Feeds

Cyberwar playbook says Stuxnet may have been 'armed attack'

Would you rather be shot, blown up, stabbed - or hacked?

Boost IT visibility and business value

The Stuxnet attack on Iran was an illegal "act of force", according to at least some of the legal experts who helped draw up a NATO-commissioned Geneva Convention-style rules of cyberwarfare document.

"Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force," and are likely to violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, which was put together by an independent group of legal scholars and lawyers assembled by NATO’s Cooperative Cyber Defense Center of Excellence in Estonia.

Michael Schmitt, professor of international law at the US Naval War College in Rhode Island and lead author of the study, told the Washington Times that "according to the UN charter, the use of force is prohibited, except in self-defence".

Senior US and Israeli officials last year unofficially admitted creating the Stuxnet worm that crippled Iran’s nuclear program by sabotaging industrial equipment used in Uranium purification. Stuxnet targeted systems controlling high-speed centrifuges used in the Iranian nuclear programme to enrich uranium, causing them to slow down and speed up repeatedly until they failed under the abnormal mechanical strain.

The manual states that "any cyber operation which rises to the level of an armed attack in terms of scale and effects and which is conducted by or otherwise attributed to a state constitutes a use of force".

State-controlled Iranian media, such as the English language news outlet PressTV (here), were quick to seize on Schmitt's comments and selective extracts from the manual in accusing the US and Israel of an illegal act of force over the Stuxnet deployment.

However the actual manual is unclear whether or not Stuxnet was an armed attack. The legal experts were hostile to any notion that Iran could be legally justified in striking back against its presumed cyber-aggressors at this point, so long after the worm had done its damage.

Schmitt said the legal experts who drew up the manual agreed that Stuxnet was an act of force but were divided on whether the malware constituted an armed attack. And even if it was an armed attack it might still be justified as self defense in the form of striking back at the aggressor in the face of imminent attack, as a paragraph on page 58 of the manual explains:

In light of the damage they caused to Iranian centrifuges, some members of the international group of experts were of the view that the attack had reached the armed attack threshold (unless justifiable on the basis of anticipatory self defence) [our emphasis].

No international cyber-security incidents to date have clearly crossed over into something comparable to an armed attack, according to the legal experts. The 2007 cyber-operations against Estonia were not characterised by anyone, neither the Estonians nor the international community, as an armed attack - because the scale and effects of the cyber-attack didn't bear comparison to anything even a small scale armed attack might involve. Stuxnet was a better example of a potential cyberattack.

Iran didn't even know that its infrastructure was under attack or by who until long after Stuxnet had done its damage. Rule 9 states that:

"A state injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber-countermeasures, against the responsible state".

However the manual adds an important caveat (rule 15) that "the right to use force in self-defence arise if a cyber-armed attack occurs or is imminent. It is further subject to a requirement of immediacy."

The rules of international law imply that any attempt by Iran to respond to Stuxnet with its own attack or cyber-attack would be characterised as retaliation, and not self-defence, unless it has reason to conclude that cyber-attacks of the same scale are once again imminent.

Elsewhere during his interview with the Washington Times, Schmitt talks about the involvement of civilian hackers in cyber-conflicts.

If a cyberattack occurs before shooting starts, “It’s a crime", says Schmitt. However if a hacker attack occurs after two countries become engaged in open conflict then the hackers behind the cyberattack have effectively have joined hostilities as combatants and can be targeted with "lethal force", according to Schmitt.

The cyber skirmishes that occurred between Georgia and Russia in 2008 during the course of a ground war between the two countries over a break-away region are the primary example to date of a set of circumstances that might leave hackers in the firing line. This might be justified by incidents such as cyber-attacks on an enemy electricity plant that causes explosions and injures workers, the manual suggests. Something has to be raised to a level akin to armed attack: so we're talking Die Hard 4.0-style attacks against power grids, financial systems and transportation networks rather than mere website defacement or propaganda, it would seem.

The majority of the legal eagles took the view that an "informal groupings of individuals acting in a collective but otherwise uncoordinated fashion cannot comprise an organised armed group". Which might be taken as removing the likes of Anonymous from a list of combatants but perhaps including groups similar to LulzSec that feature an informal leadership, list of potential targets and an inventory of hacker tools.

The manual is far clearer in comparing hackers-for-hire to mercenaries who "do not enjoy combat immunity or prisoner of war status" (rule 28). ®

Build a business case: developing custom apps

More from The Register

next story
Hello, police, El Reg here. Are we a bunch of terrorists now?
Do Brits risk arrest for watching beheading video nasty? We asked the fuzz
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
This'll end well: US govt says car-to-car jibber-jabber will SAVE lives
Department of Transportation starts cogs turning for another wireless comms standard
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.