A group of legal experts invited to study at NATO’s Cyber Defense Center of Excellence released a report over the weekend that names 2010 Stuxnet cyberattack on Iran’s nuclear power plants as an illegal “act of force.”
The study is called The Tallinn Manual on the International Law Applicable to Cyber Warfare and is supposed to act as a “textbook,” as one of its writers Michael Schmitt explained to the Washington Times. It shows how traditional international law and cyberwar can be interpreted together.
It outlines an act of force as anything that kills or injures humans or otherwise destroys or damages objects. The Stuxnet virus, which infects SCADA systems, or the computers that control industrial infrastructure, infected Iran’s Natanz nuclear power plants. Specifically, it critically damaged the section of the plant that released an important gas into its centrifuges.
The malware is suspected to be a joint effort between the governments of the U.S. and Israel, though neither have accepted responsibility.
As Schmitt noted, however, the U.N. states that acts of force can be used by countries in self-defense, whether that’s in response to an act of force or a preemptive strike against anticipated danger. Though the manual states this attack is probably considered illegal under traditional law, the U.S. and Israel fear nuclear attacks from Iran, making it plausible that the “act of force” was in self-defense. That is, if these two countries are behind the attacks as is suspected.
How other countries should react, however, is up to them. The manual is not intended to be law or an outline of rules. Rather, it is a proposed way of putting existing law into action around cyber attacks. However, some say that the current laws aren’t good enough for cyberwar given the lack of experience we’ve had with real, war-time cyberattacks.