- Rev. Al Sharpton’s Easter message: Politically ‘crucified’ Obama has risen again
- Supreme Court to weigh challenge to ban on campaign lies
- UNICEF launches ‘Mr. Poo’ mascot in India to curb public defecation
- Teen taking selfie by train: ‘Wow, that guy just kicked me in the head’
- Goodbye, Afghanistan — hello, Africa: Air Force to shift as U.S. exits Middle East
- Iran mulls ban on vasectomies, decrease on abortions to bolster population
- CNN op-ed claims right-wingers ‘more deadly than jihadists’
- Classes resume at high school rocked by stabbings
- ABC News accuses Center for Public Integrity of stealing Pulitzer-winning work
- Law firm that cleared N.J. Gov. Christie in ‘Bridgegate’ gave 10K to RGA, which he heads
U.S.-Israeli cyberattack on Iran was ‘act of force,’ NATO study found
Strike devastated nuclear program
The 2009 cyberattack by the U.S. and Israel that crippled Iran’s nuclear program by sabotaging industrial equipment constituted “an act of force” and was likely illegal under international law, according to a manual commissioned by NATO’s cyber defense center in Estonia.
“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force,” according to “The Tallinn Manual on the International Law Applicable to Cyber Warfare.”
Michael N. Schmitt, the manual’s lead author, told The Washington Times that “according to the U.N. charter, the use of force is prohibited, except in self-defense.”
Under the charter, states may use force in self-defense — and that, some argue, includes “anticipatory self-defense” against an incipient or imminent attack.
The international group of researchers who wrote the manual were unanimous that Stuxnet — the self-replicating cyberweapon that destroyed Iranian centrifuges that were enriching uranium — was an act of force, said Mr. Schmitt, professor of international law at the U.S. Naval War College in Newport, R.I.
But they were divided on whether its effects were severe enough to constitute an “armed attack,” he said.
Under the U.N. charter, an armed attack by one state against another triggers international hostilities, entitling the attacked state to use force in self-defense, and marks the start of a conflict to which the laws of war, such as the Geneva Conventions, apply.
Neither Israel nor the United States has publicly acknowledged being behind Stuxnet, but anonymous U.S. national security officials have told news outlets that the two countries worked together to launch the attack, which set the Iranian nuclear program back as much as two years, according to some estimates.
A group of 20 researchers wrote the manual at the invitation of NATO’s Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia.
It is not a statement of official policy by NATO or any of its member governments, but it reflects a consensus view of a large group of legal scholars and practitioners, including several senior military lawyers from NATO countries who took part in producing the manual.
The authors, advised by a group of technical analysts in cybersecurity, took three years to write the 300-page manual, which was published earlier this month in London, Mr. Schmitt said.
“We wrote it as an aid to legal advisers to governments and militaries almost a textbook,” he said, noting that many of the authors are or have been legal advisers.
He said the manual also was intended to be a starting point for discussions about the law.
“States make law, not scholars,” he said. “We wanted to create a product that would be useful to states to help them decide what their position is” in regard to the manual’s interpretation of the law.
“We were not making recommendations, we did not define best practice we did not want to get into policy,” he said.
Instead, the authors had tried to write the definitive account of “how does existing law apply in cyberspace,” he said.
The threshold questions of what constitutes an act of force and what triggers international hostilities are far from merely hypothetical questions, Mr. Schmitt said.
In August 2008, Georgia and Russia went to war in the disputed border province of South Ossetia. The shooting war was accompanied by cyberattacks that knocked offline many Georgian news sites and much of the country’s government, including the foreign ministry.
Mr. Schmitt said that if a cyberattack occurs before the shooting starts, “It’s a crime.” If it occurs after the shooting begins, then the hackers behind the cyberattack effectively have joined the hostilities as combatants and can be targeted with lethal force, he said.
Some researchers in cybersecurity and international law believe that judgment, like many others in the manual, is contentious.
“That’s is why you don’t let lawyers go off on their own,” said James A. Lewis, a scholar at the Center for Strategic and International Studies.
Mr. Lewis said there has not yet been enough conflict in cyberspace to allow states to develop the norms and rules needed to interpret international law. The manual’s authors “are writing way ahead of practice,” he said.
“A cyberattack is generally not going to be an act of force,” Mr. Lewis said. “That is why Estonia did not trigger Article 5 in 2007.”
Article 5 of the NATO treaty obliges member states to come to the aid of a fellow member state that has been attacked.
In 2007, Estonia was locked in a civil and political conflict with its ethnic Russian population and with Russia over the removal of a war memorial to the Russian soldiers killed fighting Nazism in World War II. The country was beset by massive cyberattacks that crippled computer networks belonging to the government, news organizations and banks.
The attacks were traced to hackers in Russia, and most Western observers believe they were encouraged or even orchestrated by the Kremlin.
“The facts of a cyberincident are generally not well known, difficult to ascertain in detail and unclear even years in retrospect,” he said.
A central issue for international law, such as who carried out an attack, for instance, is generally regarded as extremely difficult to ascertain — the so-called attribution problem.
Mr. Schmitt opined that, for “a [nation] state with highly advanced technical capabilities, attribution is not as hard as the public believes.”
As Mr. Lewis noted, “The standards of proof on the battlefield are lower than they are in court.”
© Copyright 2014 The Washington Times, LLC. Click here for reprint permission.
About the Author
Shaun Waterman is an award-winning reporter for The Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. His reporting on the Sept. 11 Commission and the tortuous process by which some of its recommendations finally became ...
- Senator's memo shows Iran links in Homeland Security's troubled immigration program
- Help wanted: Homeland Security plagued by vacancies at the top
- Dems back bill to fix problems in investor visa program
- Democrats proceed with Mayorkas vote despite pending investigation
- Game players don't think peace has a chance in Syria
Latest Blog Entries
TWT Video Picks
By returning to Christian roots, the nation can achieve greatness once again
- 'Culture of intimidation' seen in Nevada ranch standoff
- GOP writes legislation to deny Attorney General Eric Holder his salary
- Nevada Bundy ranch standoff could leave dirt on Harry Reid reputation
- U.S. Navy to turn seawater into jet fuel
- CARSON: Recovering Tocqueville's vision of American exceptionalism
- U.S. military on high alert as Ukraine troops trade gunfire with pro-Russian militants
- Fuel-filled wings, ability to swarm: Pentagon offers glimpse at future of drone fleet
- Secret U.S. assessments show Afghanistan not ready to govern on own
- CNN op-ed claims right-wingers 'more deadly than jihadists'
- Josh Romney swipes Harry Reid with photo tweet of dad paying taxes 'your paycheck'
Celebrity deaths in 2014
Top 10 handguns in the U.S.