Editing Scenario 10: Legal review of cyber weapons


Latest revision Your text
Line 1: Line 1:
  +
[[File:Cyberweapon.jpg|thumb|]]<!-- Photo free for commercial use, no attribution required, CC0 creative commons source: https://pixabay.com/en/hacker-theft-security-computer-3641937/ -->
__NUMBEREDHEADINGS__
 
 
State A develops new malware capable of physical destruction of enemy military equipment. However, if released, it is also expected to result in the temporary impairment of the use of civilian cyber infrastructure through which it may spread in order to reach its target. This scenario considers State obligations to conduct a weapons review with respect to cyber capabilities of this kind potentially already in peacetime, well before they may actually be deployed in time of armed conflict. In particular, it examines whether such malware constitutes a weapon that is inherently indiscriminate and therefore prohibited by IHL.
[[File:Cyberweapon.jpg|thumb|© Reeh. Licensed from Shutterstock.]]
 
State A develops new malware capable of physical destruction of enemy military equipment. However, if released, it is also expected to result in the temporary impairment of the use of civilian cyber infrastructure through which it may spread in order to reach its target. This scenario considers State obligations to conduct a weapons review with respect to cyber capabilities of this kind potentially already in peacetime, well before they may actually be deployed in time of armed conflict. In particular, it examines whether such malware constitutes a weapon that is inherently indiscriminate and therefore prohibited by IHL.
 
   
 
== Scenario ==
 
== Scenario ==
   
 
=== Keywords ===
 
=== Keywords ===
Article 36, cyber weapons, indiscriminate attack, international humanitarian law, malware, methods and means of warfare, weapons review, Stuxnet
+
Article 36, cyber weapons, indiscriminate attack, international humanitarian law, malware, methods and means of warfare, weapons review, Stuxnet
   
 
=== Facts ===
 
=== Facts ===
 
'''[F1]''' State A develops new sophisticated malware designed to weaken the military capacity of its adversaries in times of armed conflict. The software is capable of replicating itself through cyber infrastructure.
 
'''[F1]''' State A develops new sophisticated malware designed to weaken the military capacity of its adversaries in times of armed conflict. The software is capable of replicating itself through cyber infrastructure.
   
'''[F2]''' Once installed in a host system, the malware assesses it for the presence of a specific [[Glossary#PLC|programmable logic controller (PLC)]] used by several States for the purposes of automated maintenance of military equipment. If it does not detect this specific PLC in a given host system, it attempts to further spread through any connected networks and then it shuts itself down in that particular host system. However, if the detection is positive, the malware uses a vulnerability in the PLC to slightly alter the maintenance process.
+
'''[F2]''' Once installed in a host system, the malware assesses it for the presence of a specific [[Glossary|programmable logic controller (PLC)]] used by several States for the purposes of automated maintenance of military equipment. If it does not detect this specific PLC in a given host system, it attempts to further spread through any connected networks and then it shuts itself down in that particular host system. However, if the detection is positive, the malware uses a vulnerability in the PLC to slightly alter the maintenance process.
   
 
'''[F3]''' The effect of this alteration is that instead of servicing the equipment in question, the maintenance machines damage it and thus render it unusable. Tests in controlled environment show that whenever the malware is installed in a host system, it causes it to significantly slow down for a short period of time. However, it is not expected to cause physical damage unless the target PLC is detected in a specific host system.
 
'''[F3]''' The effect of this alteration is that instead of servicing the equipment in question, the maintenance machines damage it and thus render it unusable. Tests in controlled environment show that whenever the malware is installed in a host system, it causes it to significantly slow down for a short period of time. However, it is not expected to cause physical damage unless the target PLC is detected in a specific host system.
   
 
=== Examples ===
 
=== Examples ===
  +
* [[Industroyer – Crash Override (2016)]]
 
 
* [[Stuxnet (2010)]]
 
* [[Stuxnet (2010)]]
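Review bot: in [F2] the link target changes from [[Glossary#PLC|programmable logic controller (PLC)]] to [[Glossary|programmable logic controller (PLC)]], so the term no longer points at its glossary entry. Keep the #PLC anchor unless the glossary section has been renamed.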
   
Line 22: Line 21:
 
''For a general overview of the structure of analysis in this section, see [[Note on the structure of articles]].''
 
''For a general overview of the structure of analysis in this section, see [[Note on the structure of articles]].''
   
'''[L1]''' The analysis in this scenario examines State obligations to conduct a legal review with respect to cyber capabilities they may develop or acquire. In the first place, it considers whether malware capable of physical destruction qualifies as a weapon, means or method of warfare. This is especially significant because classifying a capability as a weapon, means or method of warfare means that its employment must comply with the relevant rules of IHL. The analysis then focusses on the question whether such malware would be considered as inherently indiscriminate and therefore prohibited by IHL.
+
'''[L1]''' The analysis in this scenario examines State obligations to conduct a weapons review with respect to cyber capabilities they may develop or acquire. In the first place, it considers whether malware capable of physical destruction qualifies as a weapon. This is especially significant because classifying a capability as a weapon means that it must comply with the relevant rules of IHL. The analysis then zones in on the question whether such malware would be considered as inherently indiscriminate and therefore prohibited by IHL.
 
{{#lst:Legal review of cyber weapons|Definition}}
 
{{#lst:Legal review of cyber weapons|Definition}}
'''[L2]''' In the present scenario, the malware developed by State A would qualify as a “cyber weapon” due to its ability to produce physical destruction, which is an effect that qualifies as “violence against the adversary”.<ref>Art 49(1) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> State A would accordingly be under a duty to ensure that the use of this malware complies with its international obligations. This is so irrespective of whether State A is currently involved in any armed conflict or not. If State A has ratified Additional Protocol I, its duties would additionally extend to conducting a legal review to determine if the employment of the malware would be in compliance with all applicable rules of international law.
+
'''[L2]''' In the present scenario, the malware developed by State A would qualify as a “cyber weapon” due to its ability to produce physical destruction, which is an effect that qualifies as “violence against the adversary”.<ref>Art 49(1) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> State A would accordingly be under a duty to ensure that the use of this malware complies with its international obligations. This is so irrespective of whether State A is currently involved in any armed conflict or not. If State A has ratified Additional Protocol I, its duties would additionally extend to conducting a formal legal review, which would include the assessment of the malware’s compliance with all applicable rules of international law.
 
'''[L3]''' There is no indication that the malware’s employment would cause any injury to persons, thus rendering inapplicable the rules on superfluous injury or unnecessary suffering.<ref>Although it is unusual for cyber capabilities to implicate the prohibition of superfluous injury or unnecessary suffering, it is not wholly inconceivable. Cf. [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 104, para 6 (proposing, in this regard, the example of remotely taking control of a target’s pacemaker device to stop his “heart and then reviving him multiple times before finally killing him”).</ref>
 
   
 
'''[L3]''' There is no indication that the malware’s employment would cause any injury to persons, thus rendering inapplicable the rules on superfluous injury or unnecessary suffering. Means and methods of cyber warfare will only in the rarest cases violate the principle of superfluous injury or unnecessary suffering.<ref>Cf. [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 104, para 6 (proposing, in this regard, the example of remotely taking control of a target’s pacemaker device to stop his “heart and then reviving him multiple times before finally killing him”).</ref> By contrast, the fact that the malware does not distinguish between civilian and military infrastructure in order to reach its intended target raises questions of its compatibility with the prohibition of inherently indiscriminate means of warfare.
'''[L4]''' By contrast, the fact that the malware is not designed to distinguish between civilian and military infrastructure while en route to its intended target raises questions of its compatibility with the prohibition of inherently indiscriminate means and methods of warfare. A weapon is inherently indiscriminate if it is of a nature to strike military objectives and civilian objects without distinction, because it either (1) cannot be directed at a specific military objective,<ref>Art 51(4)(b) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> or (2) its effects cannot be limited as required by IHL.<ref>Art 51(4)(c) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref>
 
   
'''[L5]''' State A’s malware appears not to fall into the first category given that it is specifically designed to target the PLCs controlling military equipment, which would normally qualify as a military objective under IHL.<ref>See Art 52(2) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I] (“In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military of advantage.”).</ref>
+
'''[L4]''' A weapon is considered indiscriminate by nature if it either cannot be directed at a specific military objective,<ref>Art 51(4)(b) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> or if its effects cannot be limited as required by IHL and it is thus of a nature to strike military objectives and civilian objects without distinction.<ref>Art 51(4)(c) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> State A’s malware appears to pass the first condition given that it is specifically designed to target the PLCs controlling military equipment, which would normally qualify as a military objective under IHL.<ref>See Art 52(2) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I] (“In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military of advantage.”).</ref>
 
 
'''[L6]''' However, with respect to the second category, it is material that the effects of the malware are not limited solely to the intended military objective and, moreover, that these effects are not wholly under State A’s control. Once released, the malware can spread through civilian infrastructure and can be expected to temporarily impair the ordinary use of infected civilian host systems. Accordingly, State A must assess the extent of the effects on the civilian cyber infrastructure caused by the malware if it was used in a normal way, as anticipated at the time of the evaluation.<ref>Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Comment.xsp?action=openDocument&documentId=73ED2A33F274494CC12563CD00430247 ''Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949''] (ICRC 1987) 423 para 1466.</ref> Overall, the assessment must take into account all relevant circumstances and the reasonable expectations of the deploying State.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 104, para 5.</ref>
+
'''[L5]''' However, with respect to the second condition, it is clear that the effects of the malware are not limited solely to the intended military objective and, moreover, that these effects are not wholly under State A’s control. Once released, the malware can spread through civilian infrastructure and can be expected to temporarily impair the ordinary use of infected civilian host systems. Accordingly, State A must assess whether the safeguards built in the malware are sufficient to prevent reverberating harmful effects going beyond the control of the attacker.<ref>Cf. [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4 (noting that malware that would inevitably and harmfully spread into civilian networks in a manner beyond the control of the attacker would violate this prohibition).</ref>
   
  +
'''[L6]''' In this regard, States may consider including in the malware a “kill switch” which, if activated, immediately stops the malware from spreading further. The presence of an effective “kill switch” ensures that the attacker is capable of limiting the effects of the malware in particular circumstances. Accordingly, the malware would not qualify as an inherently indiscriminate cyber weapon.<ref>Cf. also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4 (“To the extent the effects of the means or method of warfare can be limited in particular circumstances, it does not violate [this prohibition].”).</ref> Of course, it would still be capable of being used in an indiscriminate manner, but that is an issue that must be considered in relation to each specific attack rather than during the ex ante legal review.
'''[L7]''' What is crucial is whether these effects would, if considered on their own, amount to attacks against the affected cyber infrastructure. As long as they do not exceed mere inconvenience or annoyance to the users, from the perspective of IHL they would remain below the threshold of attack.<ref>See Humanitarian Policy and Conflict Research, [https://doi.org/10.1017/CBO9781139525275 ''Manual on International Law Applicable to Air and Missile Warfare''] (CUP 2013) rule 1(e), commentary para 7 (‘the term “attack” does not encompass [cyber operations] that result in an inconvenience’); Michael N Schmitt, [https://www.icrc.org/en/doc/assets/files/other/365_400_schmitt.pdf ‘Wired Warfare: Computer Network Attack and ''Jus in Bello''’] (2002) 84 IRRC 365, 377 (arguing that “inconvenience, harassment or mere diminishment in quality of life” does not qualify as a violent consequence that would bring an act within the ambit of “attack” under IHL); Cordula Droege, [https://doi.org/10.1017/S1816383113000246 ‘Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians’] (2012) 94 IRRC 533, 560 (acknowledging the merits of the argument according to which a cyber operation that causes mere inconvenience cannot amount to an attack).</ref> Consequently, the normal and expected use of the weapon would not involve attacks against civilian objects, and therefore the weapon would not be of a nature to strike military objectives and civilian objects without distinction.<ref>See also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 5 (considering that “Stuxnet-like malware that spreads widely into civilian systems, but only damages specific enemy technical equipment” would not violate this prohibition).</ref> By contrast, if the spread of the malware would inevitably cause harm exceeding the threshold of attack in the civilian networks through which it propagates, it would violate this 
prohibition.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4.</ref>
 
   
'''[L8]''' In addition, the State should assess the effectiveness of safeguards built into the malware that would enable it to control its spread once deployed. For example, the malware could be designed to include a “[[Glossary#Kill switch|kill switch]]” which, if activated, immediately stops the malware from spreading further. The presence of an effective “kill switch” ensures that the attacker remains capable of limiting the effects of the malware in particular circumstances if the need arises—for instance, if the malware starts spreading in a way that was not anticipated by its authors. In other words, such a safeguard will enable the attacker to limit the indiscriminate effects of the cyber weapon in case it malfunctions or operates in an unexpected manner. Its presence may further bolster the conclusion that the malware developed by State A is not indiscriminate by nature.<ref>Cf. also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4 (“To the extent the effects of the means or method of warfare can be limited in particular circumstances, it does not violate [this prohibition].”).</ref>
+
'''[L7]''' Overall, the assessment must take into account all relevant circumstances and the reasonable expectations of the deploying State.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 104, para 5.<!--[ADD REF]--></ref> In this regard, the temporary effects on civilian infrastructure occasioned by the spread of the virus are likely insufficient to indicate the illegality of the malware. This is because mere inconvenience or annoyance is not considered as collateral damage to civilian objects in the proportionality calculus.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 5.</ref> As long as the release and proliferation of the malware is not expected, or should not reasonably be expected, to cause damage to civilian and military systems without distinction, it would thus likely pass the second condition, too.<ref>See also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 5 (considering that “Stuxnet-like malware that spreads widely into civilian systems, but only damages specific enemy technical equipment” would not violate this prohibition).</ref>
   
 
== Checklist ==
 
== Checklist ==
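Review bot: the right-hand [L7] still carries an unresolved <!--[ADD REF]--> marker inside its first <ref>, and the right-hand [L1] reads "zones in on" where the left-hand "focusses on" is the wording that reads correctly. Resolve the placeholder and keep the left-hand wording before publishing. The right-hand text also loses the [[Glossary#Kill switch|kill switch]] link present in the left-hand [L8].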
Line 58: Line 55:
 
=== Bibliography ===
 
=== Bibliography ===
 
* Steven Bellovin, Susan Landau and Herbert Lin, ‘[https://academic.oup.com/cybersecurity/article/3/1/59/3097802 Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications]’ (2017) 3(1) Journal of Cybersecurity 59.
 
* Steven Bellovin, Susan Landau and Herbert Lin, ‘[https://academic.oup.com/cybersecurity/article/3/1/59/3097802 Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications]’ (2017) 3(1) Journal of Cybersecurity 59.
 
*William H Boothby, ''Weapons and the Law of Armed Conflict'' (OUP 2016).   
* Jeffrey T Biller and Michael N Schmitt, ‘[https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=2462&context=ils Classification of Cyber Capabilities and Operations as Weapons, Means, or Methods of Warfare]’ (2019) 95 Int’l L Stud 179.
 
 
* Duncan Blake and Joseph Imburgia, ‘[https://ssrn.com/abstract=1850831 “Bloodless Weapons”? The Need to Conduct Legal Review of Certain Capabilities and the Implications of Defining Them as “Weapons”]’, (2010) 66 Air Force Law Review 157.
 
* Duncan Blake and Joseph Imburgia, ‘[https://ssrn.com/abstract=1850831 “Bloodless Weapons”? The Need to Conduct Legal Review of Certain Capabilities and the Implications of Defining Them as “Weapons”]’, (2010) 66 Air Force Law Review 157.
* William H Boothby, ''Weapons and the Law of Armed Conflict'' (OUP 2016).
 
 
* Vincent Boulanin and Maaike Verbruggen, [https://www.sipri.org/sites/default/files/2017-12/article_36_report_1712.pdf <i>Article 36 Reviews: Dealing with the Challenges Posed by Emerging Technologies</i>] (SIPRI 2017).
 
* Vincent Boulanin and Maaike Verbruggen, [https://www.sipri.org/sites/default/files/2017-12/article_36_report_1712.pdf <i>Article 36 Reviews: Dealing with the Challenges Posed by Emerging Technologies</i>] (SIPRI 2017).
 
* Gary Brown and Andrew Metcalf, ‘[http://jnslp.com/wp-content/uploads/2014/02/Easier-Said-than-Done.pdf Easier Said Than Done: Legal Reviews of Cyber Weapons]’ (2014) 7 Journal of National Security Law & Policy 115.
 
* Gary Brown and Andrew Metcalf, ‘[http://jnslp.com/wp-content/uploads/2014/02/Easier-Said-than-Done.pdf Easier Said Than Done: Legal Reviews of Cyber Weapons]’ (2014) 7 Journal of National Security Law & Policy 115.
 
* Robin Geiss, ‘The Obligation to Respect and to Ensure Respect for the Conventions’ in Andrew Clapham, Paola Gaeta and Marco Sassòli (eds), ''The 1949 Geneva Conventions: A Commentary'' (OUP 2015).
 
* Robin Geiss, ‘The Obligation to Respect and to Ensure Respect for the Conventions’ in Andrew Clapham, Paola Gaeta and Marco Sassòli (eds), ''The 1949 Geneva Conventions: A Commentary'' (OUP 2015).
* ICRC, [https://e-brief.icrc.org/wp-content/uploads/2016/09/12-A-Guide-to-the-Legal-Review-of-New-Weapons.pdf ''A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977''] (Kathleen Lawand ed.) (ICRC 2006).
 
 
* Michael N Schmitt (ed), ''[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations]'' (CUP 2017).
 
* Michael N Schmitt (ed), ''[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations]'' (CUP 2017).
 
* David Wallace, ‘[https://ccdcoe.org/sites/default/files/multimedia/pdf/TP%2011_2018.pdf Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis]’ (2018) Tallinn Paper No. 11.
 
* David Wallace, ‘[https://ccdcoe.org/sites/default/files/multimedia/pdf/TP%2011_2018.pdf Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis]’ (2018) Tallinn Paper No. 11.
Line 78: Line 73:
 
* Scenario by: [[People#Editorial_board|Kubo Mačák]]
 
* Scenario by: [[People#Editorial_board|Kubo Mačák]]
 
* Analysis by: [[People#Editorial_board|Kubo Mačák]]
 
* Analysis by: [[People#Editorial_board|Kubo Mačák]]
* Reviewed by: [[People#Peer_reviewers|Jakub Harašta]]; [[People#Peer_reviewers|David Wallace]]; [[People#Peer_reviewers|Wen Zhou]]
+
* Reviewed by: [[People#Peer_reviewers|Jakub Harašta]]; [[People#Peer_reviewers|David Wallace]]
   
 
{| class="wikitable"
 
{| class="wikitable"
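Review bot: the "Reviewed by" line on the right omits [[People#Peer_reviewers|Wen Zhou]], who is listed on the left, so publishing would remove a peer-reviewer credit. Confirm that this is intended, or keep the left-hand line.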
Line 93: Line 88:
 
[[Category:Stuxnet]]
 
[[Category:Stuxnet]]
 
[[Category:Weapons review]]
 
[[Category:Weapons review]]
[[Category:Legal review of cyber weapons]]
 
 
[[Category:Scenario]]
 
[[Category:Scenario]]
