Cyberwar playbook says Stuxnet may have been 'armed attack'

Would you rather be shot, blown up, stabbed - or hacked?


The Stuxnet attack on Iran was an illegal "act of force", according to at least some of the legal experts who helped draw up a NATO-commissioned Geneva Convention-style rules of cyberwarfare document.

"Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force," and are likely to violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, which was put together by an independent group of legal scholars and lawyers assembled by NATO’s Cooperative Cyber Defense Center of Excellence in Estonia.

Michael Schmitt, professor of international law at the US Naval War College in Rhode Island and lead author of the study, told the Washington Times that "according to the UN charter, the use of force is prohibited, except in self-defence".

Senior US and Israeli officials last year unofficially admitted creating the Stuxnet worm that crippled Iran’s nuclear program by sabotaging industrial equipment used in Uranium purification. Stuxnet targeted systems controlling high-speed centrifuges used in the Iranian nuclear programme to enrich uranium, causing them to slow down and speed up repeatedly until they failed under the abnormal mechanical strain.

The manual states that "any cyber operation which rises to the level of an armed attack in terms of scale and effects and which is conducted by or otherwise attributed to a state constitutes a use of force".

State-controlled Iranian media, such as the English language news outlet PressTV (here), were quick to seize on Schmitt's comments and selective extracts from the manual in accusing the US and Israel of an illegal act of force over the Stuxnet deployment.

However the actual manual is unclear whether or not Stuxnet was an armed attack. The legal experts were hostile to any notion that Iran could be legally justified in striking back against its presumed cyber-aggressors at this point, so long after the worm had done its damage.

Schmitt said the legal experts who drew up the manual agreed that Stuxnet was an act of force but were divided on whether the malware constituted an armed attack. And even if it was an armed attack it might still be justified as self defense in the form of striking back at the aggressor in the face of imminent attack, as a paragraph on page 58 of the manual explains:

In light of the damage they caused to Iranian centrifuges, some members of the international group of experts were of the view that the attack had reached the armed attack threshold (unless justifiable on the basis of anticipatory self defence) [our emphasis].

No international cyber-security incidents to date have clearly crossed over into something comparable to an armed attack, according to the legal experts. The 2007 cyber-operations against Estonia were not characterised by anyone, neither the Estonians nor the international community, as an armed attack - because the scale and effects of the cyber-attack didn't bear comparison to anything even a small scale armed attack might involve. Stuxnet was a better example of a potential cyberattack.

Iran didn't even know that its infrastructure was under attack or by who until long after Stuxnet had done its damage. Rule 9 states that:

"A state injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber-countermeasures, against the responsible state".

However the manual adds an important caveat (rule 15) that "the right to use force in self-defence arise if a cyber-armed attack occurs or is imminent. It is further subject to a requirement of immediacy."

The rules of international law imply that any attempt by Iran to respond to Stuxnet with its own attack or cyber-attack would be characterised as retaliation, and not self-defence, unless it has reason to conclude that cyber-attacks of the same scale are once again imminent.

Elsewhere during his interview with the Washington Times, Schmitt talks about the involvement of civilian hackers in cyber-conflicts.

If a cyberattack occurs before shooting starts, “It’s a crime", says Schmitt. However if a hacker attack occurs after two countries become engaged in open conflict then the hackers behind the cyberattack have effectively have joined hostilities as combatants and can be targeted with "lethal force", according to Schmitt.

The cyber skirmishes that occurred between Georgia and Russia in 2008 during the course of a ground war between the two countries over a break-away region are the primary example to date of a set of circumstances that might leave hackers in the firing line. This might be justified by incidents such as cyber-attacks on an enemy electricity plant that causes explosions and injures workers, the manual suggests. Something has to be raised to a level akin to armed attack: so we're talking Die Hard 4.0-style attacks against power grids, financial systems and transportation networks rather than mere website defacement or propaganda, it would seem.

The majority of the legal eagles took the view that an "informal groupings of individuals acting in a collective but otherwise uncoordinated fashion cannot comprise an organised armed group". Which might be taken as removing the likes of Anonymous from a list of combatants but perhaps including groups similar to LulzSec that feature an informal leadership, list of potential targets and an inventory of hacker tools.

The manual is far clearer in comparing hackers-for-hire to mercenaries who "do not enjoy combat immunity or prisoner of war status" (rule 28). ®


Other stories you might like

  • 'Prolific' NetWalker extortionist pleads guilty to ransomware charges
    Canadian stole $21.5m from dozens of companies worldwide

    A former Canadian government employee has pleaded guilty in a US court to several charges related to his involvement with the NetWalker ransomware gang.

    On Tuesday, 34-year-old Sebastien Vachon-Desjardins admitted he conspired to commit computer and wire fraud, intentionally damaged a protected computer, and transmitted a demand in relation to damaging a protected computer. 

    He will also forfeit $21.5 million and 21 laptops, mobile phones, gaming consoles, and other devices, according to his plea agreement [PDF], which described Vachon-Desjardins as "one of the most prolific NetWalker Ransomware affiliates" responsible for extorting said millions of dollars from dozens of companies worldwide.

    Continue reading
  • City-killing asteroid won't hit Earth in 2052 after all
    ESA ruins our day with some bad news

    An asteroid predicted to hit Earth in 2052 has, for now, been removed from the European Space Agency's list of rocks to be worried about.

    Asteroid 2021 QM1 was described by ESA as "the riskiest asteroid known to humankind," at least among asteroids discovered in the past year. QM1 was spotted in August 2021 by Arizona-based Mount Lemmon observatory, and additional observations only made its path appear more threatening.

    "We could see its future paths around the Sun, and in 2052 it could come dangerously close to Earth. The more the asteroid was observed, the greater that risk became," said ESA Head of Planetary Defense Richard Moissl. 

    Continue reading
  • Why Wi-Fi 6 and 6E will connect factories of the future
    Tech body pushes reliability, cost savings of next-gen wireless comms for IIoT – not a typo

    Wi-Fi 6 and 6E are being promoted as technologies for enabling industrial automation and the Industrial Internet of Things (IIoT) thanks to features that provide more reliable communications and reduced costs compared with wired network alternatives, at least according to the Wireless Broadband Alliance (WBA).

    The WBA’s Wi-Fi 6/6E for IIoT working group, led by Cisco, Deutsche Telekom, and Intel, has pulled together ideas on the future of networked devices in factories and written it all up in a “Wi-Fi 6/6E for Industrial IoT: Enabling Wi-Fi Determinism in an IoT World” manifesto.

    The detailed whitepaper makes the case that wireless communications has become the preferred way to network sensors as part of IIoT deployments because it's faster and cheaper than fiber or copper infrastructure. The alliance is a collection of technology companies and service providers that work together on developing standards, coming up with certifications and guidelines, advocating for stuff that they want, and so on.

    Continue reading
  • Intel demos multi-wavelength laser array integrated on silicon wafer
    Next stop – on-chip optical interconnects? Plus it's built with 300mm tech, meaning potential volume production

    Intel is claiming a significant advancement in its photonics research with an eight-wavelength laser array that is integrated on a silicon wafer, marking another step on the road to on-chip optical interconnects.

    This development from Intel Labs will enable the production of an optical source with the required performance for future high-volume applications, the chip giant claimed. These include co-packaged optics, where the optical components are combined in the same chip package as other components such as network switch silicon, and optical interconnects between processors.

    According to Intel Labs, its demonstration laser array was built on the company's well-established 300mm wafer manufacturing technology which is already used to make optical transceivers, paving the way for high-volume manufacturing in future. The eight-wavelength array uses distributed feedback (DFB) laser diodes, which apparently refers to the use of a periodically structured element or diffraction grating inside the laser to generate a single frequency output.

    Continue reading
  • Ex-Uber security chief accused of hushing database breach must face fraud charges
    Company execs and their lawyers are paying close attention to this one

    A US judge yesterday threw out an attempt to dismiss wire fraud charges against a former Uber employee accused of trying to cover up a computer crime.

    Former Uber security chief Joseph Sullivan is set to face criminal charges after US District Judge William Orrick yesterday [PDF] rejected his claim that prosecutors did not "adequately" allege that the goal of the claimed misrepresentation of the security breach was to get Uber's drivers to stay with the platform and continue paying service fees.

    In December last year, a federal grand jury handed down a superseding indictment adding wire fraud to the list of charges pending against Sullivan for his role in the alleged attempted cover-up of the 2016 security breach at Uber. The incident led to around 57 million user and driver records being stolen.

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading
  • US seeks exascale systems 10 times faster than current state-of-the-art computers
    China claims to have 10 in the pipeline and may pull ahead in HPC arms race

    The US Department of Energy is looking to vendors that will help build supercomputers up to 10 times faster than the recently inaugurated Frontier exascale system to come on stream between 2025 and 2030, and even more powerful systems than that for the 2030s.

    These details were disclosed in a request for information (RFI) issued by the DoE for computing hardware and software vendors, system integrators and others to "assist the DoE national laboratories (labs) to plan, design, commission, and acquire the next generation of supercomputing systems in the 2025 to 2030 time frame."

    Vendors have until the end of July to respond.

    Continue reading

Biting the hand that feeds IT © 1998–2022