, training, oversight, and accountability built in from the start. Forces that internalized these principles performed with more precision, retained legitimacy under scrutiny, and entered post-conflict transitions with fewer liabilities. The task ahead had involved refining targeting methodologies for complex networks, improving intelligence on cascading effects, and investing in operator education that fused technical mastery with legal rigor, so that speed and restraint could coexist.
Actionable priorities had followed: align cyber doctrine with IHL at every echelon; reinforce legal review of cyber capabilities and plans; stand up or strengthen auxiliary structures for vetted civilian specialists; and resist political pressures to treat banks, ISPs, or retail platforms as fair game. Internationally, states had gained from deepening consultations with the ICRC and academic partners to clarify contested points and solidify confidence-building measures that reduced miscalculation. The debate had shifted from romanticizing “responsibly irresponsible” gambits to building responsibly responsible institutions. That shift preserved strategic advantage without sacrificing the rule-of-law identity that distinguished lawful states from the lawlessness they opposed, and it offered a credible roadmap for cyber power that protected civilians while still serving military necessity.
