Speculation has it that Iran wants to pursue legal action against the US-Israeli led Stuxnet cyberattack. If the rumors prove to be true, Iran’s case against the United States could give the international community a great opportunity to use the case as needed momentum towards setting official international regulations on cyberwarfare. Arguably, the Stuxnet cyberattack is an illegal act of force that violated the Charter of the United Nations, the IAEA safeguards regime, and Iranian sovereignty as well.
After the U.S.-Israeli cyberattack, Tehran took a relatively passive posture and never officially complained to international legal channels. Shortly before President Rouhani took office in Tehran, an anonymous Iranian diplomat made public that Iran’s Foreign Ministry had enough evidence to take legal steps against the United States for the Stuxnet cyberattack. If Iran takes legal action against Washington it can demand that it receive compensations for damages caused and having its sovereignty violated by an illegal act of war. A lot is at stake as Iran’s determination against the cyberattack could set boundaries for future illegal cyber behavior.
Stuxnet is out of control
Speculation as to whether the US-Israel were behind the Stuxnet cyberattacks was finally confirmed in the summer of 2012 by David E. Sanger in his New York Times report and later book, Confront and Conceal, stating that the United States had been collaborating with Israel to develop cyberweapons against Iran. Sanger confirmed the U.S. and Israel as authors of the Stuxnet virus through reliable sources that had direct knowledge of the covert initiative codenamed - “Olympic Games.”
Anonymous U.S. officials disclosed to Sanger that the Stuxnet virus was developed by the Central Intelligence Agency, the National Security Agency and Israel’s cyber agency, Unit 8200. Together they wrote the sophisticated virus coupled with another malware program called Flame and additional cyberweapons for attacks on Iran’s infrastructure. Although the covert operation against Iran’s nuclear energy program was first authorized by the Bush administration in 2007-2008, it was the Obama administration that vastly expanded the cyberwar against Iran and launched the cyberattacks in 2009 and 2010.
The Stuxnet cyberattacks against Iran arguably are the world’s first cyberattack intended to cause actual physical damage as the malware was programmed to target Iran’s enrichment performance. Stuxnet attacked in three waves- June 22, 2009, March 1, 2010, and May 11, 2010, and it infected its targets within a month. After the cyberattacks, it was believed that 1,000 IR-1 centrifuges used to enrich uranium at Iran’s facility at Natanz were sabotaged during the attack including but not limited to 30,000 IP addresses in Iran, several manufacturing sites in Hormuzgan and the control system of Kharg Island-which handles the vast majority of Iran’s crude oil exports.
According to Symantec the numbers verify that Stuxnet was mainly aimed at Iran as 58.85% of reported Stuxnet infections occurred in systems in Iran. Data collected by IAEA reports suggested Iran decommissioned and replaced nearly 1,000 IR-1 centrifuges in the Fuel Enrichment Plant (FEP) at Natanz, late in 2009 or early in 2010. Iran’s ability to install and operate new IR-1 centrifuges for nuclear energy was hindered but Tehran soon began producing enriched uranium up to 20 percent in February 2010.
The reckless Stuxnet malware continued spreading around the world damaging 100,000 computers across Europe, attacked Russian nuclear facilities, 7,600 power, chemical and petrochemical plants across the world, 30,000 organizations and 115 other countries computers and infrastructure. After the cyberattacks against Iran, the Obama Administration was concerned that Iran might retaliate against American troops and interests throughout the region, including Israel. What the Obama Administration failed to consider was that Stuxnet would boomerang back to hurt American infrastructure. Despite the fact that Stuxnet was out of control, the Obama Administration would continue with the program. According to Sanger in Confront and Conceal, “Inside the Pentagon and the CIA, there were meetings about whether the United States would be accused of being among the first to use a cyberweapon against a sovereign state.”
The Legality against Stuxnet
Iran is an active member of the IAEA and a signatory to NPT with an indigenous civilian nuclear energy program. Another nation interfering with Iran’s right to enrich uranium under the IAEA safeguards and protocols clearly is an infringement on Iran’s sovereignty. Regardless of the extent of damage to Iran’s nuclear facilities by Stuxnet, the act was an illegal act of force by a foreign nation. Unfortunately, the international community of nations has yet to implement clear international laws in a cyber-context on cyberwarfare and cybersecurity. This may have been one of the main reasons for why Iran initially shied away from admitting it was cyberattacked with Stuxnet and taking legal action at the time.
The ambiguities of cyberwarfare legality and existing law structure and frameworks provide limited outlets for states seeking answers to foreign cyberattacks. Shortly before President Rouhani’s election, the Center for the Strategic Studies of the Nuclear Program of Iran published an article stating that an anonymous diplomat told them that Iran believes Stuxnet is equivalent to a military strike and that Iran was preparing to take legal action against the United States. According to the article the anonymous diplomat said, “time for legal action has arrived. The American government will be condemned based on both international standards and based on two documents of its own government specifically, the Pentagon’s strategy in operating in cyberspace and also America’s national strategy to secure cyberspace.”
The unnamed diplomat said that taking legal action against the US for Stuxnet is a priority for Rouhani’s cabinet and that “the Foreign Ministry is currently gathering legal documents and evidence in order to take legal action in international institutions. Statements by American officials will have an important role in these documents. Also, Iran feels that it can mount a strong front on the world stage on this case because other countries also face this danger.”
If and when the Iranian government does decide to officially pursue legal action against the United States for its cyberattacks it could reference the Charter of the United Nations to justify the legality against Stuxnet. In the present charter the UN provides two explicit articles against an illegal act of force. In Article 2, chapter 4, the UN charter states that member states must: “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the united nations.”
Sending a cyberattack to destroy or damage a foreign country’s civilian nuclear facility clearly would violate this article. In Chapter VII Article 39, in accordance with Article 40 and 41, the Security Council “shall determine the existence of any threat to the pace, breach of peace or act of aggression,” and “can authorize force if necessary to maintain or restore peace, provided that certain factual conditions are met.” The second explicit exception to the prohibition against the use of force refers Article 51 in which it says “nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack against a member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”
Iran’s development of nuclear energy does not amount to an armed attack nor an actual danger to the world under article 51 of the UN charter. One may argue that there have been armed attacks by Iran via its support for Hamas and Hezbollah against the US or Israel thus, there is justification for launching a cyberattack against Iran. However, according to the International Court of Justice, supplying training and weapons to an enemy of a state does not, by itself, constitute an armed attack against that particular state.
In pursuing this idea of launching Stuxnet against Iran’s nuclear program as self-defense, according to the “Responsibility of States for internationally wrongful acts” adopted by the International Law Commission, the grounds for “necessity” when a State may violate a rule of international law in order to prevent a greater harm even where there has been no armed attack. Article 25 has been formulated as applying where such conflict “is the only way for the State to safeguard an essential interest against a grave and imminent peril” and the action by the State does not cause greater damage. Therefore, in order for the US and Israel to justify that they used Stuxnet as self-defense against Iran’s nuclear program they would have to factually prove that Iran had weaponized its nuclear program at the time and that the nuclear bombs Iran had built were a dire threat to both countries.
Second chances don’t come often and in Iran’s case its best to avoid being the victim of another cyberattack by the US. Iran has a golden opportunity to test winning a legal case against the US that can facilitate new boundaries for illegal behavior in cyberwarfare. This is important as the international community has continued to fail to implement effective legal frameworks that can govern cyberwarfare and cybersecurity. Iran’s case against the US can help the international community make clear definitions on cyberwarfare and set into motion international cooperation on ratifying international laws and structures that will serve as a limit on cyberwarfare.
By following through in its legal preparation, Iran could develop a role for championing international cybersecurity as it has been the world’s largest victim of cyberwarfare. At a time when cyberwarfare is becoming more prevalent in our world, the international community should support opportunities such as Iran’s case in order to strengthen rules, regulations and principles governing cyberwarfare. As concerned citizens, we should support Iran in its legal action against US cyberattacks as it can be an important step against reckless cyberattacks and unregulated cyberwarfare.