A Digital Magazine from IT Department

What are Cyber Weapons? – By Manoj Bramhe

Cyber operations are being increasingly used by state and non-state actors in the conduct of offensive and destructive actions. Given the evolving nature of technology concerning cyber activities, the legal parameters surrounding this issue are largely unsettled. The Australian Strategic Policy Institute (APSI), in a recent publication,[1] has highlighted the challenges in defining precisely what falls within the ambit of a ‘cyber weapon’.

Why are definitions important?

In terms of cyber activity and cyber weaponry, as with any developing area of law, the adoption of accepted and consistent definitions of key terminology is likely to assist in the creation of legal norms and policy discussions on the responsible use of cyber operations and ‘cyber arms’ control.

What are the potential definitions of cyber weapons?

Various authors and instruments have discussed cyber weapons in terms of the physical effects they cause. However, settling upon an accurate and comprehensive definition of cyber weapons remains a challenge. The APSI points out that, commonly, cyber technology can have dual functions – attack/defence, peaceful/aggressive, legal/illegal. A further complication is that the modular nature of cyber material means that otherwise legitimate individual software tools can be combined for disruptive or destructive purposes.

Accordingly, two possible definitions of ‘cyber weapons’ are considered.

Narrow definition

A potential narrow definition of cyber weapons is ‘software and information technology systems (IT) that, through ICT networks, cause destructive effects and have no other possible uses.’

A key aspect of this definition is that IT systems (such as computer code) are not standalone weapons but require incorporation within a broader weapon. Under the narrow definition, a cyber weapon will only exist where the software or IT system can only be used for a destructive purpose.

The Pros

Such a narrow definition is consistent with the type adopted by the international community in the Biological Weapons Convention and Chemical Weapons Convention. Both treaties concern products which, like many cyber tools, can have dual functions.

Further, the narrow definition precisely identifies the user’s intent. If there is any ambiguity in terms of intended use then the cyber tool will not be considered a weapon.

The Cons

Identified problems with this definition are:

(i) that this would not conform with the definitions states have given to offensive cyber activities (for example, the definition would not cover a United States cyber action to change passwords and delete content from Islamic State computer networks);

(ii) it would be possible to launch extremely destructive cyber operations that would fall outside the definition; and

(iii) actors could get around the definition by simply adding a non-destructive function to the cyber tool.

Broad definition

An alternative broad definition for ‘cyber weapons’ is ‘software and IT systems that, through ICT networks, manipulate, deny, disrupt, degrade, or destroy targeted information systems or networks.’

The Pros

The key benefit of this definition is that, as opposed to the narrow definition, its broad scope would cover all tools that could be utilised in offensive cyber activities.

The Cons

The flip-side of this however is that a large number of cyber operations use computer administration tools that have multiple uses. In these cases, the difference lies in the intent of the user, not the capability of the cyber tool. For example, a program may have the ability to both copy (espionage) and delete (offensive action) files, with the different outcome manifesting only in the command given to the program by its user. Consequently, the broad definition would likely render a range of legitimate tools as ‘cyber weapons’.