The Stuxnet attack and legality

Were we in the right?

The stuxnet attack is one of the first, large scale critical system targeting attacks to date. The Stuxnet worm might have gone unnoticed, but unfortunately an employee took home the bug on his laptop. The result was stuxnet was unleashed on the world. But why was it developed in the first place?

From: http://www.wired.com/threatlevel/2013/03/stuxnet-act-of-force/

Stuxnet was launched in 2009 and 2010, and possibly 2008 as well, and targeted cascades and centrifuges at the Natanz uranium enrichment plant in Iran. The cyberweapon was reportedly designed by Israel and the U.S. in an effort to set back Iran’s ability to produce a nuclear weapon, though the U.S. has not officially acknowledged its role in the attack. Until the attacks occurred, intelligence agencies speculated that Iran would be able to produce a nuclear weapon by 2010. The attacks by Stuxnet are believed to have set back the program by an estimated three years.

The 300-page legal manual was produced by 20 researchers, including legal scholars and senior military lawyers from NATO countries, with assistance from cybersecurity analysts.

It was thought out, but the question as always becomes... were we right? The morality aside, diplomacy functions within a strong worldwide legal framework. Were we legally right? Unfortunately there just isn't enough data or law yet to establish legality yet.

James A. Lewis, a researcher at the Center for Strategic and International Studies, said the researchers were getting ahead of themselves and there had not been enough incidents of cyberconflict yet to develop a sound interpretation of the law in that regard.

“A cyberattack is generally not going to be an act of force. That is why Estonia did not trigger Article 5 in 2007,” he said, referring to the coordinated DDoS attacks that took down the computer networks of banks, government agencies and media outlets in Estonia that were blamed on Russia, or hackers sympathetic to the Russian government.  Unfortunately, not only is the legality of cyber warfare not declining, its getting better:

From: http://www.nextgov.com/cybersecurity/2013/03/yes-cyberattacks-are-perfectly-legal-under-laws-war/62015/

This makes a recent study from a group of NATO experts very, very welcome. Called the Tallinn Manual, it seeks to adapt the existing laws of war to cyberspace, laying down 95 new ideas over 282 pages. Many of them are just common-sense extensions of current international principles: According to one rule, cyberwarriors must take care not to hit the same targets that are off-limits to conventional forces.

...These include civilians, albeit with a crucial caveat: If you’re a civilian who’s decided to join the fight, you become a legitimate target even if you aren’t affiliated with a government or a military.

This unfortunately not only makes cyber attacks legal, but any entity can join in, even civilians. The interesting part of this is that the Geneva convention is setting the stage for this, instead of preventing it. Hopefully, advances will be made to prevent these kind of attacks from being legal in the future.