Could Deploying Stuxnet be a War Crime?

by Duncan Hollis

I’ve been updating my article advocating for an e-SOS (the first draft is available here). When I originally wrote it, Stuxnet had been identified as one of the first forms of malware to target SCADA systems explicitly (a SCADA–or “supervisory control and data acquisition”–system is one specifically designed to operate and control infrastructure, such as electrical and nuclear power systems, telecommunications, and oil storage facilities). Stuxnet was originally detected in early 2010 by a computer security company in Belarus, and subsequently found to have infected (albeit without causing much actual harm) thousands of SCADA systems world-wide. Since then, however, we’ve learned three things. First, the Stuxnet virus did apparently cause significant harm in one very important instance — setting back Iran’s nuclear ambitions for up to several years. At Iran’s Natanz uranium enrichment facility, Stuxnet took control of the centrifuges and sped them up to intolerable levels at the same time it masked this effort to prevent the system or its operators from shutting the plant process down. There are also some reports that Stuxnet caused destruction and delayed operations at Iran’s Bushehr nuclear power plant. Second, it appears the Stuxnet worm was designed to target Iran’s plant(s) in particular; it infected a particular part of a SCADA system, the programmable logic controller (PLC), and then only executed its destructive and masking capacities against a PLC with a specific fingerprint, such as the one at Natanz. Third, according to the N.Y. Times, the U.S. and Israeli governments are responsible for Stuxnet and its Iranian target.

To date, most of the discussion about Stuxnet has involved analysis of its contents, effects, and origins, with much hat-tipping by those with the expertise to appreciate the apparent technical brilliance of the hack (although apparently parts of Stuxnet were much less sophisticated than others). More recently, press attention has begun to examine Stuxnet’s implications for the future of industrial espionage or outright conflict (Some have even described it as an “Oppenheimer moment,” suggesting that Stuxnet’s destructive capacity outstrips that of previous cyberattacks in much the same way Oppenheimer’s nuclear explosion outstripped TNT).  What I have not seen, however, is any substantial discussion of the legality of deploying Stuxnet if, in fact, it could be attributed to a nation-state, whether Israel or the United States.  So, let’s give Stuxnet a quick spin to see how it holds up (and, here, I’m focusing on its international legality, although presumably one could also ask if U.S. or Israeli participants complied with their respective domestic laws as well).   Although I think the issues are debatable, I’m inclined to see Stuxnet as a use of force, but not necessarily one that, as used, violated the laws of war.    

First, it seems clear that Stuxnet cannot be defended as simple espionage, which international law has long tolerated (or at least never explicitly prohibited). Stuxnet was not just a cyberexploitation designed to exfiltrate data from the PLCs it infected. Rather, at Natanz (and perhaps Bushehr) it actually degraded and disrupted certain SCADA systems and may still be doing so today.

Second, a much harder question is whether a state launching Stuxnet would be engaged in a use of force in violation of the prohibition of Article 2(4) of the UN Charter or an “armed attack” giving the victimized state a right of self defense under Article 51. Scholars, myself included, have debated how to translate these rules into cyberspace. If one adopts the classic “instrumentality” approach, and defines force or an armed attack by the instrument used, Stuxnet might not qualify since it lacks the physical characteristics associated with military coercion. Indeed, the U.N. Charter would support this view where Article 41 lists “measures not involving the use of armed force” to include “complete or partial interruption of . . . telegraphic, radio, and other means of communication.” The question is whether interrupting communications between a controller and a centrifuge is the kind of communication interruption envisioned by Article 41. Alternatively, if one defines a use of force, as Gary Sharp has, based on its target, Stuxnet is much more likely to constitute a use of force; the target here was clearly infrastructure that Iran viewed as critical to its national security. Indeed, flip the scenario, and it becomes hard to imagine the United States not viewing as illegal another state deploying Stuxnet within U.S. nuclear weapons production facilities. Finally, we could determine if Stuxnet is a use of force based, as Michael Schmitt has suggested, on whether its effects equate to the use of kinetic military force. Here, I think we enter a gray area. Stuxnet was destructive and thus functions in the same way as a bomb or missile might (and, indeed, Israel may have seen it as a substitute to deploying those means against Iran). On the other hand, its destruction was much more selective than a traditional bomb or missile and it did not apparently kill anyone.

Even if Stuxnet was a use of force, we could debate whether it was authorized by the U.N. Charter or self-defense. The UN Security Council, for example, has invoked Article 41 in dealing with Iran’s nuclear programs, although I’ve not had time to vet whether a Stuxnet-like attack could be interpreted as covered under any of the applicable resolutions. Similarly, the self-defense arguments are likely to be controversial, especially if they rely on anticipatory self-defense in light of Iran’s stated nuclear ambitions and anti-Israel policies and programs.

Separate and apart from these jus ad bellum questions, there are also serious questions about whether and how Stuxnet complies with the laws of war, or the jus in bello. For those rules to apply, we, of course, need an international armed conflict, and as the foregoing discussion makes clear, there are significant hurdles to reaching that conclusion. Still, assuming the laws of war do apply, does Stuxnet constitute a war crime? Obviously, given Stuxnet’s distribution beyond Iranian facilities to civilian SCADA systems worldwide, some may question Stuxnet’s compliance with the principle of distinction. States are supposed to only target military targets, and to avoid using force indiscriminately. To the extent that Stuxnet has bounced beyond Iran and infected other SCADA systems, including some in the United States, it does appear indiscriminate. On the other hand, it does not appear that it affected these other SCADA systems in the same way it operated in Iran. Indeed, it seems those who designed Stuxnet were quite careful to ensure it did discriminate and have (so far at least) confined its negative effects to the apparently intended targets.

But where I worry Stuxnet might run into more trouble is the prohibition on the release of destructive forces. Article 56 of Additional Protocol I to the Geneva Conventions (which, I’m assuming here, constitutes customary international law) provides:

Works or installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, shall not be made the object of attack, even where these objects are military objectives, if such attack may cause the release of dangerous forces and consequent severe losses among the civilian population.

Obviously, there are several follow-on questions. For starters, does Natanz qualify as a “nuclear electrical generating station” or is a uranium enrichment plant something different? Even if Natanz doesn’t qualify, Bushehr certainly seems like it would fit under Article 56. Second, could a state responsible for Stuxnet argue that Stuxnet could not possibly risk the release of dangerous forces and consequent civilian losses? I’m less inclined to such an argument; Stuxnet worked by producing intolerable conditions within nuclear centrifuges, making some of them, in effect, self-destruct. It seems to me that in doing so, one has to know that bad things could happen when those components break down, which, when we’re talking about nuclear materials, surely involves potential loss of civilian life. That said, Article 56 does contain an escape clause of sorts, indicating that if the plant “provides electric power in regular, significant and direct support of military operations and if such attack is the only feasible way to terminate such support” then the prohibition on targeting it ceases. Thus, arguments linking Natanz or Bushehr facilities to Iran’s attempts to produce nuclear weapons might afford some justification for targeting it notwithstanding Article 56’s prohibitions.

On a final note, I’d emphasize that all of the foregoing assumes a nation state–whether Israel, the United States, or both–bears responsibility for Stuxnet.  And, there is admittedly now a fair bit of secondary intelligence pointing in that direction (indeed, although there’s no on-the-record admission, last week’s N.Y. Times story certainly suggests U.S. officials are privately taking some responsibility here).  That said, I think it’s also highly unlikely we will ever know for certain who launched Stuxnet.  Neither the United States nor Israel has much incentive to accept full responsibility, particularly given the legal questions I just posed.  And, technically, attributing responsibility to either state will be difficult if not impossible.  As a result, as much as the international lawyer in me loves crunching the doctrine here, I fear it’s ultimately no more than an academic exercise (and one admittedly done on a cursory basis; for example, I didn’t have time to supplement my analysis with Pictet or other sources.  Readers should feel free to do so). 

Anonymity will thus allow those who deployed Stuxnet and any future successors to operate with relative impunity.  Some may view that as a good outcome when the target is Iran.  I worry, however, that without clear rules for when states can deploy or defend against cyberattacks we’ll risk unintended escalations of conflicts into war, not to mention the actual death and destruction cyberthreats can now realistically cause.  Indeed, it makes reports of a 45 minute loss of control over U.S. nuclear weapons last fall quite sobering if one imagines another state was responsible.  As a result, even if Iran is spun as a positive story on the potential of cyberattacks, I’m sticking with my earlier arguments.  I think current conditions cry out for (a) states to devise specific rules for launching or defending against cyberexploitations and cyberattacks; and (b) adopting an e-SOS as a first principle for mitigating or avoiding the most severe cyberthreats.  I don’t think such rules would necessarily mean states could never deploy a Stuxnet (or that Iran would have an absolute right to issue an e-SOS if they did so).  Rather, I think states themselves will have to devise the specific contours of acceptable (and unacceptable) behavior in cyberspace and, then defend their own acts on such terms.  Without those rules, I worry that the very technology that we have welcomed for its transformative effects on our everyday lives may generate new forms of death and destruction for which the Stuxnet episode is merely an opening act.

14 Responses

  1. Actually, the customary nature of Art. 56 of Additional Protocol I is far from obvious, it is the most controversial provision re targeting.
    Even Rule 42 of the ICRC Customary Law Study does not repeat this provision, but only avers that ‘Particular care must be taken’ when such works and installations are targeted.

  2. Tamás — Thanks for the comment. I knew it was subject to some controversy, but since the U.S. is not a party to AP I, I figured I needed to assume its status as customary international law to be able to engage in the analysis, which admittedly would not govern U.S. activities if in fact Art. 56 lacks CIL status.

  3. If the U.S. or Israel intentionally sent the worm in or had it attached to Iranian computer(s), this might constitute an “intervention,” but would it be an intervention into what are merely the affairs “of” Iran or what is “essentially” within the domestic jurisdiction of Iran (and not also that of the international community) and constitute an impermissible intervention? I assume that it would not constitute a use of “armed” “force” or an “armed” attack within the meaning of U.N. Charter arts. 2(4) and 51, but it was use of a weapon of sorts and might constitute an “attack”. “War”? No, so not a war crime regardless of the nature of certain articles in Geneva Protocol I.

  4. Duncan,

    Thanks for a thought-provoking article. I would approach the question of whether Stuxnet was an armed attack based on the effect that it had, and seek an analogy for something else that had caused similar damage. If Stuxnet destroyed the Natanz centrifuges, then it places it in effects terms in the same place (physical destruction) as lobbing a bomb at it (clearly an armed attack) or some form of sabotage (probably an armed attack). On this reading, Stuxnet is simply a different form of attack, with the intent and the effect being the same as a more conventional armed attack. It opens the broader question of what constitutes an armed attack in an era of SCADA systems which were effectively unimaginable in the drafting of the Charter.

    On the question of the applicability of the dangerous forces prohibition in AP-1 Art 56, it clearly applies at Bushehr (an operational(?) nuclear power station) but an enrichment facility is less clear cut. Is enriched Uranium itself a dangerous force? I doubt it – it’s a radioactive element, and spreading it about (as is likely to happen if the centrifuges break up) could pose a serious contamination problem, but is this a “dangerous force”? If anything, it would fall into the prohibitions covering environmental damage.

  5. For the sake of argument, let’s assume an armed conflict and that article 56 of Additional Protocol I applied (either as a treaty norm or as customary international law). And assume one of the sites was a nuclear electrical generating station. It seems to me that a Stuxnet-like style of attack may be a good example of how to lawfully target such a facility. If a Stuxnet-like attack did not cause a runaway nuclear meltdown but rather only limited dispersal of fissionable material inside a plant, then that seems unlikely to result in ‘severe losses among the civilian population’. Mere ‘potential loss of civilian life’ is not enough — to fall foul of article 56 it must be severe losses.
    I also suggest that the fact that the Stuxnet virus has been found on other machines is unlikely to breach discrimination if the ‘effect’ is limited to military objectives. What is considered as part of the collateral damage equation probably does not include mere inconvenience and financial cost.

  6. Not only is Art 56 of Additional Protocol I not considered customary law, but both the US and Israel are among the few countries that have still not ratified them. And even if one or both had, the issue remains the same whether either one used Stuxnet or a fleet of bombers equipped with bunker-busting bombs: the resulting fallout on the civilian population could be dramatic… or negligible given the very pinpointed nature of the attack under each mode. To jump from this scenario to the accusation of war crime seems gratuitously hasty, to say the least.

  7. Iran is in violation of its signature of the Nuclear Non-Proliferation Treaty because it is developing nuclear weapons. Iran does not explicitly acknowledge that it has a bomb project but does hint at it. Further, Iran violates the UN charter by threatening the use of force against Israel, which it has done repeatedly [Article 2:4]. It does not practice “tolerance” or a willingness to “live together in peace with one another as good neighbors” as called for in the Preamble. These violations are clear and obvious although Iran may not explicitly admit what it is doing. Yet, Hollis does not perceive Iranian violations. Is international law only meant to protect the war-mongers?

  8. Thanks for all the comments

    For JJ — I don’t think I made any accusations of a war crime here?  My post only raised questions that I had not seen addressed elsewhere — what are the implications of Stuxnet for laws on the use of force or international humanitarian law?  Moreover, my initial conclusion was that even if one assumes Art. 56 is customary international law (an assumption I had to make expressly because of controversy over it having any such status), that provision seems to leave room for deploying a worm like Stuxnet in certain circumstances.

    For Elliott —  you raise an interesting point — to what extent would internationally wrongful behavior of a state such as Iran preclude it from invoking the protections of Article 2(4) or the laws of war.  Certainly, as I acknowledge in the post, there’s a self-defense counter-argument that Israel and/or the United States might raise if Stuxnet could be characterized as a response to prior acts of Iranian aggression.  As for the laws of war, however, they do not usually apply reciprocal terms; that is, a violation by one side doesn’t allow the other to resort to the same measures.

  9. Elliott,

    To add to Duncan’s point about reciprocity…. Iran has not threatened the use of force against Israel.  Iran has only stated that if Israel attacked, Iran would retaliate.  Also, there is no publicly available evidence that Iran has a nuclear weapons program, and Iran has never hinted at having one, but rather has steadfastly denied it and forcefully advocated for global nuclear disarmament, arguing that nuclear weapons are immoral and contrary to Islamic law.

    Iran is, however, in violation of international law because it has not abided by the UN Security Council’s demands to halt uranium enrichment, even for civilian purposes.  Though one could, as Iran does, argue that the Security Council lacks the authority to make this demand because, according to the language of the NPT, civilian nuclear energy is an “inalienable right.”

  10. “The Stuxnet Story Is Full of Holes”
    Stuxnet is being hyped in order to manufacture a “success” against Iran for public consumption.
    In fact the Federation of American Scientists says that Iran’s nuclear program progressed in the last year, contrary to media claims.

  11. IMHO, the creators of Stuxnet deserve not criminal sanction but rather the Nobel Peace Prize.  At the cost of zero lives, they have set back the Iranian nuclear weapons program by several years.  If that doesn’t qualify for the Nobel, then nothing does.
