CYIL vol. 13 (2022)

JAKUB SPÁČIL CYIL 13 ȍ2022Ȏ conclude whether the elements of an armed attack are actually met based solely on the scope and consequences of the operation, without taking into account the intent of the attacker, since it may only be the unplanned cascading effects of the operation that do not require a response in self-defense. 39 The risks associated with the uncontrolled spread of malware can be demonstrated on an example of the Sapphire virus that spread in 2003. Although the virus targeted computer servers in South Korea, it spread globally 40 and caused problems in the United States, Canada, Thailand, Japan, Malaysia, the Philippines and India. 41 As a result of the Sapphire virus infecting computer systems, the 911 emergency telephone line was disconnected, among other things, which undoubtedly could have led to delays in providing medical assistance and therefore to personal injury or death. Similar instances of uncontrolled malware spread cannot be prevented as they are inherent in this type of software. While standard software is programmed and tested for a specific environment (e.g. before deploying software controlling a production line, it is thoroughly tested in a simulated environment to avoid damaging the line when the software is deployed), a similar level of testing cannot be achieved with malware, as it is usually software to be deployed in an environment about which the malware creator has only limited information. 42 Although malware used for military operations can be expected to contain a number of safeguards against such uncontrolled proliferation, it can never be completely eliminated. Indeed, even the Stuxnet worm used to destroy centrifuges at the Natanz nuclear plant in Iran in 2008, which was tested on a model of those centrifuges in U.S. Department of Energy laboratories prior to use, and whose spread was intended to be limited to the plant, spread globally due to a coding error, and only due to very comprehensive targeting did not damaged other control systems with potentially tragic consequences. 43 The foregoing considerations must lead us to the question of how to assess the relationship between the intent of the attacker (the subjective element of armed attack) and the consequence caused (the objective element of armed attack). Is it true that any consequences of a cyber operation that are not directly planned cannot be taken into account for the purposes of assessing the fulfilment of the objective element of an armed attack? The short answer is no. As in the case of kinetic attacks, when malware is used, the attacking state must be aware of a certain range of consequences corresponding to the weapon used. The question then is how to determine the threshold of such damage that can still be attributed to the attacking state for the purposes of assessing whether the elements of an armed attack have been met. Before attempting to answer this question, we will present three hypothetical examples of cyber operations conducted with different intent and with varying degrees of unintended consequences. 39 Ruys concludes that animus is presumed in the case of major attacks (RUYS, 2011, p. 167, see supra note 17), but this is not applicable to cyber operations due to their unpredictability. 40 TECHREPUBLIC. Lock IT Down: Sapphire/Slammer worm attacks SQL Server and the Internet [online]. TechRepublic.com, 28 January 2003 [accessed 14 March 2022]. Available at < https://www.techrepublic.com/ article/lock-it-down-sapphire-slammer-worm-attacks-sql-server-and-the-internet/>. 43 SANGER, E., D., MAZZETTI, M. Israel Struck Syrian Nuclear Project, Analysts Say [online]. NYTimes. com, 14 October 2007 [accessed 14 March 2022]. Available at < https://www.nytimes.com/2007/10/14/ washington/14weapons.html>; GROSS, M., J. A Declaration of Cyber-war [online]. VanityFair.com, 3 March 2011 [accessed 14 March 2022]. Available at < https://www.vanityfair.com/news/2011/03/stuxnet-201104>. 41 NGUYEN, 2013, p. 1100, see supra note 2. 42 NGUYEN, 2013, p. 1102, see supra note 2.

56

Made with FlippingBook Learn more on our blog