Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Stuxnet Likely Constituted Illegal Act of Force, Study Says

According to a recent publication from a team of international law practitioners and scholars, who were invited by NATO to create a manual on the law governing cyber warfare, Stuxnet was an act of force; and the use of such force against Iran is likely illegal, as the U.S. was not acting in self-defense at the time the malware was deployed.

According to a recent publication from a team of international law practitioners and scholars, who were invited by NATO to create a manual on the law governing cyber warfare, Stuxnet was an act of force; and the use of such force against Iran is likely illegal, as the U.S. was not acting in self-defense at the time the malware was deployed.

The publication in question is the Tallinn Manual. The Tallinn Manual was created on the premise that a team of experts could develop a document that applies the standards of international law to a virtual battlefield. The project to create such a document started in 2009, when the NATO Cooperative Cyber Defence Center of Excellence invited several experts to create a manual on the law governing cyber warfare.

Stuxnet IllegalAccording to the Atlantic Council, the Tallinn Manual “focuses heavily on the principles of jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and jus in bello, the international law regulating the conduct of armed conflict.”

It does not however, focus on cybersecurity, but rather how international laws regarding warfare can be adapted to fit similar conflicts in cyberspace. In an interview with the Washington Times, Michael N. Schmitt, the manual’s lead author, said their goal was not to make law, but provide an “aid to legal advisers to governments and militaries almost a textbook.”  

Still, according to the authors of the Tallinn Manual, the use of Stuxnet – a self-replicating cyber weapon, or state-sponsored malware, to destroy Iranian centrifuges that were enriching uranium, was an act of force:

“The prohibition on the use of force in international law applies fully to cyber operations. International law has no well – defined threshold for determining when a cyber operation is a use of force. However, the International Group of Experts agreed that, at a minimum, any cyber operation that caused harm to individuals or damage to objects qualified as a use of force.”

According to U.N. charter, force is prohibited except in the case of self-defense. Yet, the authors could not agree if Stuxnet’s usage constituted an armed attack. If the use of Stuxnet was an armed attack, then the Tallinn Manual has a provision for that as well:

“A State that is the victim of a cyber “armed attack” may respond by using force. The force may be either cyber or kinetic. In international law, an “armed attack” is a “grave” use of force. Any cyber operation that results in death or significant damage to property qualifies as an armed attack.”

The argument has been made that Stuxnet was self-defense, but anticipatory self-defense, which makes it a valid use of force. But that is open to debate, because depending on stance made, Stuxnet’s usage could be seen as justifiable defense given Iran’s statements of hostility, or as an act of war against Iran itself.

The full manual is available here. A briefing sheet, with all of the highlights – including the role of hacktivists – can be found here

Advertisement. Scroll to continue reading.

Related: Obama Ordered Use of Stuxnet, Acceleration of Cyber Attacks Against Iran

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.