A cyberattack that sabotaged Iran's uranium enrichment program was an "act of force" and was likely illegal, according to research commissioned by a NATO defense center.
“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force” and likely violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, a study produced by a group of independent legal experts at the request of NATO’s Cooperative Cyber Defense Center of Excellence in Estonia.
Acts of force are prohibited under the United Nations charter, except when done in self-defense, Michael Schmitt, professor of international law at the U.S. Naval War College in Rhode Island and lead author of the study, told the Washington Times.
The 20 experts who produced the study were unanimous that Stuxnet was an act of force, but were less clear about whether the cyber sabotage against Iran's nuclear program constituted an "armed attack," which would entitle Iran to use counterforce in self-defense. An armed attack constitutes a start of international hostilities under which the Geneva Convention's laws of war would apply.
Stuxnet was launched in 2009 and 2010, and possibly 2008 as well, and targeted cascades and centrifuges at the Natanz uranium enrichment plantin Iran. The cyberweapon was reportedly designed by Israel and the U.S. in an effort to set back Iran's ability to produce a nuclear weapon, though the U.S. has not officially acknowledged its role in the attack. Until the attacks occurred, intelligence agencies speculated that Iran would be able to produce a nuclear weapon by 2010. The attacks by Stuxnet are believed to have set back the program by an estimated three years.
The 300-page legal manual was produced by 20 researchers, including legal scholars and senior military lawyers from NATO countries, with assistance from cybersecurity analysts.
“We wrote it as an aid to legal advisers to governments and militaries, almost a textbook,” Schmitt told the paper. “We wanted to create a product that would be useful to states to help them decide what their position is. We were not making recommendations, we did not define best practice, we did not want to get into policy,” he said.
Others disagreed with the legal conclusion of the researchers, however.
James A. Lewis, a researcher at the Center for Strategic and International Studies, said the researchers were getting ahead of themselves and there had not been enough incidents of cyberconflict yet to develop a sound interpretation of the law in that regard.
“A cyberattack is generally not going to be an act of force. That is why Estonia did not trigger Article 5 in 2007,” he said, referring to the coordinated DDoS attacks that took down the computer networks of banks, government agencies and media outlets in Estonia that were blamed on Russia, or hackers sympathetic to the Russian government.
Article 5 of the NATO treaty requires member states to aid other members if they come under attack.
