Scenario 10: Legal review of cyber weapons

State A develops new malware capable of physical destruction of enemy military equipment. However, if released, it is also expected to result in the temporary impairment of the use of civilian cyber infrastructure through which it may spread in order to reach its target. This scenario considers State obligations to conduct a weapons review with respect to cyber capabilities of this kind potentially already in peacetime, well before they may actually be deployed in time of armed conflict. In particular, it examines whether such malware constitutes a weapon that is inherently indiscriminate and therefore prohibited by IHL.

Keywords
Article 36, cyber weapons, indiscriminate attack, international humanitarian law, malware, methods and means of warfare, weapons review, Stuxnet

Facts
[F1] State A develops new sophisticated malware designed to weaken the military capacity of its adversaries in times of armed conflict. The software is capable of replicating itself through cyber infrastructure.

[F2] Once installed in a host system, the malware assesses it for the presence of a specific programmable logic controller (PLC) used by several States for the purposes of automated maintenance of military equipment. If it does not detect this specific PLC in a given host system, it attempts to further spread through any connected networks and then it shuts itself down in that particular host system. However, if the detection is positive, the malware uses a vulnerability in the PLC to slightly alter the maintenance process.

[F3] The effect of this alteration is that instead of servicing the equipment in question, the maintenance machines damage it and thus render it unusable. Tests in a controlled environment show that whenever the malware is installed in a host system, it causes that system to slow down significantly for a short period of time. However, it is not expected to cause physical damage unless the target PLC is detected in a specific host system.

Examples

 * Industroyer – Crash Override (2016)
 * Stuxnet (2010)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The analysis in this scenario examines State obligations to conduct a legal review with respect to cyber capabilities they may develop or acquire. In the first place, it considers whether malware capable of physical destruction qualifies as a weapon, means or method of warfare. This is especially significant because classifying a capability as a weapon, means or method of warfare means that its employment must comply with the relevant rules of IHL. The analysis then focusses on the question whether such malware would be considered as inherently indiscriminate and therefore prohibited by IHL.

[L2] In the present scenario, the malware developed by State A would qualify as a “cyber weapon” due to its ability to produce physical destruction, which is an effect that qualifies as “violence against the adversary”. State A would accordingly be under a duty to ensure that the use of this malware complies with its international obligations. This is so irrespective of whether State A is currently involved in any armed conflict or not. If State A has ratified Additional Protocol I, its duties would additionally extend to conducting a legal review to determine if the employment of the malware would be in compliance with all applicable rules of international law.

[L3] There is no indication that the malware’s employment would cause any injury to persons, thus rendering inapplicable the rules on superfluous injury or unnecessary suffering.

[L4] By contrast, the fact that the malware is not designed to distinguish between civilian and military infrastructure while en route to its intended target raises questions of its compatibility with the prohibition of inherently indiscriminate means and methods of warfare. A weapon is inherently indiscriminate if it is of a nature to strike military objectives and civilian objects without distinction, because it either (1) cannot be directed at a specific military objective, or (2) its effects cannot be limited as required by IHL.

[L5] State A’s malware appears not to fall into the first category given that it is specifically designed to target the PLCs controlling military equipment, which would normally qualify as a military objective under IHL.

[L6] However, with respect to the second category, it is material that the effects of the malware are not limited solely to the intended military objective and, moreover, that these effects are not wholly under State A’s control. Once released, the malware can spread through civilian infrastructure and can be expected to temporarily impair the ordinary use of infected civilian host systems. Accordingly, State A must assess the extent of the effects on the civilian cyber infrastructure caused by the malware if it was used in a normal way, as anticipated at the time of the evaluation. Overall, the assessment must take into account all relevant circumstances and the reasonable expectations of the deploying State.

[L7] What is crucial is whether these effects would, if considered on their own, amount to attacks against the affected cyber infrastructure. As long as they do not exceed mere inconvenience or annoyance to the users, from the perspective of IHL they would remain below the threshold of attack. Consequently, the normal and expected use of the weapon would not involve attacks against civilian objects, and therefore the weapon would not be of a nature to strike military objectives and civilian objects without distinction. By contrast, if the spread of the malware would inevitably cause harm exceeding the threshold of attack in the civilian networks through which it propagates, it would violate this prohibition.

[L8] In addition, the State should assess the effectiveness of safeguards built into the malware that would enable it to control its spread once deployed. For example, the malware could be designed to include a “kill switch” which, if activated, immediately stops the malware from spreading further. The presence of an effective “kill switch” ensures that the attacker remains capable of limiting the effects of the malware in particular circumstances if the need arises—for instance, if the malware starts spreading in a way that was not anticipated by its authors. In other words, such a safeguard will enable the attacker to limit the indiscriminate effects of the cyber weapon in case it malfunctions or operates in an unexpected manner. Its presence may further bolster the conclusion that the malware developed by State A is not indiscriminate by nature.

Checklist

 * Is the State in question a State party to Additional Protocol I?
 * Does the malware qualify as a weapon under IHL?
 * Does the malware violate any specific international law prohibition on its use?
 * Is the malware capable of causing injury to persons? If so, is it of a nature to cause superfluous injury or unnecessary suffering?
 * Is the malware by nature indiscriminate?
 * What is the probability that the target PLC would be accidentally discovered in a non-military host system?
 * Does the malware contain a “kill switch” which, if activated, would stop the malware from spreading further?

Contributions

 * Scenario by: Kubo Mačák
 * Analysis by: Kubo Mačák
 * Reviewed by: Jakub Harašta; David Wallace; Wen Zhou