Stuxnet an “Act of Force” Against IranPosted: March 25, 2013
I just saw this story in the Washington Times. It cites to the conclusions of the authors of the new Tallinn Manual on the International Law Applicable to Cyber Warfare. The lead author, Michael Schmitt, is quoted/cited as saying the following:
The international group of researchers who wrote the manual were unanimous that Stuxnet — the self-replicating cyberweapon that destroyed Iranian centrifuges that were enriching uranium — was an act of force, said Mr. Schmitt, professor of international law at the U.S. Naval War College in Newport, R.I. But they were divided on whether its effects were severe enough to constitute an “armed attack,” he said.
What I interpret him to be saying here is that Stuxnet was an international act of force that caused enough damage to constitute a use of force against Iran by the U.S. and Israel in violation of Article 2(4) of the U.N. Charter. I certainly agree with that conclusion. But then he goes on to conclude that Stuxnet did not rise to the level of an “armed attack.” This is in reference to Article 51 of the U.N. Charter, which says that the right of unilateral self defense can only be exercised as against the authors of an armed attack. There’s always been interesting debates among international legal scholars over whether and to what extent the criteria for use of force under Article 2(4) and the criteria for armed attack under Article 51 differ. I personally think that there is a difference in intensity evidenced in the applicable legal sources, so that finding that an act meets the test for a use of force, but does not meet the test for an armed attack, as Schmitt does here, is certainly plausible.
Overall, I would probably agree with the assessment Schmitt makes here, that Stuxnet was illegal as a use of force prohibited by Article 2(4), but that it did not meet the criteria for an armed attack, which would have given rise to the right of unilateral self defense on the part of Iran. I would add, though, that the fact of its illegality under Article 2(4) WOULD however trigger Iran’s right to engage in lawful countermeasures, as defined in the law on state responsibility, best represented in the ILC’s Draft Articles on State Responsibility, Articles 49-53 (ARSIWA).
I have already floated some ideas on what form such lawful countermeasures could hypothetically take in the comments to a post by Sahib Singh over at EJIL:Talk! In those comments, I concluded that closing the Strait of Hormuz completely, which Iranian officials have at times mentioned doing in response to cyber attacks including Stuxnet, and to the killing of their civilian nuclear scientists, would not satisfy, inter alia, the relevance and proportionality requirements in response to these unlawful acts against Iran, so as to fit under the law of countermeasures in the ARSIWA.
However, I argued that if Iran were, say, to seize a number of privately owned vessels passing through Hormuz, owned by Israeli and/or American companies, and take the vessels and cargo as reparations for these unlawful acts, this action would in fact present a pretty strong case for constituting a lawful countermeasure on the part of Iran in response to these unlawful acts. The seizure policy could be targeted specifically to incentivize the US and Israel to cease their internationally wrongful conduct, as it would introduce risk into US and Israeli shipping commerce and thus undoubtedly negatively affect the economies of the US and Israel, and would thus put economic pressure on them. It would dually serve to provide a source of reparation for Iran for the damage caused by the illegal acts, as contemplated in the official comments to the ILC Draft Articles. The policy could of course be quickly ceased as soon as the US and Israel came into compliance with international law and ceased their internationally wrongful acts. And in my view such seizures would not be classifiable as international uses of force, and thus not prohibited as countermeasures for that reason.
So again, this would in my view be one alternative for legal countermeasures by Iran in response to the illegal use of force against it by the US and Iran constituted by the deployment of Stuxnet.
I certainly would not advise Iran to actually do this – it would be very strategically imprudent and unwarranted, and would obviously lead to an unwanted escalation of tension, and possibly to war. But speaking from a strictly legal perspective, I do think it would be be a lawful response to the unlawful attack on Iran by the US and Israel which Stuxnet represents.
I would also like to cite to the ancient legal maxim: “What’s good for the goose, is good for the gander.” Here meaning that, in agreeing to set the criteria for armed attack high for cyberattacks, we must remember for future reference that the same criteria would apply to cyberattacks upon the US. And it will be just as difficult for the US to claim a right of unilateral self-defense on that occasion, as we are now agreeing it is for Iran to do on the occasion of the use of Stuxnet and Flame against it.
ACL’s own David Fidler provides an excellent review of the legal issues regarding Stuxnet, though reaching different conclusions from mine, in a piece that can be accessed through the below link. ACL’s Marco Roscini is also currently writing a whole book on these issues, under contract with OUP, and has previously blogged on Stuxnet here.
ADDENDUM: I just saw this CNN opinion piece with some very interesting thoughts about “Cyber Arms Control”