Stuxnet Cyberattack Deemed An "Act Of Force" Against Iran


After three years of research, 20 cybersecurity experts completed a 300-page handbook for NATO, dubbed “The Tallinn Manual.” This revolutionary guide outlines the rules of engagement on the latest battleground, the internet.

Although this document does not yet constitute international law, it sets a dangerous precedent for future warfare by vaguely identifying civilian hackers, also known as “hacktivists,” as potential combatants on this complicated battlefield.

Although some of the analysis was less than conclusive, all 20 researchers were in agreement regarding the 2009 cyberattack known as Stuxnet, which was likely sponsored by the U.S. or Israel and is believed to have set the Iranian nuclear enrichment program back by approximately three years. The authors of The Tallinn Manual firmly deemed that Stuxnet, was an “act of force” against the Iranian regime.  

Under the United Nations Charter, international law prohibits acts of force against rival states unless the act is in self-defense. Consequently, the legality of Stuxnet and the potential for repercussions hinges upon whether or not Stuxnet can be interpreted as self-defense. 

Iran’s nuclear program is constantly greeted with suspicion. Although the regime claims to be developing nuclear technology for peaceful purposes, this does not always seem to be the case. Alarms continue to sound when Iranian President Mahmoud Ahmadinejad openly attends anti-Zionist conferences and makes incendiary statements about the destruction of Israel.    

Considering the erratic behavior of Iran’s leadership, it seems possible that Israel was, indeed, acting in self-defense if the Jewish state is, in fact, responsible for orchestrating the 2009 attack.

However, the potential for escalating conflict in this situation is endless as Stuxnet can also be interpreted as a preemptive strike rather than a defensive maneuver. If the former is true, Iran can legally wage a counterstrike on the guilty party. If the latter is true, those responsible for Stuxnet were justified in transmitting the worm.  

It seems pertinent to consider the following counterfactual. If a nuclear facility in Israel or the U.S. was significantly damaged by a cyberattack sourced from Iran, it is likely that there would be an immediate retaliation. Article 5 of the NATO treaty requiring member states to aid allies when under attack might even be invoked.

This evaluation of Stuxnet highlights many of the most glaring problems facing cybersecurity. Traditional borders prompted by The Peace of Westphalia are becoming obsolete, state sovereignty is continually questioned as transnational actors become more prominent, and the creation of manuals, such as The Tallinn Manual, legalizes conventional military action against those responsible for unconventional attacks.