In this article of our series on select principles of international humanitarian law (“IHL”), also referred to as the law of armed conflict (“LOAC”), we place so-called cyber capabilities in the broader context of cyber warfare and examine whether they qualify as “weapons” or rather as “means or methods of warfare” within the meaning of Article 36 of Additional Protocol I (AP I). We then analyse the peculiarities of legal reviews of “methods of cyber warfare” under Article 36 AP I and the Tallinn Manual. Readers who are new to the topic of legal weapon reviews may want to read our previous article first to build on the insights we provided in it.
To enable readers to quickly grasp the essential phrasings in treaty provisions, academic papers and military manuals, we have once again highlighted key passages.
I. What Is Cyber Warfare?
Cyberspace has become the fourth domain of today’s multi-domain warfare. It shares certain structural similarities with outer space, often referred to as the fifth domain, yet it differs from it legally and operationally in significant ways. In the military domain of cyberspace, understanding cyber warfare, information warfare and cyber attacks has become mandatory. However, no generally accepted definitions exist for these terms, and scholars, states and public media therefore attribute different meanings to them.
According to the ICRC,
“the term cyber warfare refers to means and methods of warfare that rely on information technology and are used in situations of armed conflict.”
The term “cyber weapons” has become very popular and is not only used colloquially but also in academic literature. However, official definitions of “cyber weapons” are even rarer than those of “cyber warfare”. Not even the DoD Dictionary of Military and Associated Terms provides one.
This article provides insights about the ongoing debate on “cyber weapons” and examines how applicable rules of international law oblige states to determine whether the employment of “methods of cyber warfare” complies with those rules.
II. What Are “Cyber Weapons”?
It is one significant merit of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations that it provides practical definitions of the terms most frequently used in the context of hostilities in cyberspace. Although the Tallinn Manual is not an official document and does not bind states, it is perhaps the most formative expert work on the subject. It therefore serves as an important reference point for clarifying terminology in military cyber operations.
According to Rule 103 of the Tallinn Manual 2.0, “means of cyber warfare” are “cyber weapons and their associated cyber systems”, whereas “methods of cyber warfare” are “the cyber tactics, techniques, and procedures by which hostilities are conducted.”
In its commentary on Rule 103, the Tallinn Manual derives the following definition of cyber weapons:
“cyber weapons are cyber means of warfare that are used, designed, or intended to be used to cause injury to, or death of, persons or damage to, or destruction of, objects, that is, that result in the consequences required for qualification of a cyber operation as an attack (Rule 92).”
The Tallinn Manual 2.0 thus acknowledges cyber weapons as a specific subcategory of cyber means of warfare.
III. What Are “Cyber Capabilities”?
Recently, another term has gained traction among military circles: “cyber capabilities.” The USA has taken the lead in providing a rare statutory definition of these capabilities, which are rapidly gaining importance in today’s geopolitical landscape.
A Legal Definition of Cyber Capabilities
Section 10 U.S. Code § 398a and the current DoD Dictionary of Military and Associated Terms provide that:
“The term ‘cyber capability’ means a device or computer program, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace.”
A U.S. Air Force cyber capability that requires a legal review prior to development or acquisition is:
“any device, computer program or computer script, including any combination of software, firmware or hardware intended to deny, disrupt, degrade, destroy or manipulate adversarial target information, information systems, or networks.”
Are Cyber Capabilities “Weapons?”
This is a tricky question that has various legal implications which we will address hereinafter to the extent they are relevant for Article 36 reviews. But first, we need to recall why cyber capabilities are different from weapons that apply kinetic force.
Why Cyber Capabilities are Different
There is currently no accord among states or academia as to whether cyber capabilities should be labeled as “cyber weapons.” The renowned legal scholars Jeffrey T. Biller and Michael N. Schmitt, who also serves as the editor of the Tallinn Manual, have rejected this idea. They have argued that cyber capabilities do not qualify as “weapons” or “means of warfare” because they lack:
“a damage mechanism with the ability to directly inflict the damaging or injurious terminal effect on a target.”
This argument is not without merit as it considers that cyber operations have cascading effects. As a rule, only first-order effects directly impact the targeted computer, network, or IT system. Second- and third-order effects are indirect consequences of earlier effects.
Whether this reasoning deserves approval or results in an overgeneralisation of all cyber capabilities as “methods of warfare” is nevertheless still subject to debate.
As P. J. Blount has observed, cyber operations “do not squarely fit traditional conceptualizations of weapons”. The same can be said of cyber capabilities. Article 36 AP I does not require “weapons” to cause physical injury or damage as first-order effects. However, we believe that there are valid reasons not to use the term “cyber weapons” in the context of legal reviews under Article 36 AP I or other frameworks.
Popular terms can be simple but deceptive
The term “cyber weapon(s)” has become a popular buzzword precisely because it alludes to “weapons”. Much like the term “data theft”, it is descriptive and seemingly straightforward. However, both terms can be deceptive. The term “data theft” implies that data is stolen when hackers in fact only access and copy it without permission. The indiscriminate use of the term “cyber weapon” can also lead to false assumptions. After all, states employ cyber capabilities for a broad range of activities which also include military cyber espionage. Like “data theft”, espionage has no tangible effects but only collects information. To suggest that states perform such espionage with “cyber weapons” would thus miss the point.
There is no legal need to control “cyber weapons”
Moreover, framing cyber capabilities as “cyber weapons” is not even necessary to ensure their compliance with international law. The Negotiating States that drafted Additional Protocol I had the good foresight to phrase Article 36 wisely and “future proof”. They sought to ensure that not only weapons and means, but also methods of warfare comply with international law. To achieve this goal, it is not necessary to frame each cyber capability as a “weapon”. We therefore concur with Jeffrey T. Biller and Michael N. Schmitt that treating cyber capabilities as “methods of warfare” rather than “weapons” is more appropriate. However, this need not mean that every cyber capability amounts to a method of warfare. Whether it does should in our opinion depend on the intended or expected effect it has and its severity.
Avoiding the term “cyber weapons” also has another advantage. It prevents lowering the bar for claiming a right of self-defence under Article 51 of the UN Charter. Since this has no direct bearing on Article 36 reviews, we will not expand on this here and refer readers to P. J. Blount’s instructive observations on this issue. However, we will discuss the right of self-defence in a separate article due to its high practical relevance.
State Practice
Current state terminology in military cyberspace is not uniform. It not only varies between states but at times also between military departments of the same state. The USA is the most prominent example of this phenomenon.
- Air Force Instruction 51-401 of 3 August 2018 provided “guidance and procedures for the review of Air Force weapons and cyber capabilities prior to acquisition or development to ensure legality under domestic and international law including the law of war”. It thus delineated “cyber capabilities” from “weapons” and did not refer to “cyber weapons” at all.
- By contrast, Army Regulation 27-53 “Legal Review of Weapons and Weapon Systems” of 23 September 2019 used the terms “cyber weapons” and “cyber weapon systems” extensively. However, Section 6 of this Regulation refers to “cyber capabilities that constitute cyber weapons and cyber weapon systems”.
- The DoD Law of War Manual addresses the “legal review of weapons that employ cyber capabilities”. Moreover, Section 16.6 unambiguously clarified that “Not all cyber capabilities, however, constitute a weapon or weapons system.”
The Netherlands Ministry of Defence viewed “Cyber” “only as a method so far”. Time will tell whether other states and the forthcoming Tallinn Manual 3.0 will follow this approach.
The NATO Doctrine for Cyberspace Operations
NATO’s Allied Joint Doctrine for Cyberspace Operations also does not refer to “cyber weapons” but to “capabilities in cyberspace”.
IV. Which Rule of the Tallinn Manual Governs “Weapons Review”?
The Tallinn Manual 2.0 addresses “weapons review” in Rule 110. It does so in two ways:
- First, by requiring all states “to ensure that the cyber means of warfare they acquire or use comply with the rules of the law of armed conflict that bind them”;
- Second, by requiring States that are parties to Additional Protocol I to review “a new means or method of cyber warfare” for inconsistencies with the Additional Protocol or any other applicable rule of international law.
Notably, Rule 110 only addresses “weapons” in its headline but not in its text body. The commentary does not explain this omission. However, this is of limited practical relevance. Under Rule 103, “a means or method of cyber warfare” which is subject to review under Rule 110 includes both “cyber weapons and their associated systems”.
V. How Should States Carry Out Legal Reviews of Methods of Cyber Warfare?
Mandatory questions
Legal reviews of cyber capabilities or methods of cyber warfare must, at a minimum, address the same core questions as reviews of weapons or any other means and methods of warfare:
- Question 1: Do any applicable international treaties, customary rules, or domestic regulations prohibit the method of cyber warfare in question?
- Question 2: Is the method calculated to cause (under U.S. policy) or of a nature to cause (under Article 36 AP I) superfluous injury or unnecessary suffering?
- Question 3: Does the method qualify as inherently indiscriminate because commanders cannot direct its effects against a specific military objective, or because commanders cannot limit those effects as IHL requires?
Although there is no mandatory sequence, States commonly begin with Question 1. If any applicable rule prohibits the method per se, further analysis becomes unnecessary.
In effects-based cyber operations, states must assess all reasonably foreseeable effects. Consequently, the list of questions addressed above is not necessarily conclusive.
At present, no international treaty law specifically prohibits methods of cyber warfare. Moreover, such methods are unlikely to produce first-order effects that directly harm combatants in a way that causes superfluous injury or unnecessary suffering. The decisive issue is therefore often their discriminate character.
Stuxnet remains the benchmark
The only publicly documented military use of computer malware to date is Stuxnet. It exemplifies how means of cyber warfare can be employed without relevant indiscriminate effects.
Developers designed Stuxnet to disrupt Iran’s nuclear capabilities. Because Iran’s primary nuclear facility near Natanz operated as an ‘air-gapped’ facility, meaning operators deliberately kept it disconnected from the internet, reports indicate that actors introduced the malware on-site via USB devices. Stuxnet manipulated Siemens SCADA software to cause reactor centrifuges to spin at irregular speeds. This led to their physical destruction through overheating. A rootkit concealed the manipulation by displaying normal operating data to personnel.
Like many forms of malware, Stuxnet also produced spillover effects and eventually spread beyond Iran via the internet.
However, the New York Times reported in 2011 that independent security expert Ralph Langner described Stuxnet as “a marksman job.” Developers had engineered it to activate only in specific SCADA systems configured for nuclear centrifuges.
Stuxnet demonstrates that developers can, at least in principle, engineer cyber operations to meet the requirement of distinction under IHL. Where technically feasible and operationally practicable, such precision cyber operations may be preferable to kinetic force, notably if the latter risks civilian casualties, superfluous injury, or unnecessary suffering.
As the Stuxnet incident illustrates, sophisticated cyber operations may not produce permanent first-order destruction. However, remediation may take longer than repairing damage caused by kinetic strikes.
Conclusion and Outlook
Ultimately, both kinetic force and cyber options often buy time rather than produce definitive outcomes. Political and military decision-makers may use that time to negotiate disarmament agreements, monitor repair efforts, or prepare further operational responses in compliance with the law of armed conflict. Even in the current return to the use of kinetic force in the armed conflict between the USA, Israel and Iran, alternative means and methods of warfare always remain an option.
In our next instalment of this series, we will address legal reviews of (lethal) autonomous weapon systems ((L)AWS). These systems have generated significant controversy within defence establishments, LOAC/IHL scholarship, and the broader public debate.