SecurityWeek

Cybercrime

Stuxnet Likely Constituted Illegal Act of Force, Study Says

According to a recent publication from a team of international law practitioners and scholars, who were invited by NATO to create a manual on the law governing cyber warfare, Stuxnet was an act of force, and the use of such force against Iran is likely illegal, as the U.S. was not acting in self-defense at the time the malware was deployed.


The publication in question is the Tallinn Manual. The Tallinn Manual was created on the premise that a team of experts could develop a document that applies the standards of international law to a virtual battlefield. The project to create such a document started in 2009, when the NATO Cooperative Cyber Defence Center of Excellence invited several experts to create a manual on the law governing cyber warfare.

According to the Atlantic Council, the Tallinn Manual “focuses heavily on the principles of jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and jus in bello, the international law regulating the conduct of armed conflict.”

It does not, however, focus on cybersecurity, but rather on how international laws regarding warfare can be adapted to fit similar conflicts in cyberspace. In an interview with the Washington Times, Michael N. Schmitt, the manual’s lead author, said their goal was not to make law, but to provide an “aid to legal advisers to governments and militaries, almost a textbook.”

Still, according to the authors of the Tallinn Manual, the use of Stuxnet – a self-replicating cyber weapon, or state-sponsored malware – to destroy Iranian centrifuges that were enriching uranium was an act of force:

“The prohibition on the use of force in international law applies fully to cyber operations. International law has no well-defined threshold for determining when a cyber operation is a use of force. However, the International Group of Experts agreed that, at a minimum, any cyber operation that caused harm to individuals or damage to objects qualified as a use of force.”

According to the U.N. Charter, force is prohibited except in the case of self-defense. Yet the authors could not agree on whether Stuxnet’s usage constituted an armed attack. If the use of Stuxnet was an armed attack, then the Tallinn Manual has a provision for that as well:

“A State that is the victim of a cyber “armed attack” may respond by using force. The force may be either cyber or kinetic. In international law, an “armed attack” is a “grave” use of force. Any cyber operation that results in death or significant damage to property qualifies as an armed attack.”

The argument has been made that Stuxnet was self-defense, albeit anticipatory self-defense, which makes it a valid use of force. But that is open to debate, because depending on the stance taken, Stuxnet’s usage could be seen as justifiable defense given Iran’s statements of hostility, or as an act of war against Iran itself.

The full manual is available here. A briefing sheet, with all of the highlights – including the role of hacktivists – can be found here.


Related: Obama Ordered Use of Stuxnet, Acceleration of Cyber Attacks Against Iran
