A group of international law experts have agreed that the Stuxnet malware attack on Iran was an act of force and possibly illegal but its impact may not have been severe enough to entitle Iran to respond with force.
The NATO cyber defence centre in Estonia last week released the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 280 page document written by 20 international law experts that covers 95 “black letter rules” governing cyber conflicts written.
The manual's general editor, Michael Schmidt, chairman of the International Law Department at the US Naval War College, told the Washington Times the group were unanimous that Stuxnet was an “act of force”.
The document (page 48) states that “acts that kill or injure persons or destroy or damage objects are unambiguous uses of force”. It notes the UN Charter prohibits the use of force unless except when it is in self-defence.
The Stuxnet worm, discovered in 2010, was reportedly ordered by the US Government and developed with the aid of Israel. The program was designed to infect control systems used in Iran’s uranium enrichment equipment.
The 20 scholars were less certain whether Stuxnet’s effects were severe enough to qualify as an “armed attack”, which would have, under Article 51 of the UN Charter, afforded Iran the right to use force in self-defence.
Schmidt told the Washington Times the document was meant to be a “textbook” for legal advisors to governments and militaries, adding that it was not a list of recommendations.
“States make law, not scholars,” said Schmidt. “We wanted to create a product that would be useful to states to help them decide what their position is” in regard to the manual’s interpretation of the law.
“We were not making recommendations, we did not define best practice we did not want to get into policy,” he said.
The document places a higher threshold on the term “cyber attack” than its popular use in that, “whether defensive or offensive, it is reasonably expected to cause injury or death to persons or damage or destruction to objects.” A case that qualifies is an attack on electrical grid SCADA systems that results in fires. Attacks on data that result in deaths or destruction of systems also qualify.
It also makes a distinction between espionage and computer network exploitation (CNE). CNE, in the context of the law of armed conflict, are not cyber espionage when conducted from outside the enemy controlled territory.