Legal review of cyber weapons

From International cyber law: interactive toolkit
Revision as of 12:37, 3 July 2019 by Kubomacak (talk | contribs)
Jump to navigation Jump to search


Legal review of cyber weapons
Legal review of cyber weapons.svg
Although IHL is primarily designed to govern situations of armed conflict, some of its rules also apply in times of peace,[1] including the obligation to respect and ensure respect for IHL, codified in Common Article 1 to the Geneva Conventions and generally considered to reflect customary international law.[2] The obligation in turn implies a duty of each State to ensure that means of warfare available to it comply with the relevant rules of IHL.[3] In addition, Article 36 of Additional Protocol I provides that “[i]n the study, development, acquisition or adoption of a new weapon, means or method of warfare,” States must determine whether its employment would be prohibited under any rule of international law.[4] It has been argued that the Article 36 obligation represents customary international law,[5] but this view is not universally accepted.[6]

To begin with, the mere fact of a weapon’s novelty or its reliance on new technology does not automatically mean that the weapon is illegal.[7] Similarly, the lack of general practice by States in using the new weapon is irrelevant as to its legality under IHL.[8] Additionally, all States remain subject to the so-called Martens Clause,[9] which reinforces the notion that the lawfulness of a new means of warfare must be assessed under customary international law according to the principles of humanity and the requirements of the public conscience.[10] In determining the weapon’s lawfulness, the State in question must therefore consider whether there is any specific prohibition under IHL that would bar the State from using it in practice.[11] It is unsettled whether this consideration must take the form of a formal legal review approximating that required by Article 36 or whether it would suffice for the State to seek the advice of a legal advisor at the relevant level of command.[12]

Although the precise definition of a “cyber weapon” is unsettled as yet,[13] at the very least, all cyber means capable of conducting “attacks” as understood in IHL, that is, acts of violence against the adversary,[14] should be considered to qualify as cyber weapons,[15] thus falling under the principle that IHL applies to “all forms of warfare and to all kinds of weapons, those of the past, those of the present and those of the future”.[16] For States Parties to Additional Protocol I, the obligation extends to the early stages of studying and developing a new cyber capability; these States must conduct a formal legal review; and the scope of the review includes the entirety of international law, not just rules of IHL.[17]

Therefore, States must first consider whether the cyber weapon in question would violate an express specific prohibition on its use.[18] Although no prohibitions of this kind exist at present, this may well change in the future. In particular, there is recurring talk of States entering into “cyber arms control treaties” or agreeing to specific limitations on the development and use of cyber offensive capabilities. If formulated as binding prohibitions, these may prevent States from utilizing capabilities falling under the remit of such rules.

States must then consider whether the employment of the cyber weapon in question would be restricted by any of the relevant rules of IHL. These include, in particular, the prohibition of means of warfare that are of a nature to cause superfluous injury or unnecessary suffering[19] and the prohibition of means of warfare that are by nature indiscriminate.[20] However, the requirement that the weapon in question would have to cause the prohibited effects by its “nature” is quite restrictive as most means of warfare can be used in a number of different ways. As long as the weapon can be employed in a lawful way, its use in abstract would not be prohibited by these rules of IHL. Accordingly, Tallinn Manual 2.0 notes that both prohibitions would only rarely be violated by cyber means.[21]


See also

Notes and references

  1. See, eg, Arts 23, 44, 47 GC I; Art 127 GC III; Art 144 GC IV; Arts 6, para 1, and 83, para 1 AP I; Art. 7 AP III.
  2. Robin Geiss, ‘The Obligation to Respect and to Ensure Respect for the Conventions’ in Andrew Clapham, Paola Gaeta and Marco Sassòli (eds), The 1949 Geneva Conventions: A Commentary (OUP 2015) 121-22.
  3. Tallinn Manual 2.0, commentary to rule 110, para 2.
  4. Article 36 AP I.
  5. See, eg, Duncan Blake and Joseph S. Imburgia, ‘“Bloodless Weapons”? The need to conduct legal review of certain capabilities and the implications of defining them as “weapons”’, (2010) 66 AFLRev 157, 163–64; see also, William H Boothby, Weapons and the Law of Armed Conflict (2nd edn, OUP 2016) 342-43 (“For states that are not party to AP1, the implied obligation should not necessarily be expressed in the same terms as article 36, but its existence is attested to by the practice of certain states before the adoption of AP1”).
  6. See, Tallinn Manual 2.0, commentary to rule 110, para 2.
  7. See, eg, US DoD Manual, para 6.2.1.
  8. David Wallace, ‘Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis’ (2018) Tallinn Paper No. 11, 9.
  9. For a modern formulation of the Martens Clause, see Art 1(2) AP I (“In cases not covered by this Protocol or by other international agreements, civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity and from dictates of public conscience.”).
  10. David Wallace, ‘Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis’ (2018) Tallinn Paper No. 11, 9.
  11. David Wallace, ‘Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis’ (2018) Tallinn Paper No. 11, 10.
  12. See Tallinn Manual 2.0, commentary to rule 110, para 4.
  13. See, eg, Gary D. Brown and Andrew O. Metcalf, ‘Easier Said Than Done: Legal Reviews of Cyber Weapons’ (2014) 7 JNSLP 115, 135 (defining a kinetic and/or a cyber weapon as “an object designed for, and developed or obtained for, the primary purpose of killing, maiming, injuring, damaging or destroying”); Tallinn Manual 2.0, rule 103, para 2 (“cyber weapons are cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects”); Air Force Instruction 51-401 (3 August 2018) 13 (defining a cyber capability as “any device, computer program or computer script, including any combination of software, firmware or hardware intended to deny, disrupt, degrade, destroy or manipulate adversarial target information, information systems, or networks”).
  14. Art 49 AP I.
  15. Tallinn Manual 2.0, rule 103, para 2; but see Jeffrey T Biller and Michael N Schmitt, ‘Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare’ (2019) 95 Int’l L Stud 179, 218 (arguing that “code used in hostile cyber operations does not qualify as a means of warfare”) and 219 (characterizing “cyber operations as a method of warfare”) (emphasis added).
  16. Legality of the Threat or Use of Nuclear Weapons Case (Advisory Opinion) [1996] ICJ Rep 226, para 86.
  17. Tallinn Manual 2.0, commentary to rule 110, para 6.
  18. Examples of such express prohibitions include the general ban on the use of chemical or biological weapons.
  19. Art 23(e) Hague Regulations; Art 35(2) AP I; ICRC CIHL Study, rule 70; Tallinn Manual 2.0, rule 104.
  20. Art 51(4)(b) AP I; ICRC CIHL Study, rules 12 and 71 ; Tallinn Manual 2.0, rule 105; see also US DoD Manual, para 16.6 (“a legal review of the acquisition or procurement of a weapon that employs cyber capabilities likely would assess whether the weapon is inherently indiscriminate”).
  21. Tallinn Manual 2.0, commentary to rule 104, para 6; ibid, rule 105, para 7.

Bibliography and further reading