Difference between revisions of "Scenario 10: Legal review of cyber weapons"

Jump to navigation Jump to search
The analysis in this scenario examines State obligations to conduct a weapons review with respect to cyber capabilities during peacetime. In particular, it considers whether malware capable of physical destruction qualifies as a weapon that is inherently indiscriminate and therefore prohibited by IHL.
{{#lst:Legal review of cyber weapons|Definition}}
In the present scenario, the malware developed by State A would qualify as a “cyber weapon” due to its ability to produce physical destruction, which is an effect that qualifies as “violence against the adversary”.<ref>Art 49(1) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> State A would accordingly be under a duty to ensure that the use of this malware complies with its international obligations. This is so irrespective of whether State A is currently involved in any armed conflict or not. If State A has ratified Additional Protocol I, its duties would additionally extend to conducting a formal legal review, which would include the assessment of the malware’s compliance with all applicable rules of international law.
There is no indication that the malware’s employment would cause any injury to persons, thus rendering inapplicable the rules on superfluous injury or unnecessary suffering. By contrast, the fact that the malware does not distinguish between civilian and military infrastructure in order to reach its intended target raises questions of its compatibility with the prohibition of inherently indiscriminate means of warfare.
A weapon is considered indiscriminate by nature if it either cannot be directed at a specific military objective,<ref>Art 51(4)(b) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> or if its effects cannot be limited as required by IHL and it is thus of a nature to strike military objectives and civilian objects without distinction.<ref>Art 51(4)(c) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> State A’s malware appears to pass the first condition given that it is specifically designed to target the PLCs controlling military equipment, which would normally qualify as a military objective under IHL.<ref>See Art 52(2) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I] (“In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military of advantage.”).</ref>
However, with respect to the second condition, it is clear that the effects of the malware are not limited solely to the intended military objective and, moreover, that these effects are not wholly under State A’s control. Once released, the malware can spread through civilian infrastructure and can be expected to temporarily impair the ordinary use of infected civilian host systems. Accordingly, State A must assess whether the safeguards built in the malware are sufficient to prevent reverberating harmful effects going beyond the control of the attacker.<ref>Cf. [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4 (noting that malware that would inevitably and harmfully spread into civilian networks in a manner beyond the control of the attacker would violate this prohibition).</ref>
In this regard, States may consider including in the malware a “kill switch” which, if activated, immediately stops the malware from spreading further. The presence of an effective “kill switch” ensures that the attacker is capable of limiting the effects of the malware in particular circumstances. Accordingly, the malware would not qualify as an inherently indiscriminate cyber weapon.<ref>Cf. also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4 (“To the extent the effects of the means or method of warfare can be limited in particular circumstances, it does not violate [this prohibition].”).</ref> Of course, it would still be capable of being used in an indiscriminate manner, but that is an issue that must be considered in relation to each specific attack rather than during the ex ante legal review.
Overall, the assessment must take into account all relevant circumstances and the reasonable expectations of the deploying State.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 104, para 5.<!--[ADD REF]--></ref> In this regard, the temporary effects on civilian infrastructure occasioned by the spread of the virus are likely insufficient to indicate the illegality of the malware. This is because mere inconvenience or annoyance is not considered as collateral damage to civilian objects in the proportionality calculus.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 5.</ref> As long as the release and proliferation of the malware is not expected, or should not reasonably be expected, to cause damage to civilian and military systems without distinction, it would thus likely pass the second condition, too.<ref>See also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 5 (considering that “Stuxnet-like malware that spreads widely into civilian systems, but only damages specific enemy technical equipment” would not violate this prohibition).</ref>
== Checklist ==