Autonomous cyber capabilities in the use of force and conduct of hostilities: a jus ad bellum and jus in bello perspective

Autonomous cyber capabilities – that is, software agents designed and programmed by a human operator to carry out some tasks through cyberspace without real-time human control in pursuit of a pre-determined goal – are emerging from the realm of science fiction and becoming a reality. States are currently researching and developing these technologies to be used for both offensive and defensive purposes. Thus, there are no doubts that autonomous cyber capabilities will play a crucial role in the future of warfare. At the same time, however, the increasing autonomy of cyber capabilities brings with it new legal hurdles that need to be addressed. So far, conversations about cyberspace and autonomous systems have generally neglected this topic. This thesis aims at filling the gap in the existing literature by exploring whether and to what extent autonomous cyber capabilities can be used in compliance with the international law regulating the use of force (jus ad bellum) and the conduct of hostilities (jus in bello). It will be contended that autonomous cyber capabilities can be used in compliance with these two branches of international law only in some limited circumstances – that is, when they are used to carry out pre-determined, tailored operations in closed and predictable environments. In all the other circumstances, autonomous cyber capabilities raise important challenges vis-à-vis the lex lata. In order to overcome these challenges and ensure the use of autonomous cyber capabilities in compliance with international law under all circumstances, this thesis will suggest as a lex ferenda proposal that States should retain a certain degree of human control as a result of their due diligence obligations. Accordingly, it proposes that in using autonomous cyber capabilities States are required to retain a certain degree of human control in order to ensure compliance with international law. It also argues that the level of human control ultimately depends on the characteristics and design of autonomous cyber capabilities, the circumstances of deployment, and the operating environment.