Did Stuxnet breach the UN Charter’s ‘Principles’?

On 28 September, the Iranian Foreign Affairs Minister Ali Akbar Salehi addressed the UN Security Council at the High Level Meeting on Countering Nuclear Terrorism (the text of the speech can be read here). Among other things, in the speech Salehi criticized cyber attacks against Iranian nuclear facilities and qualified them as ‘manifestation of nuclear terrorism and consequently a grave violation of the principles of UN Charter and international law’ (the emphasis is mine).  This might be the first time that Iran has taken an official and explicit position with regard to the (il)legality of Stuxnet, at least in an international forum (on the ‘conspiracy of silence’ that surrounded Stuxnet, see David Fidler’s interesting article in Privacy Interests, July/August 2011).

The question however is, which UN Charter principles were allegedly breached by Stuxnet? Assuming that Salehi used the word ‘principles’ in a technical sense, the Charter’s principles are famously listed in Article 2. Principles 5, 6 and 7 are not relevant in the present case. Principle 2 merely refers to the duty to comply in good faith with the obligations arising from the Charter. On the other hand, Principle 1 reaffirms the sovereign equality of states, a corollary of which is the prohibition of intervention in internal affairs of other states. According to the International Court of Justice, the prohibition of intervention is ‘part and parcel of international law’ (Nicaragua v. United States (Merits), 1986, para. 202). The 1970 UN General Assembly’s Declaration on Friendly Relations condemns ‘armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements’, and also emphasizes  that ‘[n]o State may use or encourage the use of economic political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights and to secure from it advantages of any kind’ (the emphasis is mine). The language is broad enough to cover intervention by means of cyber attacks when they have a coercive purpose, i.e. when they aim at coercing the target state into doing or not doing something that the state is otherwise legally entitled to do. But if the (non-forcible) intervention is a reaction against something that the target state was not legally entitled to do, i.e. a breach of international law, then it could amount to a lawful countermeasure aimed at persuading the wrongdoing state to stop the breach and provide reparation. From this perspective, the legality of Stuxnet would therefore depend on: 1) whether Iran’s nuclear programme is an internationally wrongful act in the form of a violation of NPT obligations; 2) whether the state(s) behind Stuxnet (if any) were ‘injured’ by Iran’s breach or were otherwise entitled to adopt countermeasures in relation to it under the law of state responsibility (see Arts. 42, 48 and 54 of the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts); 3) whether Stuxnet amounted to a ‘use of force’ (countermeasures cannot affect the prohibition of the use of force: Art. 50 (1) of the ILC Articles); 4) whether non-proliferation law is a special regime that has its own enforcement mechanisms (see Sahib Singh’s chapter in my and Dan’s book).

The third condition leads me to discuss the other two relevant principles in Article 2 of the UN Charter that might determine the illegality of Stuxnet. Principles 3 and 4 are two sides of the same coin and affirm the obligation to settle international disputes peacefully and not to resort to armed force in international relations. Whether Stuxnet is a violation of these two principles depends on whether it can be qualified as a use of ‘armed force’. I have already addressed this issue here, so I will limit myself to refer to the points I make in that article. The recently released draft of the Tallinn Manual on Cyber Warfare (text here) argues, in Rule 11, that ‘[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’. It then suggests several non-exhaustive factors in order to determine when it is so (pp. 49-50). In the end, the Manual concludes that Stuxnet was a use of force (p. 47) and, at least according to some of the experts that drafted the Manual, even an ‘armed attack’ (p. 56). I do not think that Stuxnet reached the scale and effects threshold of an armed attack, but, as it did cause material damage of some significance, I do not see any problems with qualifying it as a use of force, for the reasons I try to explain in my article. It should also be noted that, unlike the previous case of the principle of non-intervention, the legality of Stuxnet as a use of force would not depend on whether Iran has breached the NPT: under Article 51 of the Charter, force can be used only if an armed attack ‘occurs’. Even if Iran were developing nuclear weapons, it would not have committed an armed attack until it actually uses them.

To sum up. If Stuxnet was a use of force, then the responsible state(s) breached the principles listed in Article 2 (1), (3) and (4) of the UN Charter. As countermeasures cannot consist of a violation of the prohibition of the threat and use of force, Stuxnet would be illegal even if it were established that Iran is in breach of the NPT. If however Stuxnet is not considered a use of force, it would be a breach of the principle of non-intervention, unless it amounts to a lawful countermeasure against Iran’s alleged breach of its non-proliferation obligations.

I would be interested in your thoughts on this.