In 2017, hospital workers across the entire National Health Service of England stared helplessly at malfunctioning screens: unable to access patient records, authorize treatments, or even dispense medication. The enemy? Not a bomb or a bullet, but a system bug, a packet of malware. The WannaCry ransom attack transcended large-scale computer vulnerabilities into tangible physical harm: patients went undiagnosed, surgeries were cancelled, and ambulances rerouted to hospitals already over capacity.
Today, wars spill out of trenches and onto fiber optic cables, and the consequences for ordinary people are as far-reaching in scope as any conventional conflict, if not more personally intrusive. The generation living through cyber warfare is threatened by declining public trust, degraded personal dignity, and destabilized communities. Without intervention, the line between conflict and daily life will dissolve entirely; digital infrastructure will fuel kinetic attacks and social media platforms will continue to serve as tools for intelligence operations.
When Cyber Becomes Catastrophic for Civilians
Over the past decade, cyber operations have increasingly targeted critical civilian infrastructure (e.g., energy grids, hospitals, communication networks), blurring traditional distinctions between military and civilian domains. The WannaCry attack exemplifies this trend: cyberattacks trigger psychological distress at levels comparable to conventional warfare by targeting symbols of stability in society, generating cascading harms that ripple far beyond affected systems. When millions of NHS patient records went dark, the British public didn’t just lose access to healthcare– they lost faith that the systems undergirding daily emergencies could be trusted. The pixels on a nurse’s frozen screen became, for millions of people, proof that the infrastructure they depend on is fragile enough to be weaponized.
When government systems collapse or personal data spills online, the resulting fear and institutional distrust create political pressure for retaliation and expanded operations. This produces a vicious cycle: governments respond by tightening control for security reasons but further erode the public trust they were attempting to restore. Civilians caught between escalating tensions bear the cumulative psychological burden — anxiety that breeds cynicism, resentment, and political polarization.
The Gamification Problem: When War Becomes Sport
The emergence of remote and automated warfare has collapsed the distance between operator and consequence. In Ukraine, FPV drone pilots stream their kill feeds on Telegram — footage scored with music, overlaid with crosshairs, and shared like highlight reels. The interface looks indistinguishable from a video game, but the explosions are real, and the fatalities are real. What begins as pixels on a screen lands as a projectile in someone’s trench.
This same dynamic extends into cyberspace, where the normalization of civilian hacktivism has fundamentally altered who wages war. Ukraine’s IT Army — a largely decentralized, volunteer-driven operation — recruited over 200,000 digital participants to disrupt Russian financial and military networks. Volunteers launched denial-of-service attacks against Russian banks, probed critical infrastructure control systems, and breached satellite and surveillance companies, all from their living rooms, all tracked on leaderboards. On one level, this represents technological democratization. On another, it signals something deeply troubling: when warfare is gamified — tracked like scores and celebrated as trophies — perpetrators build psychological distance from the human wreckage on the other side of the screen.
For victims, however, the impact of war grows larger as cyber operations now entangles everyday users as both targets and potential participants. The International Committee of the Red Cross warns that “an unprecedented number of civilians is becoming involved in armed conflicts through digital means”. The line between civilian and combatant is increasingly ambiguous in this domain, and if that distinction collapses entirely, civilian protections collapse with it. Victims suffer not only infrastructure failures but also breaches of trust—knowing their systems, data, and digital lives have been targeted and exploited for sport. Such attacks deepen mistrust beyond what is seen in kinetically justified warfare, acting as powerful tools of psychological warfare and propaganda.
Surveillance and the Weaponization of Privacy
Mass data collection has become a tool of statecraft. In Xinjiang, Uyghurs pass through checkpoints every few hundred meters where police scan their phones against a government master list of 50,000 files deemed “extremist”, a category broad enough to include a downloaded copy of the Quran. Between 2017 and 2018, police in Urumqi alone conducted nearly 11 million searches of 1.2 million mobile phones. This is what mass surveillance looks like at the individual level: not an abstract policy debate, but a person handing their unlocked phone to an officer and hoping today’s search will end in a subjective interrogation. Privacy is foundational to human autonomy and dignity, yet governments now conduct indiscriminate cyber-espionage at scales that fundamentally erode personal autonomy. When states access, profile, and target individuals based on digital footprints, they chill political dissent, marginalize minority groups, and structurally reshape social relationships.
Ilia Siatitsa of Privacy International succinctly describes the dynamic as: “Mass surveillance gives governments unprecedented power over us. Knowledge is power”. Once governments possess comprehensive knowledge of citizens’ digital lives, they gain the ability to influence behavior without overt repression. Autonomy withers not through dramatic suppression, but through quiet self-surveillance, the slow internalization of the knowledge that someone, somewhere, may be watching.
This erosion of privacy is not merely a civil liberties concern; it is a security paradox. The ICRC cautions that “when civilian digital infrastructure becomes instrumental to military operations, it may also become a military objective”. The more governments integrate civilian digital systems into their intelligence and military apparatus, the more those systems — and the people who depend on them — become legitimate targets. Policymakers must confront this paradox directly: the pursuit of security through mass surveillance may ultimately make civilians less safe.
Response
The scale of these violations demands a legal response, but the frameworks proposed so far have largely recycled the institutional machinery that failed to prevent the crisis in the first place. Three developments, however, suggest the contours of a more adequate approach.
First, international humanitarian law must expand its definition of harm. Legal scholar Solon Solomon of Brunel University argues that psychological suffering inflicted by cyberattacks must be incorporated into IHL’s proportionality calculations — the legal standard that weighs anticipated military advantage against expected civilian harm. Under current interpretations, a cyberattack that causes widespread psychological trauma, institutional paralysis, and erosion of public trust but no physical casualties may not technically violate proportionality at all. Solomon’s argument is that this gap renders the law blind to the most characteristic harms of cyber conflict. If psychological damage counts in proportionality assessments, states can no longer launch disruptive cyber operations and claim they caused “no real harm.”
Second, the attribution problem must be addressed. Without reliable mechanisms for identifying who launched a cyberattack, legal accountability remains theoretical. Albania’s response to Iranian cyber operations in 2022 illustrates both the potential and the limitations of existing tools. Prime Minister Edi Rama compared the attack to “bombing a country”, ninety-five percent of Albania’s government services were delivered online, and when Iranian state hackers took them down, daily operations halted at government offices across the entire nation. After an investigation attributed the attacks to Iranian state actors, Albania severed diplomatic ties, the first time any nation had done so over a cyberattack, and internally weighed invoking NATO’s Article 5 collective defense clause. Although, Albania chose not to trigger Article 5, in part because the attacks caused no deaths or permanent destruction of systems, it is a matter of time. The episode underscores a critical gap: the threshold for collective response remains undefined, and nations suffering severe but non-lethal cyber harm have few established avenues for proportional recourse.
Third, civilian digital infrastructure needs affirmative protection, not just legal prohibition. The International Committee of the Red Cross has proposed the creation of digital emblems — cyber analogs to the physical Red Cross — that would mark the digital infrastructure of hospitals, humanitarian organizations, and other protected entities as off-limits during armed conflict. Working with ETH Zurich and Johns Hopkins University, the ICRC has developed a prototype system called the Authenticated Digital Emblem (ADEM), which uses certificate chains to signal protected status across internet protocols. In 2024, the 34th International Conference of the Red Cross and Red Crescent adopted by consensus a resolution encouraging continued development of the digital emblem, and the project is now under discussion at the Internet Engineering Task Force. These emblems matter because they make explicit what cyber operations obscure: that civilian infrastructure deserves sanctuary, and that the obligation to distinguish between military and civilian targets applies as much in cyberspace as on any battlefield.
No single reform will be sufficient. But taken together — expanding the legal definition of harm, building credible attribution capacity, and creating visible markers of civilian protection in digital space — these developments represent a coherent shift from treating cyberattacks as technical anomalies to recognizing them as humanitarian crises.
If the global community fails to make this shift, the accumulated psychological damage will compound silently — spreading through institutions and communities until the underlying fabric of civic life is too weakened to hold. Societies risk hollowing from within: not through dramatic collapse, but through the gradual erosion of trust, the quiet death of civic participation, and the internalization of fear.
The cost of inaction should not be measured in lost data or downtime. It will be measured in lost confidence in institutions, fractured communities, and the normalization of a world in which the digital backbone of modern life can be weaponized at will. The choice is stark: implement nuanced international frameworks that preserve the distinction between military necessity and civilian rights, or accept a future where the price of conflict is the decay of digital civilization itself.