
Stuxnet Likely Constituted Illegal Act of Force, Study Says

According to a recent publication from a team of international law practitioners and scholars, who were invited by NATO to create a manual on the law governing cyber warfare, Stuxnet was an act of force; and the use of such force against Iran is likely illegal, as the U.S. was not acting in self-defense at the time the malware was deployed.

The publication in question is the Tallinn Manual. The Tallinn Manual was created on the premise that a team of experts could develop a document that applies the standards of international law to a virtual battlefield. The project to create such a document started in 2009, when the NATO Cooperative Cyber Defence Center of Excellence invited several experts to create a manual on the law governing cyber warfare.

According to the Atlantic Council, the Tallinn Manual “focuses heavily on the principles of jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and jus in bello, the international law regulating the conduct of armed conflict.”

It does not, however, focus on cybersecurity, but rather on how international laws regarding warfare can be adapted to fit similar conflicts in cyberspace. In an interview with the Washington Times, Michael N. Schmitt, the manual’s lead author, said their goal was not to make law, but to provide an “aid to legal advisers to governments and militaries almost a textbook.”

Still, according to the authors of the Tallinn Manual, the use of Stuxnet, a self-replicating cyber weapon, or state-sponsored malware, to destroy Iranian centrifuges that were enriching uranium was an act of force:

“The prohibition on the use of force in international law applies fully to cyber operations. International law has no well-defined threshold for determining when a cyber operation is a use of force. However, the International Group of Experts agreed that, at a minimum, any cyber operation that caused harm to individuals or damage to objects qualified as a use of force.”

According to the U.N. Charter, force is prohibited except in the case of self-defense. Yet the authors could not agree on whether Stuxnet’s usage constituted an armed attack. If the use of Stuxnet was an armed attack, then the Tallinn Manual has a provision for that as well:

“A State that is the victim of a cyber “armed attack” may respond by using force. The force may be either cyber or kinetic. In international law, an “armed attack” is a “grave” use of force. Any cyber operation that results in death or significant damage to property qualifies as an armed attack.”

The argument has been made that Stuxnet was self-defense, albeit anticipatory self-defense, which makes it a valid use of force. But that is open to debate, because depending on the stance taken, Stuxnet’s usage could be seen as justifiable defense given Iran’s statements of hostility, or as an act of war against Iran itself.

The full manual is available here. A briefing sheet, with all of the highlights, including the role of hacktivists, can be found here.

Related: Obama Ordered Use of Stuxnet, Acceleration of Cyber Attacks Against Iran

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.