Autonomous cyber capabilities and unilateral measures of self-help against malicious cyber operations

Autonomous cyber capabilities – that is, cyber capabilities able to operate without real-time human intervention – are currently being researched and developed by several states as a result of the increasing use of artificial intelligence and autonomy in the military domain. Whereas these capabilities are expected to be mainly employed to respond to malicious cyber operations, their use for defensive purposes raises some legal challenges that deserve to be explored. This paper seeks to analyse whether autonomous cyber capabilities can be used in compliance with international law to respond to malicious cyber operations using unilateral measures of self-help. After briefly introducing the notion of autonomous cyber capabilities and their current state of technological development, this paper will consider whether autonomous cyber capabilities can be used in compliance with the law regulating self-defence, countermeasures, plea of necessity and retorsions. As will be shown, their potential use in circumstances precluding wrongfulness (i.e., self-defence, countermeasures and plea of necessity) is highly problematic, as autonomous cyber capabilities seem to be currently unable to identify the objective and subjective element of the malicious cyber operation (whether it amounts to an internationally wrongful act and whether it is attributable to a state), and to calibrate their response in the light of the principles of necessity and proportionality. Yet, it will be suggested that states may still cautiously use autonomous cyber capabilities to carry out acts of retorsion.