In the live broadband world, after too long away. (Thanks for not-very-much, BT....)
Anyway, back in January, we looked briefly at the legal and practical implications of weaponising cyberspace. Given that reciprocity is a key foundation of international law, I was very interested in this short piece from the Guardian today, detailing a possible cyber attack on a US water control facility.
Interesting times!
Sunday, November 20, 2011
Tuesday, February 22, 2011
Armed Attacks in Cyberspace
(The front door to our wonderful playroom.)
I was at Chatham House last night for Elizabeth Wilmshurst's excellent International Law Discussion Group series, this time addressed by Col. Hays Parks USMC (Retd), the editor of the forthcoming US Department of Defense Manual on the Law of Armed Conflict. (Yes, it's finally happening, and we can replace US Army Field Manual FM 27-10 from 1956!) As expected, Col. Parks was excellent, and with a distinguished audience asking pointedly interesting questions, it was heaven for a LOAC* geek! As usual, ILDG was all very interesting, and there will be a formal note of the meeting on the ILDG website shortly.
(An Annex to our wonderful playroom.)
But one of the most interesting elements was the news that there will be a chapter on the law covering electronic attacks and cyberwarfare. This will be the shortest of the chapters, reflecting the novelty of the subject, but it will be fascinating to see the conceptual approach that the US are taking; crucially, what will they say about the definition of an armed attack in cyberspace? All to be revealed shortly, it seems.
* Don't let Wikipedia or the ICRC mislead you, dear reader. LOAC is not "International Humanitarian Law", it is the law to regulate - and make less terrible - armed conflict... hence, the Law Of Armed Conflict - LOAC! Please note: this blog has no strong views on this subject. Too much.
Wednesday, January 26, 2011
Stuxnet: Implications of Weaponising Cyberspace?
(Ahmadinejad tries the old Jedi mind-trick: "These are not the enrichment centrifuges you're looking for....")
A couple of weeks ago, the NY Times published a remarkable article on the apparent use of an advanced computer virus allegedly developed by US and Israeli computer scientists designed to specifically target and destroy Iranian uranium enrichment centrifuges at Natanz, by targeting the Supervisory Control And Data Acquisition (SCADA) control systems.
Over on Opinio Juris, Professor Duncan Hollis of Temple Law School followed this up with a discussion of whether Stuxnet constitutes the use of force in violation of Article 2(4) of the UN Charter or an “armed attack” giving the victimized state a right of self defence under Article 51 of the Charter. Interestingly, Hollis suggests that Stuxnet falls under Article 41 of the Charter, and therefore could be legal as the UN Security Council has authorised limited sanctions.
Ignoring the small point that Article 41 explicitly requires Security Council authorisation, and that it is far from obvious that a Stuxnet attack on Natanz is covered by the applicable UNSCRs, Stuxnet raises a series of very interesting international law questions - and specifically Law of Armed Conflict questions over what constitutes the use of force in the networked era.
What is the appropriate basis for determining whether or not there has been an armed attack under Article 2(4)? There is an extensive literature on this, and on the related question of the pre-emptive use of force; however, there is little to guide us on Stuxnet. My preference is that the definition of an armed attack is by definition somewhat fluid in all but the mental elements - the specific intent of the attacker is to achieve an effect on the target, which is usually, but not limited to, destruction, damage or degradation.
On this reading, what matters is the intended effect on the target, irrespective of the method used. Presumably the attacker will use the method most likely to be effective at the minimum cost to him/herself - if this is a bomb dropped by an aircraft so be it, or if it is a computer virus that spins nuclear centrifuges to destruction, then what matters is the intention of those creating and releasing the computer virus.
If true, and this is a developing area of the law, then State Responsibility doctrine applies, and the right of self-defence also applies if a State developed and deployed this virus, or sheltered a non-State actor which did. Therefore, if Stuxnet did operate as claimed, targeting only specific Siemens controllers clustered in groups of 984 as in Natanz, though it is an undoubtedly massive technical achievement, it was also intended to cause the effect of slowing the Iranian enrichment programme through causing technical malfunctions of Natanz's centrifuges causing them to self-destruct - and would therefore meet the effects-based doctrine of an armed attack.
The implications of this are vast. First, if the NY Times article is accurate, then the US and Israel have conducted an armed attack against Iran, which has the legal right to defend itself. Consider the outcry if Iran responded by attacking US Navy ships in the Persian Gulf, or lobbed a missile at the Israeli nuclear facilities at Dimona? But faced with the reverse scenario of Iranian hackers successfully interdicting a critical element of the US or Israeli nuclear programme, I'm sure that the US and Israel would take the view that this constituted an attack, and would not rule out a forcible response.
Second, the State Responsibility doctrine relating to non-State actors is going to be much harder to enforce in cyberspace than in the physical world. It was straightforward to show in 2001 that Al Qaeda were based in Taliban-controlled Afghanistan: the camps were physically there, and the Taliban in effect admitted that Bin Laden et al were in territory that they controlled. This acceptance provided the legal mandate for the use of force against the Taliban who were held responsible for the actions of the AQ leadership.
However, consider the position of a group of disaffected hackers in the UK who were able to create a Stuxnet style virus which destroyed the electricity grid in China. Not sponsored by the UK Government, it is quite possible the UK would have no idea that they were operating from UK territory. If this were an armed attack, either the UK itself would take on responsibility for the action of the non-State group (hardly appealing), find and suppress the organisation (likely to be difficult) or would have to submit to Chinese actions against the hackers on UK soil (as the UK was unwilling or unable to stop them - also unattractive.) If nothing else, this possibility raises the possibility that States will want to have better information about who is doing what on their territory, raising further challenges for civil liberties.
Finally, western infrastructure is heavily, and increasingly, dependent on automation through SCADA controllers: it is much more efficient to have a computer opening and closing valves and controlling power grids than using a telephone to call an engineer in the middle of the night. Consequently our societies are intrinsically more vulnerable to this sort of attack than those which are less technologically advanced with fewer integrated control systems.
So Stuxnet marks a legal watershed as well as a technical triumph. What follows will be very interesting to watch as the law attempts to catch up with the technological advances.
And I wonder if I've just found a PhD topic?