Scenario 10: Legal review of cyber weapons

From International cyber law: interactive toolkit

State A develops new malware capable of physical destruction of enemy military equipment. However, if released, it is also expected to result in the temporary impairment of the use of civilian cyber infrastructure through which it may spread in order to reach its target. This scenario considers State obligations to conduct a weapons review with respect to cyber capabilities of this kind potentially already in peacetime, well before they may actually be deployed in time of armed conflict. In particular, it examines whether such malware constitutes a weapon that is inherently indiscriminate and therefore prohibited by IHL.

Scenario

Keywords

Article 36, cyber weapons, indiscriminate attack, international humanitarian law, malware, methods and means of warfare, weapons review, Stuxnet

Facts

[F1] State A develops new sophisticated malware designed to weaken the military capacity of its adversaries in times of armed conflict. The software is capable of replicating itself through cyber infrastructure.

[F2] Once installed in a host system, the malware assesses it for the presence of a specific programmable logic controller (PLC) used by several States for the purposes of automated maintenance of military equipment. If it does not detect this specific PLC in a given host system, it attempts to further spread through any connected networks and then it shuts itself down in that particular host system. However, if the detection is positive, the malware uses a vulnerability in the PLC to slightly alter the maintenance process.

[F3] The effect of this alteration is that instead of servicing the equipment in question, the maintenance machines damage it and thus render it unusable. Tests in a controlled environment show that whenever the malware is installed in a host system, it causes it to significantly slow down for a short period of time. However, it is not expected to cause physical damage unless the target PLC is detected in a specific host system.

Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario examines State obligations to conduct a legal review with respect to cyber capabilities they may develop or acquire. In the first place, it considers whether malware capable of physical destruction qualifies as a weapon, means or method of warfare. This is especially significant because classifying a capability as a weapon, means or method of warfare means that its employment must comply with the relevant rules of IHL. The analysis then focusses on the question whether such malware would be considered as inherently indiscriminate and therefore prohibited by IHL.

Legal review of cyber weapons, means and methods of warfare
The requirement that the legality of all new weapons, means and methods of warfare be systematically assessed is arguably one that applies to all States. It flows logically from the truism that States are prohibited from using illegal weapons, means and methods of warfare or from using weapons, means and methods of warfare in an illegal manner.[1] It is also widely considered, including by the ICRC, that a requirement to carry out legal reviews of new weapons, means and methods of warfare also flows from the obligation to ensure respect for IHL.[2] In addition, with respect to State parties to Additional Protocol I, Article 36 of that instrument mandates that “[i]n the study, development, acquisition or adoption of a new weapon, means or method of warfare,” States must determine whether its employment would, in some or all circumstances, be prohibited under IHL or any other applicable rule of international law.[3] It has been argued that the Article 36 obligation represents customary international law,[4] but this view is not universally accepted.[5]

The mere fact of a weapon’s novelty or its reliance on new technology does not automatically mean that the weapon is illegal.[6] Similarly, the lack of general practice by States in using the new weapon is irrelevant as to its legality under IHL.[7] In determining the weapon’s lawfulness, the State in question must therefore assess those rules of IHL that are binding on the State – be they treaty-based or customary.[8] Additionally, all States remain subject to the so-called Martens Clause,[9] which reinforces the notion that the lawfulness of a new weapon must be assessed under customary international law according to the principles of humanity and the requirements of public conscience.[10] It is unsettled whether this consideration must take the form of a formal legal review.[11] Nevertheless, legal review of new weapons conducted at the earliest possible stage is a critical measure to ensure compliance with the applicable IHL rules. It also helps prevent the costly consequences of approving and procuring a weapon the use of which is likely to be restricted or prohibited.[12]

Although the precise definition of a “cyber weapon” is unsettled as yet,[13] at the very least, all cyber tools capable of conducting “attacks” as understood in IHL, that is, acts of violence against the adversary whether in offence or in defence,[14] should be considered to qualify as cyber weapons,[15] thus falling under the principle that IHL applies to “all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future”.[16] For State parties to Additional Protocol I, the obligation extends to the early stages of studying and developing a new cyber capability, be it a cyber weapon, means or method of warfare; these States must conduct a legal review; and the scope of the applicable legal framework includes the entirety of international law, not just the rules of IHL.[17]

In reviewing the lawfulness of a new weapon, means or method of warfare, States must first consider whether its employment is specifically prohibited or restricted by treaty-based or customary IHL.[18] Although no prohibitions of this kind exist at present with respect to cyber capabilities, this may well change in the future. In particular, there is recurring talk of States entering into “cyber arms control treaties” or agreeing to specific limitations on the development and use of cyber offensive capabilities. If formulated as binding prohibitions, these may prevent States from utilizing capabilities falling under the remit of such rules.

If no specific prohibition or restriction is found to apply, the cyber weapon, means or method of warfare in question must be assessed in light of the general prohibitions or restrictions under IHL that bind the State, be they treaty-based or customary. These include, in particular, the prohibition of weapons, means and methods of warfare that are of a nature to cause superfluous injury or unnecessary suffering[19] and the prohibition of means and methods of warfare that are by nature indiscriminate.[20] In addition, a weapon or means of warfare cannot be assessed in isolation from the manner in which it is expected to be used in the battlefield. States should therefore determine if the employment of a weapon for its normal or expected use would be prohibited by IHL under some or all circumstances.[21]

Publicly available national positions that address this issue include: National position of Brazil (2021), National position of Brazil (2021) (2022), National position of Costa Rica (2023), National position of the Czech Republic (2024), National position of Germany (2021), National position of Switzerland (2021), National position of the United States of America (2012).

[L2] In the present scenario, the malware developed by State A would qualify as a “cyber weapon” due to its ability to produce physical destruction, which is an effect that qualifies as “violence against the adversary”.[22] State A would accordingly be under a duty to ensure that the use of this malware complies with its international obligations. This is so irrespective of whether State A is currently involved in any armed conflict or not. If State A has ratified Additional Protocol I, its duties would additionally extend to conducting a legal review to determine if the employment of the malware would be in compliance with all applicable rules of international law.

[L3] There is no indication that the malware’s employment would cause any injury to persons, thus rendering inapplicable the rules on superfluous injury or unnecessary suffering.[23]

[L4] By contrast, the fact that the malware is not designed to distinguish between civilian and military infrastructure while en route to its intended target raises questions of its compatibility with the prohibition of inherently indiscriminate means and methods of warfare. A weapon is inherently indiscriminate if it is of a nature to strike military objectives and civilian objects without distinction, because it either (1) cannot be directed at a specific military objective,[24] or (2) its effects cannot be limited as required by IHL.[25]

[L5] State A’s malware appears not to fall into the first category given that it is specifically designed to target the PLCs controlling military equipment, which would normally qualify as a military objective under IHL.[26]

[L6] However, with respect to the second category, it is material that the effects of the malware are not limited solely to the intended military objective and, moreover, that these effects are not wholly under State A’s control. Once released, the malware can spread through civilian infrastructure and can be expected to temporarily impair the ordinary use of infected civilian host systems. Accordingly, State A must assess the extent of the effects on the civilian cyber infrastructure caused by the malware if it was used in a normal way, as anticipated at the time of the evaluation.[27] Overall, the assessment must take into account all relevant circumstances and the reasonable expectations of the deploying State.[28]

[L7] What is crucial is whether these effects would, if considered on their own, amount to attacks against the affected cyber infrastructure. As long as they do not exceed mere inconvenience or annoyance to the users, from the perspective of IHL they would remain below the threshold of attack.[29] Consequently, the normal and expected use of the weapon would not involve attacks against civilian objects, and therefore the weapon would not be of a nature to strike military objectives and civilian objects without distinction.[30] By contrast, if the spread of the malware would inevitably cause harm exceeding the threshold of attack in the civilian networks through which it propagates, it would violate this prohibition.[31]

[L8] In addition, the State should assess the effectiveness of safeguards built into the malware that would enable it to control its spread once deployed. For example, the malware could be designed to include a “kill switch” which, if activated, immediately stops the malware from spreading further. The presence of an effective “kill switch” ensures that the attacker remains capable of limiting the effects of the malware in particular circumstances if the need arises—for instance, if the malware starts spreading in a way that was not anticipated by its authors. In other words, such a safeguard will enable the attacker to limit the indiscriminate effects of the cyber weapon in case it malfunctions or operates in an unexpected manner.[32] Its presence may further bolster the conclusion that the malware developed by State A is not indiscriminate by nature.[33]

Checklist

  • Is the State in question a State party to Additional Protocol I?
  • Does the malware qualify as a weapon under IHL?
  • Does the malware violate any specific international law prohibition on its use?
  • Is the malware capable of causing injury to persons? If so, is it of a nature to cause superfluous injury or unnecessary suffering?
  • Is the malware by nature indiscriminate?
  • What is the probability that the target PLC would be accidentally discovered in a non-military host system?
  • Does the malware contain a “kill switch” which, if activated, would stop the malware from spreading further?

Appendixes

Notes and references

  1. ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 4.
  2. ICRC, International Humanitarian Law and the Challenges of Contemporary Armed Conflicts: Recommitting to Protection in Armed Conflict on the 70th Anniversary of the Geneva Conventions (October 2019) 34 (“In the ICRC’s view, the requirement to carry out legal review of new weapons also flows from the obligation to ensure respect for IHL under Article 1 common to the Geneva Conventions.”). This view is shared by a number of States. See, Australia, The Australian Article 36 review process, working paper submitted to the Group of Government Experts of the High Contracting Parties to the Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May be Deemed to be Excessively Injurious or to Have Indiscriminate Effects (CCW), 2018, para. 3; The Netherlands and Switzerland, Weapons review mechanisms, working paper submitted to the CCW, 2017, para. 17. See also Tallinn Manual 2.0, commentary to rule 110, para 2.
  3. Article 36 AP I.
  4. See, eg, Duncan Blake and Joseph S. Imburgia, ‘“Bloodless Weapons”? The need to conduct legal review of certain capabilities and the implications of defining them as “weapons”’, (2010) 66 AFLRev 157, 163–64; see also, William H Boothby, Weapons and the Law of Armed Conflict (2nd edn, OUP 2016) 342–43 (“For states that are not party to AP1, the implied obligation should not necessarily be expressed in the same terms as article 36, but its existence is attested to by the practice of certain states before the adoption of AP1”).
  5. See Tallinn Manual 2.0, commentary to rule 110, para 2; see also Natalia Jevglevskaja, ‘Weapons Review Obligation under Customary International Law’ (2018) 94 International Law Studies 186, 220.
  6. See, eg, US DoD Law of War Manual, para 6.2.1.
  7. David Wallace, ‘Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis’ (2018) Tallinn Paper No. 11, 9.
  8. ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 10.
  9. For a modern formulation of the Martens Clause, see Art 1(2) AP I (“In cases not covered by this Protocol or by other international agreements, civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity and from dictates of public conscience.”). See also ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 17 para 1.2.2.3.
  10. David Wallace, ‘Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis’ (2018) Tallinn Paper No. 11, 9.
  11. See Tallinn Manual 2.0, commentary to rule 110, para 4. According to the majority of the International Group of Experts, it would suffice for the State to seek the advice of a legal advisor at the relevant level of command.
  12. ICRC, International Humanitarian Law and the Challenges of Contemporary Armed Conflicts: Recommitting to Protection in Armed Conflict on the 70th Anniversary of the Geneva Conventions (October 2019) 34-35; see also ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 11.
  13. See, eg, Gary D. Brown and Andrew O. Metcalf, ‘Easier Said Than Done: Legal Reviews of Cyber Weapons’ (2014) 7 JNSLP 115, 135 (defining a kinetic and/or a cyber weapon as “an object designed for, and developed or obtained for, the primary purpose of killing, maiming, injuring, damaging or destroying”); Tallinn Manual 2.0, rule 103, para 2 (“cyber weapons are cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects”); Air Force Instruction 51-401 (3 August 2018) 13 (defining a cyber capability as “any device, computer program or computer script, including any combination of software, firmware or hardware intended to deny, disrupt, degrade, destroy or manipulate adversarial target information, information systems, or networks”).
  14. Art 49 AP I.
  15. Tallinn Manual 2.0, rule 103, para 2; but see Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 218 (arguing that “code used in hostile cyber operations does not qualify as a means of warfare”) and 219 (characterizing “cyber operations as a method of warfare”) (emphasis added). See further Scenario 22: Cyber methods of warfare (discussing the implications of these different views from an IHL perspective).
  16. Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226, para 86.
  17. ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 5, 10-11, 20, and 23-24; see also Tallinn Manual 2.0, commentary to rule 110, para 6.
  18. Examples of such specific prohibitions include the general ban on the use of chemical or biological weapons.
  19. Art 23(e) Hague Regulations; Art 35(2) AP I; ICRC CIHL Study, rule 70; Tallinn Manual 2.0, rule 104. See also ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 15-16, paras 1.2.2.1-1.2.2.2.
  20. Art 51(4)(b) AP I; ICRC CIHL Study, rules 12 and 71; Tallinn Manual 2.0, rule 105; see also ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 15-16, paras 1.2.2.1-1.2.2.2; and US DoD Manual, para 16.6 (“a legal review of the acquisition or procurement of a weapon that employs cyber capabilities likely would assess whether the weapon is inherently indiscriminate”).
  21. ICRC, A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977 (Kathleen Lawand ed.) (ICRC 2006) 10.
  22. Art 49(1) AP I.
  23. Although it is unusual for cyber capabilities to implicate the prohibition of superfluous injury or unnecessary suffering, it is not wholly inconceivable. Cf. Tallinn Manual 2.0, commentary to rule 104, para 6 (proposing, in this regard, the example of remotely taking control of a target’s pacemaker device to stop his “heart and then reviving him multiple times before finally killing him”).
  24. Art 51(4)(b) AP I.
  25. Art 51(4)(c) AP I.
  26. See Art 52(2) AP I (“In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.”).
  27. Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (ICRC 1987) 423 para 1466.
  28. Tallinn Manual 2.0, commentary to rule 104, para 5.
  29. See Humanitarian Policy and Conflict Research, Manual on International Law Applicable to Air and Missile Warfare (CUP 2013) rule 1(e), commentary para 7 (‘the term “attack” does not encompass [cyber operations] that result in an inconvenience’); Michael N Schmitt, ‘Wired Warfare: Computer Network Attack and Jus in Bello’ (2002) 84 IRRC 365, 377 (arguing that “inconvenience, harassment or mere diminishment in quality of life” does not qualify as a violent consequence that would bring an act within the ambit of “attack” under IHL); Cordula Droege, ‘Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians’ (2012) 94 IRRC 533, 560 (acknowledging the merits of the argument according to which a cyber operation that causes mere inconvenience cannot amount to an attack).
  30. See also Tallinn Manual 2.0, commentary to rule 105, para 5 (considering that “Stuxnet-like malware that spreads widely into civilian systems, but only damages specific enemy technical equipment” would not violate this prohibition).
  31. Tallinn Manual 2.0, commentary to rule 105, para 4.
  32. See also ICRC, Avoiding Civilian Harm from Military Cyber Operations during Armed Conflicts (ICRC 2021) 30 (recommending the use of kill switches in the development of military cyber capabilities to reduce the risk of civilian harm posed by such capabilities).
  33. Cf. also Tallinn Manual 2.0, commentary to rule 105, para 4 (“To the extent the effects of the means or method of warfare can be limited in particular circumstances, it does not violate [this prohibition].”).
