Difference between revisions of "Scenario 10: Legal review of cyber weapons"

Jump to navigation Jump to search
General update 2020 following additional peer review
m (Kubomacak moved page Scenario 10: Cyber weapons review to Scenario 10: Legal review of cyber weapons: Name change for accuracy reasons)
(General update 2020 following additional peer review)
__NUMBEREDHEADINGS__
[[File:Cyberweapon.jpg|thumb|© Reeh. Licensed from Shutterstock.]]
State A develops new malware capable of physical destruction of enemy military equipment. However, if released, it is also expected to result in the temporary impairment of the use of civilian cyber infrastructure through which it may spread in order to reach its target. This scenario considers State obligations to conduct a weapons review with respect to cyber capabilities of this kind potentially already in peacetime, well before they may actually be deployed in time of armed conflict. In particular, it examines whether such malware constitutes a weapon that is inherently indiscriminate and therefore prohibited by IHL.
 
== Scenario ==
 
=== Keywords ===
Article 36, cyber weapons, indiscriminate attack, international humanitarian law, malware, methods and means of warfare, weapons review, Stuxnet
 
=== Facts ===
''For a general overview of the structure of analysis in this section, see [[Note on the structure of articles]].''
 
'''[L1]''' The analysis in this scenario examines State obligations to conduct a weaponslegal review with respect to cyber capabilities they may develop or acquire. In the first place, it considers whether malware capable of physical destruction qualifies as a weapon, means or method of warfare. This is especially significant because classifying a capability as a weapon, means or method of warfare means that itits employment must comply with the relevant rules of IHL. The analysis then zones infocusses on the question whether such malware would be considered as inherently indiscriminate and therefore prohibited by IHL.
{{#lst:Legal review of cyber weapons|Definition}}
'''[L2]''' In the present scenario, the malware developed by State A would qualify as a “cyber weapon” due to its ability to produce physical destruction, which is an effect that qualifies as “violence against the adversary”.<ref>Art 49(1) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> State A would accordingly be under a duty to ensure that the use of this malware complies with its international obligations. This is so irrespective of whether State A is currently involved in any armed conflict or not. If State A has ratified Additional Protocol I, its duties would additionally extend to conducting a formal legal review, whichto woulddetermine includeif the assessmentemployment of the malware’smalware would be in compliance with all applicable rules of international law.
 
'''[L3]''' There is no indication that the malware’s employment would cause any injury to persons, thus rendering inapplicable the rules on superfluous injury or unnecessary suffering.<ref>Although it Meansis andunusual methods offor cyber warfarecapabilities willto only inimplicate the rarest cases violate the principleprohibition of superfluous injury or unnecessary suffering, it is not wholly inconceivable.<ref> Cf. [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 104, para 6 (proposing, in this regard, the example of remotely taking control of a target’s pacemaker device to stop his “heart and then reviving him multiple times before finally killing him”).</ref> By contrast, the fact that the malware does not distinguish between civilian and military infrastructure in order to reach its intended target raises questions of its compatibility with the prohibition of inherently indiscriminate means of warfare.
 
'''[L4]''' ABy weaponcontrast, isthe consideredfact indiscriminatethat bythe naturemalware ifis itnot eitherdesigned cannotto bedistinguish directedbetween atcivilian a specificand military objective,<ref>Artinfrastructure 51(4)(b)while [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocumenten AProute I].</ref>to orits ifintended target raises questions of its effectscompatibility cannotwith bethe limitedprohibition asof requiredinherently byindiscriminate IHLmeans and methods of warfare. A weapon is inherently indiscriminate if it is thus of a nature to strike military objectives and civilian objects without distinction., because it either (1) cannot be directed at a specific military objective,<ref>Art 51(4)(cb) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I].</ref> Stateor A’s(2) malwareits appearseffects tocannot passbe the first condition given that it is specifically designed to target the PLCs controlling military equipment, which would normally qualifylimited as arequired military objective underby IHL.<ref>See Art 5251(24)(c) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I] (“In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military of advantage.”).</ref>
 
'''[L5]''' State A’s malware appears not to fall into the first category given that it is specifically designed to target the PLCs controlling military equipment, which would normally qualify as a military objective under IHL.<ref>See Art 52(2) [https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?documentId=D9E6B6264D7723C3C12563CD002D6CE4&action=openDocument AP I] (“In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military of advantage.”).</ref>
'''[L5L6]''' However, with respect to the second conditioncategory, it is clearmaterial that the effects of the malware are not limited solely to the intended military objective and, moreover, that these effects are not wholly under State A’s control. Once released, the malware can spread through civilian infrastructure and can be expected to temporarily impair the ordinary use of infected civilian host systems. Accordingly, State A must assess whetherthe extent of the safeguardseffects builton inthe civilian cyber infrastructure caused by the malware areif sufficientit towas preventused reverberatingin harmfula effectsnormal goingway, beyondas anticipated at the controltime of the attackerevaluation.<ref>Cf.Yves Sandoz, Christophe Swinarski and Bruno Zimmermann (eds), [https://doiihl-databases.icrc.org/10applic/ihl/ihl.1017nsf/9781316822524Comment.xsp?action=openDocument&documentId=73ED2A33F274494CC12563CD00430247 Tallinn''Commentary Manualon 2.0],the commentaryAdditional Protocols of 8 June 1977 to rulethe 105,Geneva paraConventions 4of 12 August 1949''] (notingICRC that1987) malware423 thatpara would1466.</ref> inevitablyOverall, andthe harmfullyassessment spreadmust take into civilianaccount networksall inrelevant acircumstances manner beyondand the controlreasonable expectations of the attackerdeploying wouldState.<ref>[https://doi.org/10.1017/9781316822524 violateTallinn thisManual prohibition)2.0], commentary to rule 104, para 5.</ref>
 
'''[L7]''' What is crucial is whether these effects would, if considered on their own, amount to attacks against the affected cyber infrastructure. As long as they do not exceed mere inconvenience or annoyance to the users, from the perspective of IHL they would remain below the threshold of attack.<ref>See Humanitarian Policy and Conflict Research, [https://doi.org/10.1017/CBO9781139525275 ''Manual on International Law Applicable to Air and Missile Warfare''] (CUP 2013) rule 1(e), commentary para 7 (‘the term “attack” does not encompass [cyber operations] that result in an inconvenience’); Michael N Schmitt, [https://www.icrc.org/en/doc/assets/files/other/365_400_schmitt.pdf ‘Wired Warfare: Computer Network Attack and ''Jus in Bello''’] (2002) 84 IRRC 365, 377 (arguing that “inconvenience, harassment or mere diminishment in quality of life” does not qualify as a violent consequence that would bring an act within the ambit of “attack” under IHL); Cordula Droege, [https://doi.org/10.1017/S1816383113000246 ‘Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians’] (2012) 94 IRRC 533, 560 (acknowledging the merits of the argument according to which a cyber operation that causes mere inconvenience cannot amount to an attack).</ref> Consequently, the normal and expected use of the weapon would not involve attacks against civilian objects, and therefore the weapon would not be of a nature to strike military objectives and civilian objects without distinction.<ref>See also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 5 (considering that “Stuxnet-like malware that spreads widely into civilian systems, but only damages specific enemy technical equipment” would not violate this prohibition).</ref> By contrast, if the spread of the malware would inevitably cause harm exceeding the threshold of attack in the civilian networks through which it propagates, it would violate this prohibition.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4.</ref>
'''[L6]''' In this regard, States may consider including in the malware a “kill switch” which, if activated, immediately stops the malware from spreading further. The presence of an effective “kill switch” ensures that the attacker is capable of limiting the effects of the malware in particular circumstances. Accordingly, the malware would not qualify as an inherently indiscriminate cyber weapon.<ref>Cf. also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4 (“To the extent the effects of the means or method of warfare can be limited in particular circumstances, it does not violate [this prohibition].”).</ref> Of course, it would still be capable of being used in an indiscriminate manner, but that is an issue that must be considered in relation to each specific attack rather than during the ex ante legal review.
 
'''[L7L8]''' OverallIn addition, the assessmentState mustshould takeassess intothe accounteffectiveness allof relevantsafeguards circumstancesbuilt andinto the reasonablemalware expectationsthat ofwould theenable deployingit State.<ref>[https://doi.org/10.1017/9781316822524to Tallinncontrol Manualits spread once 2deployed.0] For example, commentarythe malware could be designed to ruleinclude 104,a para 5.<!--“[[ADDGlossary#Kill REFswitch|kill switch]--></ref>]” Inwhich, thisif regardactivated, immediately stops the temporarymalware effectsfrom onspreading civilianfurther. infrastructureThe occasionedpresence byof thean spreadeffective of“kill theswitch” virusensures arethat likelythe insufficientattacker toremains indicatecapable of limiting the illegalityeffects of the malware. Thisin isparticular becausecircumstances mereif inconveniencethe orneed annoyancearises—for isinstance, notif consideredthe asmalware collateralstarts damagespreading toin civiliana objectsway inthat thewas proportionalitynot calculusanticipated by its authors.<ref>[https://doi.org/10.1017/9781316822524 TallinnIn Manualother 2.0]words, commentarysuch toa rulesafeguard 105,will paraenable 5.</ref>the Asattacker longto aslimit the releaseindiscriminate and proliferationeffects of the malwarecyber isweapon notin expected,case it malfunctions or shouldoperates notin reasonablyan beunexpected expected,manner. toIts causepresence damagemay tofurther civilianbolster andthe militaryconclusion systemsthat withoutthe distinction,malware itdeveloped wouldby thusState likelyA passis thenot secondindiscriminate condition,by toonature.<ref>SeeCf. also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 54 (considering“To thatthe “Stuxnet-likeextent malwarethe thateffects spreadsof widelythe intomeans civilianor systems,method butof onlywarfare damagescan specificbe enemylimited technicalin equipment”particular wouldcircumstances, it does not violate [this prohibition].”).</ref>
 
== Checklist ==
* Gary Brown and Andrew Metcalf, ‘[http://jnslp.com/wp-content/uploads/2014/02/Easier-Said-than-Done.pdf Easier Said Than Done: Legal Reviews of Cyber Weapons]’ (2014) 7 Journal of National Security Law & Policy 115.
* Robin Geiss, ‘The Obligation to Respect and to Ensure Respect for the Conventions’ in Andrew Clapham, Paola Gaeta and Marco Sassòli (eds), ''The 1949 Geneva Conventions: A Commentary'' (OUP 2015).
* ICRC, [https://e-brief.icrc.org/wp-content/uploads/2016/09/12-A-Guide-to-the-Legal-Review-of-New-Weapons.pdf ''A Guide to the Legal Review of New Weapons, Means and Methods of Warfare: Measures to Implement Article 36 of Additional Protocol I of 1977''] (Kathleen Lawand ed.) (ICRC 2006).
* Michael N Schmitt (ed), ''[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations]'' (CUP 2017).
* David Wallace, ‘[https://ccdcoe.org/sites/default/files/multimedia/pdf/TP%2011_2018.pdf Cyber Weapon Reviews under International Humanitarian Law: A Critical Analysis]’ (2018) Tallinn Paper No. 11.
* Scenario by: [[People#Editorial_board|Kubo Mačák]]
* Analysis by: [[People#Editorial_board|Kubo Mačák]]
* Reviewed by: [[People#Peer_reviewers|Jakub Harašta]]; [[People#Peer_reviewers|David Wallace]]; [[People#Peer_reviewers|Wen Zhou]]
 
{| class="wikitable"
Cookies help us deliver our services. By using our services, you agree to our use of cookies.

Navigation menu