Could Deploying Stuxnet be a War Crime?
I’ve been updating my article advocating for an e-SOS (the first draft is available here). When I originally wrote it, Stuxnet had been identified as one of the first forms of malware to target SCADA systems explicitly (a SCADA–or “supervisory control and data acquisition”–system is one specifically designed to operate and control infrastructure, such as electrical and nuclear power systems, telecommunications, and oil storage facilities). Stuxnet was originally detected in early 2010 by a computer security company in Belarus, and subsequently found to have infected (albeit without causing much actual harm) thousands of SCADA systems world-wide. Since then, however, we’ve learned three things. First, the Stuxnet virus did apparently cause significant harm in one very important instance — setting back Iran’s nuclear ambitions for up to several years. At Iran’s Natanz uranium enrichment facility, Stuxnet took control of the centrifuges and sped them up to intolerable levels at the same time it masked this effort to avoid the system or its operators from shutting the plant process down. There are also some reports that Stuxnet caused destruction and delayed operations at Iran’s Bushehr nuclear power plant. Second, it appears the Stuxnet worm was designed to target Iran’s plant(s) in particular; it infected a particular part of a SCADA system, the programmable logic controller (PLC), and then only executed its destructive and masking capacities against a PLC with a specific fingerprint, such as the one at Natanz. Third, according to the N.Y. Times, the U.S. and Israeli governments are responsible for Stuxnet and its Iranian target.
To date, most of the discussion about Stuxnet has involved analysis of its contents, effects, and origins, with much hat-tipping by those with the expertise to appreciate the apparent technical brilliance of the hack (although apparently parts of Stuxnet were much less sophisticated than others). More recently, press attention has begun to examine Stuxnet’s implications for the future of industrial espionage or outright conflict (Some have even described it as an “Oppenheimer moment,” suggesting that Stuxnet’s destructive capacity outstrips that of previous cyberattacks in much the same way Oppenheimer’s nuclear explosion outstripped TNT). What I have not seen, however, is any substantial discussion of the legality of deploying Stuxnet if, in fact, it could be attributed to a nation-state, whether Israel or the United States. So, let’s give Stuxnet a quick spin to see how it holds up (and, here, I’m focusing on its international legality, although presumably one could also ask if U.S. or Israeli participants complied with their respective domestic laws as well). Although I think the issues are debatable, I’m inclined to see Stuxnet as a use of force, but not necessarily one that, as used, violated the laws of war.
First, it seems clear that Stuxnet cannot be defended as simple espionage, which International law has long tolerated (or at least never explicitly prohibited). Stuxnet was not just a cyberexploitation designed to exfiltrate data from the PLCs it infected. Rather, at Natanz (and perhaps Bushehr) it actually degraded and disrupted certain SCADA systems and may still be doing so today.
Second, a much harder question is whether a state launching Stuxnet would be engaged in a use of force in violation of the prohibition of Article 2(4) of the UN Charter or an “armed attack” giving the victimized state a right of self defense under Article 51. Scholars, myself included, have debated how to translate these rules into cyberspace. If one adopts the classic “instrumentality” approach, and defines force or an armed attack by the instrument used, Stuxnet might not qualify since it lacks the physical characteristics associated with military coercion. Indeed, the U.N. Charter would support this view where Article 41 lists “measures not involving the use of armed force” to include “complete or partial interruption of . . . telegraphic, radio, and other means of communication.” The question is whether interrupting communications between a controller and a centrifuge is the kind of communication interruption envisioned by Article 41? Alternatively, if one defines a use of force as Gary Sharp has based on its target, Stuxnet is much more likely to constitute a use of force; the target here was clearly infrastructure that Iran viewed as critical to its national security. Indeed, flip the scenario, and it becomes hard to imagine the United States not viewing as illegal another state deploying Stuxnet within U.S. nuclear weapons production facilities. Finally, we could determine if Stuxnet is a use of force based, as Michael Schmitt has suggested, on whether its effects equate to the use of kinetic military force. Here, I think we enter a gray area. Stuxnet was destructive and thus functions in the same way as a bomb or missile might (and, indeed, Israel may have seen it as a substitute to deploying those means against Iran). On the other hand, its destruction was much more selective than a traditional bomb or missile and it did not apparently kill anyone.
Even if Stuxnet was a use of force, we could debate whether it was authorized by the U.N. Charter or self-defense. The UN Security Council, for example, has invoked Article 41 in dealing with Iran’s nuclear programs, although I’ve not had time to vet whether a Stuxnet-like attack could be interpreted as covered under any of the applicable resolutions. Similarly, the self-defense arguments are likely to be controversial, especially if they rely on anticipatory self-defense in light of Iran’s stated nuclear ambitions and anti-Israel policies and programs.
Separate and apart from these jus ad bellum questions, there are also serious questions about whether and how Stuxnet complies with the laws of war, or the jus in bello. For those rules to apply, we, of course, need an international armed conflict, and as the foregoing discussion makes clear, there are significant hurdles to reaching that conclusion. Still, assuming the laws of war do apply, does Stuxnet constitute a war crime? Obviously, given Stuxnet’s distribution beyond Iranian facilities to civilian SCADA systems worldwide, some may question Stuxnet’s compliance with the principle of distinction. States are supposed to only target military targets, and to avoid using force indiscriminately. To the extent, that Stuxnet has bounced beyond Iran and infected other SCADA systems, including some in the United States, it does appear indiscriminate. On the other hand, it does not appear that it affected these other SCADA systems in the same way it operated in Iran. Indeed, it seems those who designed Stuxnet were quite careful to ensure it did discriminate and have (so far at least) confined its negative effects to the apparently intended targets.
But where I worry Stuxnet might run into more trouble is the prohibition on the release of destructive forces. Article 56 of Additional Protocol I to the Geneva Conventions (which, I’m assuming here constitutes customary international law), provides
Works or installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, shall not be made the object of attack, even where these objects are military objectives, if such attack may cause the release of dangerous forces and consequent severe losses among the civilian population.
Obviously, there are several follow-on questions. For
starters, does Natanz qualify as a “nuclear electrical generating station” or is a uranium enrichment plant something different? Even if Natanz doesn’t qualify, Bushehr certainly seems like it would fit under Article 56. Second, could a state responsible for Stuxnet argue that Stuxnet could not possible risk the release of dangerous forces and consequent civilian losses? I’m less inclined to such an argument; Stuxnet worked by producing intolerable conditions within nuclear centrifuges, making some of them, in effect, self destruct. It seems to me that in doing so, one has to know that bad things could happen when those components breaks down, which, when we’re talking about nuclear materials, surely involves potential loss of civilian life. That said, Article 56 does contain an escape clause of sorts, indicating that if the plant “provides electric power in regular, significant and direct support of military operations and if such attack is the only feasible way to terminate such support” then the prohibition on targeting it ceases. Thus, arguments linking Natanz or Bushehr facilities to Iran’s attempts to produce nuclear weapons might afford some justification for targeting it notwithstanding Article 56’s prohibitions.
On a final note, I’d emphasize that all of the foregoing assumes a nation state–whether Israel, the United States, or both–bears responsibility for Stuxnet. And, there is admittedly now a fair bit of secondary intelligence pointing in that direction (indeed, although there’s no on-the-record admission, last week’s N.Y. Times story certainly suggests U.S. officials are privately taking some responsibility here). That said, I think it’s also highly unlikely we will ever know for certain who launched Stuxnet. Neither the United States nor Israel has much incentive to accept full responsibility, particularly given the legal questions I just posed. And, technically, attributing responsibility to either state will be difficult if not impossible. As a result, as much as the international lawyer in me loves crunching the doctrine here, I fear it’s ultimately no more than an academic exercise (and one admittedly done on a cursory basis; for example, I didn’t have time to supplement my analysis with Pictet or other sources. Readers should feel free to do so).
Anonymity will thus allow those who deployed Stuxnet and any future successors to operate with relative impunity. Some may view that as a good outcome when the target is Iran. I worry, however, that without clear rules for when states can deploy or defend against cyberattacks we’ll risk unintended escalations of conflicts into war, not to mention the actual death and destruction cyberthreats can now realistically cause. Indeed, it makes reports of a 45 minute loss of control over U.S. nuclear weapons last fall quite sobering if one imagines another state was responsible. As a result, even if Iran is spun as a positive story on the potential of cyberattacks, I’m sticking with my earlier arguments. I think current conditions cry out for (a) states to devise specific rules for launching or defending against cyberexploitations and cyberattacks; and (b) adopting an e-SOS as a first principle for mitigating or avoiding the most severe cyberthreats. I don’t think such rules would necessarily mean states could never deploy a Stuxnet (or that Iran would have an absolute right to issue an e-SOS if they did so). Rather, I think states themselves will have to devise the specific contours of acceptable (and unacceptable) behavior in cyberspace and, then defend their own acts on such terms. Without those rules, I worry that the very technology that we have welcomed for its transformative effects on our everyday lives may generate new forms of death and destruction for which the Stuxnet episode is merely an opening act.