Difference between revisions of "Scenario 10: Legal review of cyber weapons"

Jump to navigation Jump to search
no edit summary
'''[L7]''' What is crucial is whether these effects would, if considered on their own, amount to attacks against the affected cyber infrastructure. As long as they do not exceed mere inconvenience or annoyance to the users, from the perspective of IHL they would remain below the threshold of attack.<ref>See Humanitarian Policy and Conflict Research, [https://doi.org/10.1017/CBO9781139525275 ''Manual on International Law Applicable to Air and Missile Warfare''] (CUP 2013) rule 1(e), commentary para 7 (‘the term “attack” does not encompass [cyber operations] that result in an inconvenience’); Michael N Schmitt, [https://www.icrc.org/en/doc/assets/files/other/365_400_schmitt.pdf ‘Wired Warfare: Computer Network Attack and ''Jus in Bello''’] (2002) 84 IRRC 365, 377 (arguing that “inconvenience, harassment or mere diminishment in quality of life” does not qualify as a violent consequence that would bring an act within the ambit of “attack” under IHL); Cordula Droege, [https://doi.org/10.1017/S1816383113000246 ‘Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians’] (2012) 94 IRRC 533, 560 (acknowledging the merits of the argument according to which a cyber operation that causes mere inconvenience cannot amount to an attack).</ref> Consequently, the normal and expected use of the weapon would not involve attacks against civilian objects, and therefore the weapon would not be of a nature to strike military objectives and civilian objects without distinction.<ref>See also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 5 (considering that “Stuxnet-like malware that spreads widely into civilian systems, but only damages specific enemy technical equipment” would not violate this prohibition).</ref> By contrast, if the spread of the malware would inevitably cause harm exceeding the threshold of attack in the civilian networks through which it propagates, it would violate this prohibition.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4.</ref>
'''[L8]''' In addition, the State should assess the effectiveness of safeguards built into the malware that would enable it to control its spread once deployed. For example, the malware could be designed to include a “[[Glossary#Kill switch|kill switch]]” which, if activated, immediately stops the malware from spreading further. The presence of an effective “kill switch” ensures that the attacker remains capable of limiting the effects of the malware in particular circumstances if the need arises—for instance, if the malware starts spreading in a way that was not anticipated by its authors. In other words, such a safeguard will enable the attacker to limit the indiscriminate effects of the cyber weapon in case it malfunctions or operates in an unexpected manner.<ref>See also ICRC, [https://shop.icrc.org/avoiding-civilian-harm-from-military-cyber-operations-during-armed-conflicts-icrc-expert-meeting-21-22-january-2020-geneva-pdf-en ''Avoiding Civilian Harm from Military Cyber Operations during Armed Conflicts''] (ICRC 2021) 30 (recommending the use of kill switches in the development of military cyber capabilities to reduce the risk of civilian harm posed by such capabilities).</ref> Its presence may further bolster the conclusion that the malware developed by State A is not indiscriminate by nature.<ref>Cf. also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 105, para 4 (“To the extent the effects of the means or method of warfare can be limited in particular circumstances, it does not violate [this prohibition].”).</ref>
== Checklist ==
Cookies help us deliver our services. By using our services, you agree to our use of cookies.

Navigation menu