How do \u2013 and should \u2013 we classify offensive cyber capabilities? Particularly in the context of international humanitarian law, the question whether offensive cyber capabilities are weapons, means of warfare, or methods of warfare is not just semantics but has legal implications. Yet, there is great terminological inconsistency.<\/p>\n
The most prominent term is arguably that of \u2018cyber weapons\u2019. It is used in the Tallinn Manual 2.0<\/a> (a non-binding comprehensive academic study on the application of international law to cyber operations), and military manuals (e.g. Denmark<\/a>), by states (Brazil<\/a>, Egypt<\/a>), the International Committee of the Red Cross<\/a> (ICRC), tech companies<\/a>, government officials<\/a>, the press<\/a>, and academics<\/a>. In contrast, Australia<\/a> and the US largely refrain from calling offensive cyber capabilities \u2018weapons\u2019 (see e.g. the Air Force Instructions<\/a>, treating weapons and cyber capabilities as two distinct categories). At the same time, the term \u201ccyber means and methods of warfare\u201d can be found in many recently published cyber position papers (see e.g. Germany<\/a>, and Finland<\/a>).<\/p>\n Against the background of these terminological inconsistencies, this article will examine the legal relevance of and possible approaches to the classification of offensive cyber capabilities to then propose criteria according to which these capabilities could be classified.<\/p>\n The Terminology and Legal Implications of the Classification<\/strong><\/p>\n Offensive cyber capabilities are resources, skills, and operational concepts used to manipulate, deny, disrupt, degrade or destroy<\/a> targeted communications and information systems and achieve strategic, political, or military objectives in or through cyberspace<\/a>. They include, but are not limited to, \u201ccomputer code that is used, or designed to be used, with the aim of causing physical, functional, or mental harm to structures, systems, or people<\/a>.\u201d<\/p>\n While the term \u2018cyber weapons\u2019 is very much en vogue<\/em>, there is no authoritative or globally acknowledged definition of \u2018cyber weapons\u2019 (see here<\/a>, here<\/a>, and here<\/a>). The inflationary and often unreflective categorization of offensive cyber capabilities as \u2018cyber weapons\u2019 neglects the specifics of the capability in question and leads to confusion about the legal rules applicable thereto.<\/p>\n In the context of international humanitarian law (IHL), the terms \u2018means of warfare\u2019 and \u2018methods of warfare\u2019 are much more pertinent. Importantly, \u2018means of warfare\u2019 is commonly understood to encompass weapons and weapons systems<\/a> (cf. ICRC Commentary to Additional Protocol I<\/a>, Rule 103 of the Tallinn Manual 2.0<\/a>, and Switzerland<\/a>\u2019s<\/u> cyber position paper, p.\u00a09). In this sense, whatever falls within the ambit of the above definition of \u2018cyber weapons\u2019 also falls under the ambit of \u2018means of warfare\u2019. The term \u2018methods of warfare\u2019, on the other hand, \u201cdesignates the way or manner in which the weapons are used\u201d and \u201ccomprises any specific, tactical or strategic, ways of conducting hostilities that are not particularly related to weapons and that are intended to overwhelm and weaken the adversary\u201d (see here<\/a>, cf. Rule 103 Tallinn Manual 2.0<\/a>).<\/p>\n While the review obligation and the precautionary principle under Articles 36 and 57(2)(a)(ii) Additional Protocol I<\/a>, respectively, apply to both means (encompassing weapons) and methods of warfare, the classification of cyber capabilities as either means or methods of warfare makes a crucial difference regarding the law of neutrality. The latter forbids belligerents \u201cto move [\u2026] convoys of either munitions of war or supplies across the territory of a neutral Power\u201d (Article 2 Hague V<\/a>) and obliges neutral states to prevent their territory from being used by the belligerents (Article 5 Hague V). The Tallinn Manual 2.0<\/a>\u2019s Rule 151 states that \u201cphysically transporting cyber weapons [and] transmission of cyber weapons across cyber infrastructure located in the neutral State\u201d falls under the prohibition of Article 2 Hague V.<\/p>\n Problematically, due to the interconnectedness of cyberspace, code used for offensive cyber operations will almost always be routed through neutral territory and civilian information and communications technology (ICT) infrastructure. For the same reason, its path and spread are nearly impossible to control once employed.<\/a> Even the Stuxnet worm<\/a>, employed against an Iranian nuclear facility, though considered carefully designed and precise, did not only affect the targeted system but spread to several unintended targets<\/a> across multiple countries. During distributed denial-of-service (DDoS) operations<\/a>, Botnets<\/a>, i.e.<\/em> networks of hijacked internet-connected devices which are remotely controlled and operated to perform a certain task, are employed to flood a target system with requests to overload and disrupt it. The massive number of requests likely also overwhelms and (temporarily) incapacitates the systems it is routed through. Accordingly, the employment of offensive cyber capabilities that classify as means of warfare would almost always violate the law of neutrality. This would render their employment virtually impossible.<\/p>\n On the other hand, if offensive cyber capabilities were seen as methods of warfare, the law of neutrality would not prohibit states from transmitting code used for offensive cyber operations through neutral territory: The transmission of code would be a permitted use of ICT infrastructure in the neutral state (cf. Article 8 Hague V). This would risk undermining the purpose of the law of neutrality<\/a> \u2013 protecting neutral states and their nationals and preventing a further escalation of the conflict.<\/p>\n \u2018One Size Fits All\u2019 versus Case-by-Case Approach<\/strong><\/p>\n In accordance with the terminology chosen in the Tallinn Manual 2.0<\/a>, most publicly available cyber position papers contain the notion \u2018cyber means and methods of warfare\u2019 (e.g. Australia<\/a>, Germany<\/a>, Finland<\/a>, Australia<\/a>, Switzerland<\/a>, and the ICRC<\/a>). While all documents lack an elaboration on criteria for distinguishing between means and methods, they indicate support for a classification on a case-by-case basis.<\/p>\n In contrast, a \u2018one size fits all\u2019 approach to the classification is now advocated by the Tallinn Manuals’ general editor, Michael Schmitt. By comparison, he concludes<\/a> that offensive cyber capabilities lack a prevalent characteristic of acknowledged physical weapons – direct causation of the terminal effect on the target \u2013 because they \u201cmerely tr[y] to convince another computer to do something<\/a>\u201d. Thus, all offensive cyber capabilities would constitute methods of warfare.<\/p>\n Considering the variety of types and technical means of cyber capabilities, a \u2018one size fits all\u2019 approach is overly simplified. Moreover, relying on characteristics decisive in the physical domain neglects the fact that cyber capabilities\u2019 nature, deployment, and ways of causing harm are fundamentally different from physical weapons. While the terminal effect (i.e. damage\/destruction to objects, injury\/death to persons) is a primary effect of physical weapons<\/a>, it is usually a second-, or third-order effect of cyber capabilities. Primary effects of cyber capabilities include \u201cthe deletion, corruption, or alteration of data or the disruption of an adversary\u2019s computer network.<\/a>\u201d The Stuxnet worm<\/a>, for example, successfully took over the operation of centrifuges in an Iranian nuclear enrichment facility and caused the system to send faulty instructions (first-order effect), leading to the malfunctioning of the centrifuges (second-order effect) and ultimately the destruction of some centrifuges (third-order and terminal effect).<\/p>\n In the desirable event that loss of functionality<\/a> is recognized as damage, the primary effect of Botnets used in DDoS operations<\/a>, the (temporary) incapacitation of the target system with the amount of requests they send to the target system, and ransomware (like WannaCry<\/a>) which encrypts targeted files rendering them unusable, would also be the terminal effect. The same is true for malware<\/a> deleting data, if data is considered an object<\/a>. Those capabilities have in common that \u2013 once launched \u2013 they operate and develop independently from human interaction, thus entailing an almost incalculable risk of spreading uncontrollably and harming unintended targets. One could refer to them as automated<\/a>.<\/p>\n Different from these cyber capabilities are non-automated cyber capabilities, which are employed to gain access to and control over a system which can then be manually influenced (consider e.g. recent water plant incidents<\/a>). Here, the terminal effect is not initiated by the primary effect of the offensive cyber capability. To cause harm, intermediary human interaction is needed to exploit the situation established by the primary effect.<\/p>\n Conclusion: A Proposal for Classification Criteria<\/strong><\/p>\n Against this background, the capacity to inflict damage or destruction as a primary effect must not be an essential feature of a cyber weapon \u2013 because no authoritative weapons definition requires it, and it contradicts the mode of action of all cyber capabilities. The classification of offensive cyber capabilities should focus on technical means, the need of intermediary human interaction to cause harm, and on effects on the target system, the civilian population, and neutral states.<\/p>\n In line with this, offensive cyber capabilities would classify as means of warfare (weapons) if they 1) are automated, 2) have the capacity to initiate the process leading to the terminal effect on the target independently without human interference, and 3) are intended to and can cause a certain degree of harm (not just inconvenience, irritation, or fear<\/a>). Stuxnet, for example, would fall within this category.<\/p>\n Non-automated offensive cyber capabilities, on the other hand, where the situation created by virtue of the primary effect must be actively exploited (e.g. water plant incidents<\/a>) to cause harm, would constitute methods of warfare. This also fits in with methods of warfare<\/a> of the physical domain, like perfidy<\/a>, where e.g. feigning surrender or improper use of distinctive emblems elicit confidence from the belligerent (primary effect) which is betrayed\/exploited to cause harm.<\/p>\n While the criteria set out above will likely raise some intricate follow-up questions, they can be a starting point to discuss the classification of cyber capabilities independent from inadequate reliance on cyber capabilities\u2019 ability to demonstrate characteristics of physical weapons.<\/p>\n <\/p>\n The \u201cBofaxe\u201d series appears as part of a\u00a0<\/em>collaboration<\/em><\/u><\/a>\u00a0between the\u00a0<\/em>IFHV<\/em><\/u><\/a>\u00a0and V\u00f6lkerrechtsblog.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" How do \u2013 and should \u2013 we classify offensive cyber capabilities? Particularly in the context of international humanitarian law, the question whether offensive cyber capabilities are weapons, means of warfare, or methods of warfare is not just semantics but has legal implications. Yet, there is great terminological inconsistency. The most prominent term is arguably that […]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[6639],"tags":[],"authors":[6056],"article-categories":[5108],"doi":[],"class_list":["post-15256","post","type-post","status-publish","format-standard","hentry","category-uncategorized","authors-lisa-m-cohen","article-categories-bofaxe"],"acf":{"subline":"On the Classification of Offensive Cyber Capabilities in International Humanitarian Law"},"meta_box":{"doi":"10.17176\/20210909-093732-0"},"_links":{"self":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/15256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/comments?post=15256"}],"version-history":[{"count":2,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/15256\/revisions"}],"predecessor-version":[{"id":15259,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/posts\/15256\/revisions\/15259"}],"wp:attachment":[{"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/media?parent=15256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/categories?post=15256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/tags?post=15256"},{"taxonomy":"authors","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/authors?post=15256"},{"taxonomy":"article-categories","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/article-categories?post=15256"},{"taxonomy":"doi","embeddable":true,"href":"https:\/\/voelkerrechtsblog.org\/de\/wp-json\/wp\/v2\/doi?post=15256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}