On June 17, 2010 a small antivirus company established in Belarus discovered the Stuxnet worm. Later research would reveal that an earlier variant of the worm existed at least a year earlier. Stuxnet reputedly caused the physical degradation of some 1000 centrifuges at the Natanz facility in Iran, based on data of the International Atomic Energy Agency (IAEA) . While the identity of the perpetrators is still unknown almost two years later, some have suggested nation-state involvement due to the sophistication of the malware. The heavily hardened Natanz facility was built to withstand “bunker buster” bomb attacks, but apparently not cyber-attacks. The incident, involving a sophisticated cyber “weapon,” has created new impetus for examining the law of armed conflict in cyberspace.
On the 5th of February of this year, several senior government officials, including Secretary of State Hillary Clinton, Prime Minister David Cameron, Chancellor Angela Merkel and others, participated in the 47th Munich Security Conference to address, among other issues, how the Geneva and Hague Conventions should be applied in cyberspace. A joint US-Russian bilateral document presented at the conference offered recommendations in five key areas:
1. Detangling Protected Entities in Cyberspace
2. Application of the Distinctive Geneva Emblem Concept in Cyberspace
3. Recognizing New Non-State Actor and Netizen Power Stature
4. Consideration of the Geneva Protocol Principles for Cyber Weaponry
5. Examination of a Third, ‘Other-Than-War’ Mode
This paper will examine the merits and challenges of each recommendation.
Additionally, the paper will address the overarching challenge of attribution in cyberspace. As long as nations believe they can act anonymously refined rules of behavior may have little practical effect. Yet currently nation states can quite easily create plausible deniability in cyberspace by a variety of means, including discretely delegating the dirty work to sophisticated cybercrime organizations or bot herders, employing anonymizers, spoofing, and/or by using a wide variety of other obfuscation techniques. David Albright, Paul Brannan, and Christina Walrond, “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment,” ISIS, Dec. 22, 2010 (available at reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/).