Wednesday, January 26, 2011

Stuxnet: Implications of Weaponising Cyberspace?

(Ahmadinejad tries the old Jedi mind-trick: "These are not the enrichment centrifuges you're looking for....")

A couple of weeks ago, the NY Times published a remarkable article on the apparent use of an advanced computer virus allegedly developed by US and Israeli computer scientists designed to specifically target and destroy Iranian uranium enrichment centrifuges at Natanz, by targeting the Supervisory Control And Data Acquisition (SCADA) control systems.

Over on OpinoJuris Professor Duncan Hollis of Temple Law School followed this up with a discussion of whether Stuxnet constitutes the use of force in violation of Article 2(4) of the UN Charter or an “armed attack” giving the victimized state a right of self defence under Article 51 of the Charter. Interestingly, Hollis suggests that Stuxnet falls under Article 41 of the Charter, and therefore could be legal as the UN Security Council has authorised limited sanctions.

Ignoring the small point that Article 41 explicitly requires Security Council authorisation, and that it is far from obvious that a Stuxnet attack on Natanz is covered by the applicable UNSCRs, Stuxnet raises a series of very interesting international law questions - and specifically Law of Armed Conflict questions over what constitutes the use of force in the networked era.

What is the appropriate basis for determining whether or not there has been an armed attack under Article 2(4)? There is an extensive literature on this, and on the related question of the pre-emptive use of force; however, there is little to guide on us on Stuxnet. My preference is that the definition of an armed attack is by definition somewhat fluid in all but the mental elements - the specific intent of the attacker is to achieve an effect on the target, which is usually, but not limited to, destruction, damage or degradation.

On this reading, what matters is the intended effect on the target, irrespective of the of the method used. Presumably the attacker will use the method most likely to be effective at the minimum cost to him/herself - if this is a bomb dropped by an aircraft so be it, or if it is a computer virus that spins nuclear centrifuges to destruction, then what matters is the intention of those creating and releasing the computer virus.

If true, and this is a developing area of the law, then State Responsibility doctrine applies, and the right of self-defence also applies if a State developed and deployed this virus, or sheltered a non-State actor which did. Therefore, if Stuxnet did operate as claimed, targeting only specific Siemens controllers clustered in groups of 984 as in Natanz, though it is an undoubtedly massive technical achievement, it was also intended to cause the effect of slowing the Iranian enrichment programme through causing technical malfunctions of Natanz's centrifuges causing them to self-destruct - and would therefore meet the effect's based doctrine of an armed attack.

The implications of this are vast. First, if the NY Times article is accurate, then the US and Israel have conducted an armed attack against Iran, which has the legal right to defend itself. Consider the outcry if Iran responded by attacking US Navy ships in the Persian Gulf, or lobbed a missile at the Israeli nuclear facilities at Dimona? But faced with the reverse scenario of Iranian hackers successfully interdicting a critical element of the US or Israeli nuclear programme, I'm sure that the US and Israel would take the view that this constituted an attack, and would not rule out a forcible response.

Second, the State Responsibility doctrine relating to non-State actors is going to be much harder to enforce in cyberspace than in the physical world. It was straightforward to how in 2001 that Al Qaeda were based in Taliban-controlled Afghanistan: the camps were physically there, and the Taliban in effect admitted that Bin Laden et al were in territory that they controlled. This acceptance provided the legal mandate for the use of force against the Taliban who were held responsible for the actions of the AQ leadership.

However, consider the position of a group of disaffected hackers in the UK who were able to create a Stuxnet style virus which destroyed the electricity grid in China. Not sponsored by the UK Government, it is quite possibly the UK would have no idea that they were operating from UK territory. If this were an armed attack, either the UK itself would take on responsibility for the action of the non-State group (hardly appealing), find and suppress the organisation (likely to be difficult) or would have to submit to Chinese actions against the hackers on UK soil (as the UK was unwilling or unable to stop them - also unattractive.) If nothing else, this possibility raises the possibility that States will want to have better information about who is doing what on their territory, raising further challenges for civil liberties.

Finally, western infrastructure is heavily, and increasingly, dependent on automation through SCADA controllers: it is much more efficient to have a computer opening and closing valves and controlling power grids than using a telephone to call an engineer in the middle of the night. Consequently our societies are intrinsically more vulnerable to this sort of attack than those which are less technologically advanced with fewer integrated control systems.

So Stuxnet marks a legal watershed as well as a technical triumph. What follows will be very interesting to watch as the law attempts to catch up with the technological advances.

And I wonder if I've just found a PhD topic?


JayRobb said...

Fascinating and thought-provoking as usual, Toby. This would make a GREAT subject for a dissertation, or at the very least an excellent article. I always kick myself that I didn't see the potential in a project I did for a mass comm class in grad school on the future of political campaigns on the internet, back in 1996. I pretty much laid out what Howard Dean and then Barak Obama did with their campaigns on the web about a decade later.

Stuxnet: Two things worry me, regardless of the international law implications. First: the potential for something like this to get out of control. The escape of bioweapons or research superbugs has been the subject of many an apocalyptic story in just about every medium, but I think the potential for a weaponized cybernetic pathogen to rage out of control is more realistic. From what I recall about Stuxnet the story started when the virus started showing up on Ukrainian computers. A programmer making a sloppy mistake is a great gag in the movie "Office Space" but what if the person(s) coding Stuxnet had made an error that would have made its target much less specific?

Second and perhaps more importantly, if we or any other state are going to call down the thunder by launching a cyber-attack, are we ready for the boom? What's to stop an Iranian programmer from designing a virus that would cause a cascading failure of our electrical grid, for example?

One doesn't have to go too far down this path to start having nightmare thoughts.

Toby's Random Musings said...

Jay, hi

Many thanks for all of this. You're spot on, the problem with this is that those who sow the wind will reap the whirlwind.

And I'll get a plan together for the fun and games of some academic work. I do miss it!