Protecting the cyber domain requires speedy responses. Mustering that speed will be a task reserved for autonomous cyber agents—software that chooses particular actions without prior human approval. Unfortunately, autonomous agents also suffer from marked deficits, including bias, unintelligibility, and a lack of contextual judgment. Those deficits pose serious challenges for compliance with international law principles such as proportionality.
In the jus ad bellum, jus in bello, and the law of countermeasures, compliance with proportionality reduces harm and the risk of escalation. Autonomous agent flaws will impair their ability to make the fine-grained decisions that proportionality entails. However, a broad prohibition on deployment of autonomous agents is not an adequate answer to autonomy’s deficits. Unduly burdening victim states’ responses to the use of force, the conduct of armed conflict, and breaches of the non-intervention principle will cede the initiative to first movers that violate international law. Stability requires a balance that acknowledges the need for speed in victim state responses while ensuring that those responses remain within reasonable bounds.
The approach taken in this Article seeks to accomplish that goal by requiring victim states to observe feasible precautions in the use of force and countermeasures, as well as the conduct of armed conflict. Those precautions are reconnaissance, coordination, repair, and review. Reconnaissance entails efforts to map an adversary’s network in advance of any incursion by that adversary. Coordination requires the interaction of multiple systems, including one or more that will keep watch on the primary agent. A victim state must also assist through provision of patches and other repairs of third-party states’ networks. Finally, planners must regularly review autonomous agents’ performance and make modifications where appropriate.
These precautions will not ensure compliance with the principle of proportionality for all autonomous cyber agents. But they will both promote compliance and provide victim states with a limited safe harbor: a reasonable margin of appreciation for effects that would otherwise violate the duty of proportionality. That balance will preserve stability in the cyber domain and international law.