Difference between revisions of "Scenario 10: Legal review of cyber weapons"

→‎Legal analysis: model change for RAs
There is no indication that the malware’s employment would cause any injury to persons, thus rendering inapplicable the rules on superfluous injury or unnecessary suffering. By contrast, the fact that the malware does not distinguish between civilian and military infrastructure in order to reach its intended target raises questions of its compatibility with the prohibition of inherently indiscriminate means of warfare.
A weapon is considered indiscriminate by nature if it either cannot be directed at a specific military objective,<ref>Art 51(4)(b) Additional Protocol I (AP I).</ref> or if its effects cannot be limited as required by IHL and it is thus of a nature to strike military objectives and civilian objects without distinction.<ref>Art 51(4)(c) AP I.</ref> State A’s malware appears to pass the first condition given that it is specifically designed to target the PLCs controlling military equipment, which would normally qualify as a military objective under IHL.<ref>See Art 52(2) AP I (“In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.”).</ref>
However, with respect to the second condition, it is clear that the effects of the malware are not limited solely to the intended military objective and, moreover, that these effects are not wholly under State A’s control. Once released, the malware can spread through civilian infrastructure and can be expected to temporarily impair the ordinary use of infected civilian host systems. Accordingly, State A must assess whether the safeguards built into the malware are sufficient to prevent reverberating harmful effects going beyond the control of the attacker.<ref>Cf. Tallinn Manual 2.0, commentary to rule 105, para. 4 (noting that malware that would inevitably and harmfully spread into civilian networks in a manner beyond the control of the attacker would violate this prohibition).</ref>