Securing Their Swords: Do States have an Obligation to Protect the Cybersecurity of their Autonomous Weapons?

Under international law and custom, countries have a variety of duties which can invoke an “obligation to protect”. These duties may oblige the taking of certain precautions during armed conflicts, protecting the human rights of their citizens or those under their jurisdiction, or taking especial care of those with special needs or vulnerabilities. However, to what extent must States who develop autonomous weapons protect those systems from hijack and subsequent misuse? Do States have an obligation to protect the cybersecurity of their weapons, and / or to protect civilians from the misuse of those weapons?

The simplest answer is that a State which hijacks or subverts an autonomous weapon carries the same obligations under international law and the laws of armed conflict as the use of conventional weapons – predominantly those of necessity, proportionality and distinction. However, such a simplistic analysis suggests that the nature of a perfidious attack by a hijacked autonomous weapon would be prima facie attributable to the interfering State. It further ignores the danger inherent in unconstrained and unregulated use of a highly complex technological weapon system against unprotected civilians, or in the use of such a system outside recognised instances of armed conflict.

This panel will explore whether States do carry an obligation to take at least reasonable steps to protect the cybersecurity of the autonomous and semi-autonomous weapons they develop and deploy, the source of that obligation, and what that obligation might look like in practice.