On 28 September, the Iranian Foreign Affairs Minister Ali Akbar Salehi addressed the UN Security Council at the High Level Meeting on Countering Nuclear Terrorism (the text of the speech can be read here). Among other things, in the speech Salehi criticized cyber attacks against Iranian nuclear facilities and qualified them as ‘manifestation of nuclear terrorism and consequently a grave violation of the principles of UN Charter and international law’ (the emphasis is mine). This might be the first time that Iran has taken an official and explicit position with regard to the (il)legality of Stuxnet, at least in an international forum (on the ‘conspiracy of silence’ that surrounded Stuxnet, see David Fidler’s interesting article in Privacy Interests, July/August 2011).

The question, however, is: which UN Charter principles were allegedly breached by Stuxnet? Assuming that Salehi used the word ‘principles’ in a technical sense, the Charter’s principles are famously listed in Article 2. Principles 5, 6 and 7 are not relevant in the present case. Principle 2 merely refers to the duty to comply in good faith with the obligations arising from the Charter. On the other hand, Principle 1 reaffirms the sovereign equality of states, a corollary of which is the prohibition of intervention in the internal affairs of other states. According to the International Court of Justice, the prohibition of intervention is ‘part and parcel of international law’ (Nicaragua v. United States (Merits), 1986, para. 202). The 1970 UN General Assembly’s Declaration on Friendly Relations condemns ‘armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements’, and also emphasizes that ‘[n]o State may use or encourage the use of economic, political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights and to secure from it advantages of any kind’ (the emphasis is mine). The language is broad enough to cover intervention by means of cyber attacks when they have a coercive purpose, i.e. when they aim at coercing the target state into doing or not doing something that the state is otherwise legally entitled to do. But if the (non-forcible) intervention is a reaction against something that the target state was not legally entitled to do, i.e. a breach of international law, then it could amount to a lawful countermeasure aimed at persuading the wrongdoing state to stop the breach and provide reparation.
From this perspective, the legality of Stuxnet would therefore depend on: 1) whether Iran’s nuclear programme is an internationally wrongful act in the form of a violation of NPT obligations; 2) whether the state(s) behind Stuxnet (if any) were ‘injured’ by Iran’s breach or were otherwise entitled to adopt countermeasures in relation to it under the law of state responsibility (see Arts. 42, 48 and 54 of the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts); 3) whether Stuxnet amounted to a ‘use of force’ (countermeasures cannot affect the prohibition of the use of force: Art. 50 (1) of the ILC Articles); 4) whether non-proliferation law is a special regime that has its own enforcement mechanisms (see Sahib Singh’s chapter in my and Dan’s book).

The third condition leads me to discuss the other two relevant principles in Article 2 of the UN Charter that might determine the illegality of Stuxnet. Principles 3 and 4 are two sides of the same coin and affirm the obligation to settle international disputes peacefully and not to resort to armed force in international relations. Whether Stuxnet is a violation of these two principles depends on whether it can be qualified as a use of ‘armed force’. I have already addressed this issue here, so I will limit myself to referring to the points I make in that article. The recently released draft of the Tallinn Manual on Cyber Warfare (text here) argues, in Rule 11, that ‘[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’. It then suggests several non-exhaustive factors in order to determine when it is so (pp. 49-50). In the end, the Manual concludes that Stuxnet was a use of force (p. 47) and, at least according to some of the experts that drafted the Manual, even an ‘armed attack’ (p. 56). I do not think that Stuxnet reached the scale and effects threshold of an armed attack, but, as it did cause material damage of some significance, I do not see any problems with qualifying it as a use of force, for the reasons I try to explain in my article. It should also be noted that, unlike the previous case of the principle of non-intervention, the legality of Stuxnet as a use of force would not depend on whether Iran has breached the NPT: under Article 51 of the Charter, force can be used only if an armed attack ‘occurs’. Even if Iran were developing nuclear weapons, it would not have committed an armed attack until it actually used them.

To sum up: if Stuxnet was a use of force, then the responsible state(s) breached the principles listed in Article 2 (1), (3) and (4) of the UN Charter. As countermeasures cannot consist of a violation of the prohibition of the threat and use of force, Stuxnet would be illegal even if it were established that Iran is in breach of the NPT. If however Stuxnet is not considered a use of force, it would be a breach of the principle of non-intervention, unless it amounts to a lawful countermeasure against Iran’s alleged breach of its non-proliferation obligations.

I would be interested in your thoughts on this.


  1. I think it’s fairly clear that Stuxnet rises to the level of “state terrorism”. Of course, “terrorism” is a poorly defined term, so describing Stuxnet as “force” – which presumably has a more coherent definition – perhaps makes more sense.

    Certainly Stuxnet rises to the level of “sabotage”.

    A question: We all know that virtually all states engage in espionage, and occasionally sabotage, against other states. Stuxnet – and other malware such as Duqu and Flame – clearly fall into that category of activity. What does the UN Charter have to say about states engaging in espionage and sabotage against other states?

    It seems to me to be pointless – other than a matter of correctness which IS important – to complain about such activities violating the UN Charter when practically every state does so routinely.

    Not to mention that making threats of military attack on other states is also routinely done and is clearly in violation of the UN Charter.

    And it really becomes hypocritical for the US to complain about – alleged and absolutely unproven – Iranian attacks against US banks or Saudi oil facilities since the US and Israel initiated such computer attacks against Iran. The double standard is breath-taking.

    • Marco Roscini says:

      Thank you for your comment. To answer your question, international law has little to say with regard to espionage. In fact, espionage is not an internationally wrongful act, although it is usually criminalised under national laws. In case of armed conflict, spies are however unlawful combatants, even though their state does not incur international responsibility for sending them.
      As to sabotage, this is not a legal term of art, so it all depends on what ‘sabotage’ amounts to in each specific case. It could be a use of force and therefore be prohibited by Article 2 (4) of the UN Charter. Or it could be something less, i.e. a violation of the principle of non-intervention in the domestic affairs of another state. In both cases, it would of course also be a violation of the sovereignty of the state victim of the sabotage.

  3. Jake says:

    The link to the speech is not working. Can you re-post?

