Stuxnet an “Act of Force” Against Iran

I just saw this story in the Washington Times. It cites to the conclusions of the authors of the new Tallinn Manual on the International Law Applicable to Cyber Warfare. The lead author, Michael Schmitt, is quoted/cited as saying the following:

The international group of researchers who wrote the manual were unanimous that Stuxnet — the self-replicating cyberweapon that destroyed Iranian centrifuges that were enriching uranium — was an act of force, said Mr. Schmitt, professor of international law at the U.S. Naval War College in Newport, R.I.  But they were divided on whether its effects were severe enough to constitute an “armed attack,” he said.

What I interpret him to be saying here is that Stuxnet was an international act of force that caused enough damage to constitute a use of force against Iran by the U.S. and Israel in violation of Article 2(4) of the U.N. Charter. I certainly agree with that conclusion. But then he goes on to conclude that Stuxnet did not rise to the level of an “armed attack.” This is in reference to Article 51 of the U.N. Charter, which says that the right of unilateral self defense can only be exercised as against the authors of an armed attack. There’s always been interesting debates among international legal scholars over whether and to what extent the criteria for use of force under Article 2(4) and the criteria for armed attack under Article 51 differ. I personally think that there is a difference in intensity evidenced in the applicable legal sources, so that finding that an act meets the test for a use of force, but does not meet the test for an armed attack, as Schmitt does here, is certainly plausible.

Overall, I would probably agree with the assessment Schmitt makes here, that Stuxnet was illegal as a use of force prohibited by Article 2(4), but that it did not meet the criteria for an armed attack, which would have given rise to the right of unilateral self defense on the part of Iran. I would add, though, that the fact of its illegality under Article 2(4) WOULD however trigger Iran’s right to engage in lawful countermeasures, as defined in the law on state responsibility, best represented in the ILC’s Draft Articles on State Responsibility, Articles 49-53 (ARSIWA).

I have already floated some ideas on what form such lawful countermeasures could hypothetically take in the comments to a post by Sahib Singh over at EJIL:Talk!  In those comments, I concluded that closing the Strait of Hormuz completely, which Iranian officials have at times mentioned doing in response to cyber attacks including Stuxnet, and to the killing of their civilian nuclear scientists, would not satisfy, inter alia, the relevance and proportionality requirements in response to these unlawful acts against Iran, so as to fit under the law of countermeasures in the ARSIWA.

However, I argued that if Iran were, say, to seize a number of privately owned vessels passing through Hormuz, owned by Israeli and/or American companies, and take the vessels and cargo as reparations for these unlawful acts, this action would in fact present a pretty strong case for constituting a lawful countermeasure on the part of Iran in response to these unlawful acts. The seizure policy could be targeted specifically to incentivize the US and Israel to cease their internationally wrongful conduct, as it would introduce risk into US and Israeli shipping commerce and thus undoubtedly negatively affect the economies of the US and Israel, and would thus put economic pressure on them. It would dually serve to provide a source of reparation for Iran for the damage caused by the illegal acts, as contemplated in the official comments to the ILC Draft Articles. The policy could of course be quickly ceased as soon as the US and Israel came into compliance with international law and ceased their internationally wrongful acts. And in my view such seizures would not be classifiable as international uses of force, and thus not prohibited as countermeasures for that reason.

So again, this would in my view be one alternative for legal countermeasures by Iran in response to the illegal use of force against it by the US and Iran constituted by the deployment of Stuxnet.

I certainly would not advise Iran to actually do this – it would be very strategically imprudent and unwarranted, and would obviously lead to an unwanted escalation of tension, and possibly to war.  But speaking from a strictly legal perspective, I do think it would be be a lawful response to the unlawful attack on Iran by the US and Israel which Stuxnet represents.

I would also like to cite to the ancient legal maxim: “What’s good for the goose, is good for the gander.” Here meaning that, in agreeing to set the criteria for armed attack high for cyberattacks, we must remember for future reference that the same criteria would apply to cyberattacks upon the US. And it will be just as difficult for the US to claim a right of unilateral self-defense on that occasion, as we are now agreeing it is for Iran to do on the occasion of the use of Stuxnet and Flame against it.

ACL’s own David Fidler provides an excellent review of the legal issues regarding Stuxnet, though reaching different conclusions from mine, in a piece that can be accessed through the below link. ACL’s Marco Roscini is also currently writing a whole book on these issues, under contract with OUP, and has previously blogged on Stuxnet here.

Fidler on Stuxnet and IL

ADDENDUM: I just saw this CNN opinion piece with some very interesting thoughts about “Cyber Arms Control”


30 Comments on “Stuxnet an “Act of Force” Against Iran”

  1. Mark Pyruz says:

    Dan, the Iranian military isn’t strong enough to deter a severe American military response to your proposed seizure scenario, where domestic politics would shove American leadership to pursue. Things could quickly escalate from there; that’s the Iranian calculation.

    Iranian responses to Stuxnet and the like are far more nuanced, in the form of regional soft power. Successes of such are visible with regards to Iraq, Lebanon and Afghanistan.

  2. Dan Joyner says:

    Hi Mark, I certainly agree with you, which is why I said I wouldn’t recommend that they actually do it. I was just making a legal analytical point.

  3. Don Bacon says:

    And how about “crippling sanctions?” They sure got Japan’s attention, a few years back.

    But as Mark indicates, Iran is using ingenuity and diplomacy to make lemonade out of lemons, and the US is made the fool thereby despite assassinations, cyber-attacks and sanctions. The “crippling sanctions” on Iran have been counter-productive, in fact they have encouraged Iran to expand its nuclear program. The sanctions have also served to benefit Iran’s growing expertise in oilfield equipment manufacturing, shipping and insurance in the petroleum industry. In other field, Iran has increased domestic manufacturing and export of other products and services.

    A higher law? Or a stronger will. –Now there’s a book.

    Ayatollah Ali Khamenei:”The US was dominating Iran [before the Islamic Revolution] and did whatever it desired. The Iranian people staged an uprising to break free from the yoke of the US. Do you expect them to surrender to you again?”

    Surrender is not an option, for anyone. The US can’t understand that, but they should. It’s the motto of New Hampshire: Live Free Or Die. Go Persia.

  4. Johnboy says:

    If I understand you correctly, the initial premise is this:
    1) Stuxnet was a “use of force”, hence illegal. But it was not an “armed attack”, meaning that Iran can’t use that as an excuse to go Whammer-Jammer on the USA (even if it could which, of course, it can’t).
    2) If Iran responds in kind then that is just as much a “use of force” against the USA, which would be just as illegal. But, equally, it would no more rise to the level of an “armed attack” on America as that initial US cyber-assault in Iran.

    Hmmmmm, so what’s to stop Iran from indulging in a little cyber-tit-for-tat?

    Sure, it would be just as illegal as that initial US use-of-force, but the USA would not really be in the position to shout about how unfair that is. After all, payback is a bitch.

    And if Persian Hand-Crafted Viruses aren’t an “armed attack” then the USA can no more claim the right to go Whammer-Jammer on Iran than the Revolutionary Guard could claim the right to go Whammer-Jammer on the Americans.

  5. Dan Joyner says:

    Hi Johnboy, yes, I think that as usual you have the law about right here.

    • Johnboy says:

      But I’m still curious: why do you have to come up with convoluted responses by Iran (e.g. seizing private vessels) when the USA is simply going to deny that there is any interconnectedness whatsoever between *their* cyber-warfare and *Iran’s* belligerent adventurism on the high seas.

      Not when the simplest response to being poked with a (cyber) stick is to…… pick up your own virtual-stick an’ poke ’em one in the eye, all the while shouting “serves ya’ right, dick-head!”.

      • Dan Joyner says:

        Well, as we both agreed, a significant retaliatory cyber attack would be a use of force and therefore illegal, and not justified as a countermeasure. I was trying to identify a response that would be justifiable as a countermeasure, and therefore not be illegal.

  6. yousaf says:

    Sorry off topic but Albright and friends have a WSJ OpEd of Iran racing to bomb even after DNI report:

    • Johnboy says:

      Albright is quite shameless, isn’t he?

      There is no point reading past his second paragraph:
      “Critical capability means the point at which Iran could dash to produce enough weapons-grade uranium or separated plutonium for one bomb so quickly that the International Atomic Energy Agency or a Western intelligence service would be unable to detect the dash until it is over.”

      Everything past that is, well, pointless, precisely because the US intelligence community has already debunked that assumption.

      Clapper is quite certain that Iran just isn’t that fast outta’ the blocks, and he is utterly convinced that if Iran ever *does* attempt that sprint then he’ll see it well before they reach the home straight.

      Albright may as well speculate on the possibility that “Iran waves a magic wand while chanting Abracadabra and – poof! – a nuke pops into existence in the blink of an eye”.

    • Dan Joyner says:

      Albright and Kittrie are clearly becoming BFF’s. They’re publishing everything together these days. My opinion of Kittrie as a law professor pretty much exactly matches my opinion of Albright as a scientist. I think they were made for each other.

  7. Marco Roscini says:

    Dan, excellent comments on a very complicated issue. I agree that if Stuxnet was an internationally wrongful act, for instance a violation of Article 2 (4) of the UN Charter (but it could also be a breach of other international norms, e.g. the principle of non-intervention and the duty to respect another state’s territorial sovereignty), the injured state, i.e. Iran, would be entitled to adopt countermeasures short of the use of force (unless Stuxnet was not only a use of force, but also an ‘armed attack’ in the sense of Article 51 of the UN Charter, which I do not believe is the case). There is however an almost insurmountable problem that would, I believe, deter Iran from considering the adoption of countermeasures: it is far from sure that the US, or Israel, or any other state were responsible for the incident. There is some circumstantial evidence, but we certainly are well below an acceptable standard of proof. Plausible deniability is, after all, the main advantage of cyber operations. It happened with the cyber attacks on Estonia in 2007, where Russia was suspected of taking the Baltic state off line, and more recently with the cyber espionage operations against US targets allegedly originating from China. It would then be difficult to justify the adoption of countermeasures (let alone a use of force) without clear evidence that the target of the countermeasure is the state responsible for the internationally wrongful act. Add that it is still unclear how much damage Stuxnet has actually caused (Iran itself has played down the incident, claiming that there was no or little damage) and the picture becomes even more blurred.

  8. Dan Joyner says:

    Thanks Marco, and you of course raise a very good point about evidence and attribution. This is indeed one of the hallmarks of the difficulty of legal regulation of cyberattacks.

    In light of the fact that there will always be some uncertainty, I think that the standards of evidence and attribution may have to be specially constructed in this area, perhaps differently than in other areas. WRT Stuxnet, I guess my own view is that the link to the US and Israel as its authors has been fairly well established. This NYT story reports admissions of this fact by US government officials:

    I’m not sure if we could ever realistically expect much more confirmation from state officials than this. However, this is a point about which contrasting arguments could be made.

  9. As someone with extensive knowledge of information security, let me add that the attribution problem is truly massive.

    For instance, we know that any really competent hacker can penetrate almost any organization, access their bank accounts, transfer funds out of their accounts and only be detected if someone at that organization or their bank manually determines that an unauthorized transfer was done. As an example of application, Israel could easily access an Iranian government bank account, transfer funds from that account to say, some idiot used car dealer in the US who has been recruited allegedly to assassinate the Saudi Ambassador, and thus establish that “Iran” was behind the alleged plot.

    Equally so, a denial of service attack could be conducted from almost anywhere, using almost any organization’s computer resources, and thus obfuscate who is the actual perpetrator.

    IP addresses mean absolutely nothing. It is routine for US hackers to take control of a computer in a Chinese gaming parlor in order to conceal themselves. Some hackers can even gain control of a US unclassified military computer knowing it will be harder for law enforcement to gain a warrant to access it.

    With botnets existing comprising literally scores or even hundreds of thousands of home computers anywhere in the world, any or all of which can be used to launch attacks, attribution is mostly a joke.

    Only when, in the case of the recent Mandiant report, the hackers leave clues as to their location is attribution reasonably certain. And a number of infosec experts aren’t convinced the Mandiant report proves its case, either.

    And even if you can prove the location of a hacker is in a given state, proving that the STATE is behind it is even harder.

    In this respect, Stuxnet and the subsequent acknowledgment by the US was really stupid.

    Computer “security” does not exist. I have a meme which I repeat at the drop of a hat:

    “You can haz better security, you can haz worse security. But you cannot haz ‘security’. There is no security. Deal.”

    Threatening an armed military response to a case of “cyberespionage” or “cyber-sabotage”, as Pentagon doctrine does, is simply stupid. And there is no such thing as “cyberwar” as many people claim.

    • yousaf says:

      fully agree.

      and the attribution issue goes beyond the merely technical. Even if one were to correctly attribute a cyber attack to a house in Paris, the resident may be a paid recruit of foreign intel. To unfold and extract that last attribution requires counter-espinoage and not just computer skills.

  10. Cyrus says:

    I think we’re forgetting somthing: Stuxnet was not just a comuter virus, it was specifically intended to cause the destruction of nuclear facilities, reportedly by causing things like centrifuges which spin at supersonic speeds to blow up, taking out nuclear facilities, spreading nucler material into the environment, and doing god know what damage to nearby human beings. The assumption that it did not constitute an act of force is therefore quite questionable, as in the end the net effects are little different than a bomb going off. Had the roles been reversed and Iran had let loose a virus causing US nuclear facilities to blow up, I assure yo u that such legalistic nuance and hairsplitting would not have happened. Or imagine if a computer virus was designd to cause dams to suddenly fail and release tons of water etc

    The irony is that by attacking Iran with a computer virus, the US has decided to engage Iran in an arena in which Iran is able to match the US technologically since they too pump out well qualifed compter engineers and programmers (many whom end up working in the US) , and in which the US is actually more vulnerable than Iran since the US infrastructure is more reliant on computerized networks. (nevermind the fact that it would be quite easy to hire programmers globally, thus adding layers of deniability.)

    • Cyrus says:

      Sory, I meant the assumption that it did not constitute an *armed attack* is questionable since it still made things go boom

      • Marco Roscini says:

        The thing is, it is not enough that it made ‘things go boom’ for Stuxnet to be an ‘armed attack’, which is a term of art employed in Article 51 of the UN Charter on self-defence. According to the International Court of Justice, an armed attack is not any use of force, but one that is serious because of its scale and consequences.

      • Cyrus says:

        I can’t think of a more serious thing than a nuclear facility blowing up, a bridge collapsing, a dam bursting, electricity being cut off to a large civilian population etc etc — all of which cyberwars can cause (or will do so) so I am not particularly taken with this rather artificial distinction between act of force and armed attack. The principle behind the whole Charter is that nations should resolve their disputes *peacefully*, period.

      • Marco Roscini says:

        But we were talking about Stuxnet, right? No nuclear facility blew up in that case. The distinction between use of force and armed attack might be artificial, but it was introduced by the UN founding fathers to limit the use of armed force between states as much as possible. As a result, it is only in the case of an armed attack, i.e. a serious use of force, that states can react coercively in self-defence: if there was no minimum threshold, any shot fired could be met with a military response, with obvious repercussions on international peace and security.

      • Cyrus says:

        It was reported that Stuxnet caused the crash of several centrifuges, and if you consider that centrifuges spin hot radioactive gas at supersonic speed, then it is indeed a wonder that more damage was not done *in that particular case* however the fact that Stuxnet was not as successful as planned is no reason to dismiss it as “not serious”. After all, its not as if Stuxnet was the end of cyberwarfare and will never happen again, perhaps more successfully next time.

        I don’t think I said that Iran would be justified in launching a retaliatory war over Stuxnet, what I said that we can’t so glibly dismiss cyberattacks as “not serious” enough to constitute an armed attack. These are two different issues. Indeed, using your analogy, a single shot would not be reason to launch a retaliatory all-out war. Even if Iran had been outright shelled or bombed by the US, any Iranian response would still have to meet the proportionality requirement of international law on self-defense anyway. But that’s irrelevant to the point that (again using your analogy) that’s no justification to start shooting at other countries in the first place? Cyberwarefare can cause “serious” damage just as can outright bombings and shellings. So the idea that cyberwarefare is somehow “not serious” and therefore not the same as an armed attack is simply rubbish. As I said, the the whole idea of the UN Charter is a prohobition on the *use of force* to resolve international disputes, not just the use “armed attack”. If the US has a problem with Iran’s nuclear program, then it should resolve the issue pursuant to international law and the mechanisms of the Charter, which does not include launching viruses into critical infrastucture of other nations.

      • Cyrus says:

        In short, the question of what Iran can legally do in response to Stuxnet, is a different matter than the question of whether Stuxnet was an armed attack or not. My point was that Stuxnet was intended to destroy infrastucture and cause damage, so it is really no different than a bomb. The means of delivery, whether by computer or by C130 bombers, makes no difference. Stuxnet still destroys stuff, and thus it was quite arguably an armed attack even if it didn’t use gunpowder.

      • I would tend to agree that because of the capacity to to injure a number of civilian personnel that it should be considered an “armed attack.” At the very least it constitutes “sabotage” under any definition.

        However, I suspect that in the parlance of international law they are probably defining an “armed attack” as entailing the use of “real world” weapons wielded by actual persons with actual casualties caused by those weapons to the civilian or military personnel of the target country.

        In the case of Stuxnet, the primary purpose of the malware was to destabilize the centrifuges in various ways so that they would not be effective in their purpose. It’s not clear that the intent or capability was there to necessarily cause the centrifuges to fly apart and actually injure anyone. There is no indication that such an event ever occurred. The difference in speed caused by the malware does not appear to be intended to “blow up” the centrifuge but rather to wreck the motor. Presumably there are sensors installed in these centrifuges to spin them down should a dangerous condition occur. Stuxnet was intended to be subtle and to continue operating without giving away the fact that deliberate sabotage was occurring.

        So all in all, I think it would be difficult to prove in court that the intent was to cause civilian or military injuries on a scale likely to occur during a real world “armed attack” – even if that was a possibility.

        Speaking more generally, the probability of “cyberwar” doing more serious damage has yet to be demonstrated in the real world. *Theoretically* malware or direct penetration could certainly cause injuries or even significant damage to a facility. But it is more likely to result in things being shut down rather than blown up in a manner equivalent to a bomb. An example would be the reported use of Israeli cyberattacks on Syria’s air defense system when Israel bombed the alleged Syrian “nuclear facility”. Clearly the actual bombs did more actual damage than the cyberattack did.

        A similar example is the case of random (or perhaps Syrian insurgent-inspired) shots fired into Israel and an Israel retaliation by tank cannon fire directed at Syrian military units as happened the other day. Clearly the latter constitutes an “armed attack”. But does the former?

        I don’t think that international law regards the effect of one military individual of a country going into another country and shooting someone on the same scale as a battalion of said individuals opening fire across a border. So there has to be some concept of “proportionality”.

      • Doing some Google search on the definition of “armed attack”, the ICJ made this distinction in 1986:

        “…it may be considered to be agreed that an armed attack must be understood as including not merely action by regular armed forces across an international border, but also ‘the sending by or on behalf of a State of armed bands, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to’ (inter alia) an actual armed attack conducted by regular forces , or its substantial involvement therein.”

        This would seem to imply that an “armed attack”, as I suggested above, involves the use of real world weapons and real world injuries.

        In addition, in terms of self-defense, the ICJ has said the following:

        “…the State attacked…must not, in the particular circumstances, have had any means of halting the attack other than recourse to armed force. In other words, had it been able to achieve the same result by measures not involving the use of armed force, it would have no justification for adopting conduct which contravened the general prohibition on the use of armed force.”

        I suspect computer intrusions, even ones that cause damage or injury, would not fit under that definition authorizing the use of retaliatory armed force.

        One paper I found suggested the following:

        “Any computer attack that causes damage akin to that caused by a military attack should be regarded as an armed attack. Immediate destruction of life is not a prerequisite.”

        The problem becomes what the level of “damage akin to that caused by a military attack” is. Is it the equivalent to one rifle round? A grenade? A mortar attack? An artillery attack? An air-dropped bomb?

        The paper I read suggested that in the case of attribution to a state, there should be no scale requirement, but that there should be one in the case of terrorists operating from a state without attribution to that state. In that case, Stuxnet – which has reasonably been attributed to the US and Israel – would fall under that scale requirement.

        Bottom line: There is no clearly accepted definition of the term “armed attack”. However, in the case of computer sabotage, the preference to avoid excessive use of military responses to computer intrusions in order to avoid escalating conflicts between states as well as the concept of proportionality in response to armed aggression probably would weigh in to disallow a military response to an act of computer sabotage.

        Clearly the United States, however, does not agree with that notion. In the end, might will make right. Iran will continue to be sabotaged by the US – and if it’s smart – it will do little overtly or covertly to escalate the situation in an attributable way in order to avoid a disproportionate US response which no institution in the international community will be able to prevent or stop.

  11. Dan Joyner says:

    Great discussion going on here! Love it!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s