Cyber operations are being increasingly used by state and non-state actors in the conduct of offensive and destructive actions. Given the evolving nature of technology concerning cyber activities, the legal parameters surrounding this issue are largely unsettled. The Australian Strategic Policy Institute (APSI), in a recent publication, has highlighted the challenges in defining precisely what falls within the ambit of a ‘cyber weapon’.
Why are definitions important?
In terms of cyber activity and cyber weaponry, as with any developing area of law, the adoption of accepted and consistent definitions of key terminology is likely to assist in the creation of legal norms and policy discussions on the responsible use of cyber operations and ‘cyber arms’ control.
What are the potential definitions of cyber weapons?
Various authors and instruments have discussed cyber weapons in terms of the physical effects they cause. However, settling upon an accurate and comprehensive definition of cyber weapons remains a challenge. The APSI points out that, commonly, cyber technology can have dual functions – attack/defence, peaceful/aggressive, legal/illegal. A further complication is that the modular nature of cyber material means that otherwise legitimate individual software tools can be combined for disruptive or destructive purposes.
Accordingly, two possible definitions of ‘cyber weapons’ are considered.
A potential narrow definition of cyber weapons is ‘software and information technology systems (IT) that, through ICT networks, cause destructive effects and have no other possible uses.’
A key aspect of this definition is that IT systems (such as computer code) are not standalone weapons but require incorporation within a broader weapon. Under the narrow definition, a cyber weapon will only exist where the software or IT system can only be used for a destructive purpose.
Such a narrow definition is consistent with the type adopted by the international community in the Biological Weapons Convention and Chemical Weapons Convention. Both treaties concern products which, like many cyber tools, can have dual functions.
Further, the narrow definition precisely identifies the user’s intent. If there is any ambiguity in terms of intended use then the cyber tool will not be considered a weapon.
Identified problems with this definition are:
(i) that this would not conform with the definitions states have given to offensive cyber activities (for example, the definition would not cover a United States cyber action to change passwords and delete content from Islamic State computer networks);
(ii) it would be possible to launch extremely destructive cyber operations that would fall outside the definition; and
(iii) actors could get around the definition by simply adding a non-destructive function to the cyber tool.
An alternative broad definition for ‘cyber weapons’ is ‘software and IT systems that, through ICT networks, manipulate, deny, disrupt, degrade, or destroy targeted information systems or networks.’
The key benefit of this definition is that, as opposed to the narrow definition, its broad scope would cover all tools that could be utilised in offensive cyber activities.
The flip-side of this however is that a large number of cyber operations use computer administration tools that have multiple uses. In these cases, the difference lies in the intent of the user, not the capability of the cyber tool. For example, a program may have the ability to both copy (espionage) and delete (offensive action) files, with the different outcome manifesting only in the command given to the program by its user. Consequently, the broad definition would likely render a range of legitimate tools as ‘cyber weapons’.
The essential differences and ultimate dilemma
What are the key differences between the definitions?
There are two fundamental differences in the definitions: nature of tools covered and intent of the user.
Nature of tools covered
The narrow definition only covers cyber tools which can solely be used for destructive purposes. Conversely, the broad definition encompasses all cyber tools that could potentially cause destruction; regardless of whether this is the only or most common use.
Intent of the user
With the narrow definition, the user’s intent is apparent through mere utilisation of the cyber tool. Under the broad definition, irrespective of whether or not the user intends to utilise a tool for a legitimate purpose, it may still constitute a cyber weapon.
What is the dilemma?
When considering a potential definition for ‘cyber weapons’, practical considerations remain relevant. As noted by the ASPI, on one hand states may be more willing to adopt a narrow definition, but then ‘cyber weapons’ may become an illusory concept due to the large scope of destructive cyber activity not covered. On the other hand, the net of a wide definition, whilst catching offensive cyber activity, would also ensnare legitimate tools and therefore inhibit the activities of those who defend against cyber-attacks.
Reference: Australian Strategic Policy Institute, Defining Offensive Cyber Capabilities (2018)