The 2009 cyberattack by the U.S. and Israel that crippled Iran’s nuclear program by sabotaging industrial equipment constituted “an act of force” and was likely illegal under international law, according to a manual commissioned by NATO’s cyber defense center in Estonia.
“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force,” according to “The Tallinn Manual on the International Law Applicable to Cyber Warfare.”
Michael N. Schmitt, the manual’s lead author, told The Washington Times that “according to the U.N. charter, the use of force is prohibited, except in self-defense.”
Under the charter, states may use force in self-defense — and that, some argue, includes “anticipatory self-defense” against an incipient or imminent attack.
The international group of researchers who wrote the manual were unanimous that Stuxnet — the self-replicating cyberweapon that destroyed Iranian centrifuges that were enriching uranium — was an act of force, said Mr. Schmitt, professor of international law at the U.S. Naval War College in Newport, R.I.
But they were divided on whether its effects were severe enough to constitute an “armed attack,” he said.
Under the U.N. charter, an armed attack by one state against another triggers international hostilities, entitling the attacked state to use force in self-defense, and marks the start of a conflict to which the laws of war, such as the Geneva Conventions, apply.
Neither Israel nor the United States has publicly acknowledged being behind Stuxnet, but anonymous U.S. national security officials have told news outlets that the two countries worked together to launch the attack, which set the Iranian nuclear program back as much as two years, according to some estimates.
A group of 20 researchers wrote the manual at the invitation of NATO’s Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia.
It is not a statement of official policy by NATO or any of its member governments, but it reflects a consensus view of a large group of legal scholars and practitioners, including several senior military lawyers from NATO countries who took part in producing the manual.
The authors, advised by a group of technical analysts in cybersecurity, took three years to write the 300-page manual, which was published earlier this month in London, Mr. Schmitt said.
“We wrote it as an aid to legal advisers to governments and militaries almost a textbook,” he said, noting that many of the authors are or have been legal advisers.
He said the manual also was intended to be a starting point for discussions about the law.
“States make law, not scholars,” he said. “We wanted to create a product that would be useful to states to help them decide what their position is” in regard to the manual’s interpretation of the law.