Waging Wars in Cyberspace

Below is an edited version of the final two chapters of my Honors thesis on the Stuxnet incident and Article 51 of the UN Charter. A full copy of my thesis is available on OhioLink.

Rubin, Willa. “Waging Wars in Cyberspace: How International Law On Aggression And Self-Defense Falls Short Of Addressing Cyber Warfare. Could Iran Legally Retaliate For The Stuxnet Attack?” Published on OhioLink. May 2016. http://bit.ly/2b8ihKJ 

Editor’s Note:

This paper examines how a single cyber operation—Stuxnet—highlights how experts must re-evaluate our customary and codified international legal norms to incorporate the possibility of unconventional weapons of mass destruction.

I began this paper by discussing how the term “cyber” is defined and used by academics. I also provided context for the international legal system and relevant international political theories. I then discussed the historical roots and uses of the term “aggression.” I explained how the Stuxnet worms worked on a technical level, and how they damaged the production and performance of centrifuges at Iran’s nuclear facility at Natanz between approximately 2007-2010. Below is an edited version of the final two chapters of my thesis, which concerned whether or not the Stuxnet incident could be considered “aggression” under the 2010 amendment to the Rome Statute. It also questioned what a “proportional” response to a cyber attack like the Stuxnet incident would look like.

Willa Rubin

 Understanding The Stuxnet Incident As An Act of “Aggression”

Chapters 5 and 6 of this thesis discussed how the Stuxnet worms were extremely difficult to detect, due to their gradual and clandestine disruptions of centrifuge production and performance at Iran’s nuclear facility at Natanz. Could the use of these worms be seen as violating the 2010 amendment to the Rome Statute which criminalized aggression?

7.a. The “Crime” And “Act” Of “Aggression”

The 2010 amendment to the Rome Statute distinguishes the “crime of aggression” from the “act of aggression.” The “crime” is defined as:

“The planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations […]”[1]

Conversely, the “act of aggression” means executing this plan:

“The ‘act of aggression’ means the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner inconsistent with the Charter of the United Nations.”[2]

Both definitions expand upon and render binding the otherwise non-binding UN General Assembly (UNGA) Resolution 3314 (1974)[3], which recommended that both the “crime” and “act” of aggression be considered criminal. [4] This difference is critical in the case of cyber operations, which is discussed later in more detail.

The Stuxnet incident would likely be seen as some form of “aggression.” Experts studied the code used in Stuxnet, and determined that they were likely built to target Natanz specifically.[5] Stuxnet clearly and intentionally violated Iran’s territorial sovereignty—specifically via cyberspace. Langner notes that it was “intended to drive the engineers crazy,” as it disrupted the performance and production of centrifuges while superficially appearing as if all was functioning properly.[6] However, determining whether or not this operation would be a “crime” or “act” of aggression—as opposed to pre-emptive self-defense, as the US and Israel may claim—is contingent on whether or not the Stuxnet worms could be seen as an “armed attack.”

7.b. An “Armed Attack?”

Under Article 51, attacking an adversary before the adversary can launch its

attack may be legal, depending on the imminence of the adversary’s purported attack. When there is compelling evidence showing that an adversary’s attack is imminent, attacking the adversary first would be considered “pre-emptive,” which is legal. On the other hand, attacking an adversary without compelling evidence constitutes a “preventive” attack, which is illegal and would be considered “aggression.”

In the case of the Stuxnet incident, the US and Israel might argue that the Stuxnet operation was launched as an act of “pre-emptive” collective self-defense against Iran. After all, Iran has historically used hostile language about both the US and Israel—and based on studies of Iran’s nuclear program, it is certainly possible that Iran intended to build its nuclear program beyond the capabilities necessary for nuclear power as a source of energy. Regardless of Iran’s intentions with its nuclear program, attacking Iran first—before it could attack the US or Israel—would constitute a “preventive,” and thus illegal, attack. This is due to Iran’s material capabilities at the time of Stuxnet’s initial launch. Iran was enriching uranium, but it had not even produced a nuclear explosive, let alone a weapon; it could not pose an imminent threat to US or Israeli national security.

From the language of Article 51, it is unclear in the context of non-conventional weaponry (namely, cyber operations) what an “armed attack” would actually constitute. Stuxnet was the first known cyber operation launched that had a direct, physical result, directed at one member of the UN by another. Its effect was gradual and happened over the course of many years—but it lacked civilian casualties. How might a state respond to a non-armed attack, but a violation of state sovereignty nonetheless? Without a clear protocol for these dubiously-defined “attacks,” it is difficult to determine what a proportional response to a cyber attack would actually look like.

The question of what constitutes an “armed attack” is problematic. Article 51 and the rest of the UN Charter were signed into force in 1945, after two uses of atomic bombs on Japan by the US; “armed attack” clearly refers to conventional weapons, and weapons of mass destruction, being used by state actors. But when applied to cyber attacks that do not wreak the same immediate havoc as conventional weapons, do Article 51 and “armed attack” even suffice to discuss cyber warfare?

However large-scale this cyber attack was, claiming that the Stuxnet worms were akin to an attack conventional weapons would be vastly overstated. Assuming this is considered to be an “armed attack”—and given that states may respond in “self-defense” to “armed attacks” under Article 51—how might Iran respond?

8. Proportionality: How Might Iran Respond To The Stuxnet Incident?

Customary law shows that responses to attacks must be “proportional” to the initial attack. [7] But what does “proportionality” mean for cyber operations, which often lack kinetic results that directly endanger civilians? This section investigates the limits of “proportionality” in response to a cyber attack with the same impact as Stuxnet. In doing so, it addresses how terms such as “armed attack” in Article 51 are similarly vague regarding cyber operations.

8.a. “Proportional” Responses To Cyber Attacks

Proportionality is crucial to consider, as an attack of the same scale as Stuxnet would involve one state quickly building and launching two highly complex, self-propagating worms in a foreign nuclear facility.

The US Army Counterinsurgency (COIN) Manual defines “proportionality” using “simple utilitarian terms: civilian lives and property lost versus enemy destroyed and military advantage gained.”[8] The European Court of Human Rights nuances this definition to include proportional intentions, beyond comparable damage inflicted: “The force used must be strictly proportionate to the achievement of the permitted aims.”[9]           While the US may have committed the crime (or an act) of aggression against Iran, it is unclear whether Iran could legally respond proportionally. It also raises the following question: What would a proportional response be in the event of an equally destructive cyber operation? For example, could a state’s response to a cyber operation only be via another cyber operation?

Iran has a limited range of legal options for responding to American-Israeli aggression—particularly now in 2016. Normally, as a member of the UN, Iran would need to obtain a unanimous vote from the UN Security Council (UNSC) and obtain a vote from the P5 members to justify responding to an attack on its sovereignty.[10] However, as a member of the permanent five members of the UNSC, the US would veto any resolution giving Iran the power to attack the US or Israel. Yet Iran never pursued this course of action. Since the attack was realized over six years ago—and was not hugely destructive—could a “proportional” response from Iran be considered self-defense anymore?

This raises an important question in addressing Article 51 in the future: when coping with clandestine cyber operations that take place over a long period of time, how can the UN and other international legal bodies rectify aggressive behavior that occurs in cyberspace?

8.b. A Threat To International Peace and Security?

Another central question surfaces from Article 51: would a cyber attack pose a real, tangible “threat” to international peace and security? Perhaps not immediately; as of 2016, cyber attacks as we know them have not had immediately destructive physical impacts. But future attacks could lead to a comparably dangerous outcome. In Lights Out, Koppel notes that, “where FEMA’s presumed 9.0 earthquake would leave a city in rubble, with thousands of dead and injured, even the most massive cyberattack would inflict very little immediate physical damage.” [11] However, he adds that a cyberattack on the continental US powergrid could trigger an intense “domino-like, cascade effect,” causing electrical blackout where civilians have limited access to resources they are used to like plumbing, information, heat or air-conditioning, and so forth.[12] While an attack directly on the US power grid certainly differs from an attack on Iranian centrifuge production, this shows that our international legal infrastructure intended to provide procedures and legal responses to attacks is insufficient to address responses to aggressive cyber operations between states.

Conclusion:

Article 51 says that states may respond to “aggression” from an adversary in the event of an “armed attack.” The definition of “aggression” under the Rome Statute shows that the term was meant to be used in the context of military-like invasion, with a kinetic impact endangering people’s lives. By this standard, the Stuxnet incident could be considered more akin to industrial sabotage. The term “armed attack” is clearly dubious regarding cyber operations—if these operations as we know them do not directly endanger civilians, could they truly be considered “armed”? How might that change in the future if cyber attacks evolve to a point where they do produce that dangerous doomsday scenario—or worse, where they are deadly themselves? This lack of clarity is indicative of how insufficiently prepared the international legal system is to address malignant cyber operations; the standard rhetoric and procedures meant for states responding to conventional warfare do not fit neatly with this growing field of malignant operations.

[1] Rome Statute of the International Criminal Court.

https://www.icc-cpi.int/nr/rdonlyres/ea9aeff7-5752-4f84-be94-0a655eb30e16/0/rome_statute_english.pdf

[2] Rome Statute, ibid.

[3] Wilmshurst, Elizabeth. “Definition of Aggression.” United Nationals Audiovisual Library of International Law. http://legal.un.org/avl/pdf/ha/da/da_e.pdf

[4] It is worth noting that the International Criminal Court (ICC) will not be able to exercise jurisdiction over the crime of aggression until “at least 30 States Parties have ratified or accepted the amendments [concerning the crime of aggression]; and a decision is taken by two-thirds of States Parties to activate the jurisdiction at any time after 1 January 2017.”[4] Also, states cannot be tried at the ICC; this Court is reserved solely for cases concerning the culpability of individuals. This scenario presumes that individuals responsible for the employment of Stuxnet may be found culpable individually. Although neither the US nor Israel have ratified the Rome Statute, the Rome Statute is still the most updated—and most binding—edition of what UNGA 3314 sought to proscribe.

[5] Ralph Langner. “To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve.” The Langner Group, 2013.

[6] Langner, Ralph. “Cracking Stuxnet: a 21st-century cyber weapon.” TED Talk, 2011. http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon/transcript?language=en#t-175983 (accessed November 13, 2015).

[7] Article 51 of the UN Charter states that: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.” Charter of the United Nations (1945). https://treaties.un.org/doc/Publication/CTC/uncharter.pdf.

[8] Newton and May, ibid, 26.

[9] Khatsiyeva and others v. Russia. Cited in Newton and May, 7.

[10] Obtaining UNSC approval is necessary to responding to armed attacks. The UNSC permanent five (“P5”) members refers the United Kingdom, France, China, Russia, and the United States. These are the only states with permanent seats on the UNSC, and all have veto power—a privilege that other rotating members of the Council do not have.

[11] Ted Koppel. Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath (Crown, 2015), 15.

[12] Koppel, ibid, 15.