Article 36 of Protocol I Additional to the 1949 Geneva Conventions requires states to conduct a legal review of all new weapons, means and methods of warfare in order to ensure that their deployment would be in compliance with international law. It states that: “In the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an obligation to determine whether its employment would, in some or all circumstances, be prohibited by this protocol or by any other rule of international law applicable to the High Contracting Party.”
The cyber domain creates some new controversies as to what to review, when to conduct the review and which legal regime should apply – international human rights law or law of armed conflict. Cyber capability development is a complex and time-consuming procedure, further complicated by the fact that majority of the more sophisticated cyber weaponry is tailored to a specific target. Getting to know the target, its functioning and the vulnerabilities inherent to it, therefore, makes up a large share of the whole development and/or deployment procedure, while the actual attack may consist of merely switching a button. This kind of systemic long-period covert information gathering typically belongs to the arsenal of foreign intelligence services, rather than that of weapons review committees. The merging of espionage and weapon acquisition implies that while one is accessing and copying the necessary data about the target and learning to know its systems, she might, in fact, already be using or at the very least building the capability. Taking the latter as its point of departure, the present study aims to look at how cyber intelligence is regulated and compare it to the legal framework applicable to weapon reviews, search for overlaps and contradictions and ultimately shed some light into which regime should be preferred in the different stages from the study to deployment of a cyber weapon.