The Stuxnet computer worm that damaged Iranian nuclear facilities – widely suspected to be an Israeli or even U.S. covert action – was a model of a responsibly conducted cyber-attack, said the top lawyer for the U.S. military’s Cyber Command, Air Force Col. Gary Brown. By contrast, the Chinese stance, which holds that the international law of armed conflict does not apply in cyberspace, opens the door for indiscriminate online actions launched with less concern for collateral damage than was evident in Stuxnet, he warned, while a joint Russo-Chinese proposal for international collaboration on cyber-security could potentially threaten free speech. Brown emphasized that his remarks represented his own opinion and that he was not speaking for the U.S. government, but they still open a window into the thinking of an influential official on the cutting edge of policymaking on cyber war.
At a small gathering of students and faculty at Georgetown University, hosted by former CIA lawyer Catherine Lotrionte, Col. Brown hastened to Stuxnet’s defense when this reporter raised the possibility of the worm having damaged systems outside Iran. The way Stuxnet was designed, “it looked like lawyers had been involved, because it was set to do no damage until it saw a very precise set of circumstances that doesn’t exist anywhere except in Iran,” said Brown, who has written on the legal ramifications of Stuxnet. “Also,” he added, “it was set to expire,” erasing itself from every infected machine this coming June 24th. Both those attributes suggest a conscientious effort to limit the online equivalent of “collateral damage,” a particularly crucial concern when releasing a worm or virus to replicate itself across the internet, whose omnipresent connectivity means an attack aimed at a legitimate military target in one country can easily spread out of control to innocent civilian systems around the world. “Your normal terrorist or criminal doesn’t care about what collateral damage happens,” Brown said.
None of this means Stuxnet didn’t constitute a “cyber attack,” Col. Brown said, although he noted as a lawyer that that’s a notoriously ill-defined term. The worm “destroyed maybe a thousand pieces of pretty sophisticated equipment being used by the Iranian government,” he noted. “That physical damage is something that most people who study international law would say rises to a ‘use of force,’” he said. From a common-sense perspective, he added, “it’s really hard for me to get my head around the idea that something that breaks things isn’t ‘an attack.’”
But, Brown hastened to add, “it might be justified,” for example as an act of self-defense under international law. (Another government official at the event went even further, suggesting taking such action against the Iranian nuclear program is positively required under international law, since the United Nations has identified the program as a potential threat to peace). What is critical is to apply the same tests of just cause, proportional response, and so on to a cyber-attack as to a conventional military strike, emphasized Brown, who in 2008-2009 served as the chief lawyer for the Combined Air Operations Center that runs air operations over Afghanistan and Iraq. “Before we would take action in cyberspace we would look at everything that’s connected to that system,” he said, “I think the activities we contemplate taking on the internet are very thought out and very precise.”
By contrast, when China and other countries argue that the “law of armed conflict” does not apply to cyberspace, they implicitly set aside the legal obligation to do due diligence on collateral damage – among many other restrictions. “They could be looking to insure that actions that are currently considered to be ‘espionage’ aren’t pushed under the law of armed conflict,” Brown speculated. “Espionage has no rules, so it’s a lawless regime….That’s not true under the law of armed conflict, although the enforcement mechanism is somewhat lacking.”
Meanwhile, the rules that China and Russia have jointly proposed for cyberspace raise serious concerns for the United States, Brown said, echoing comments by other U.S. officials. The proposed “International Code of Conduct for Information Security,” also sponsored by Tajikistan and Uzbekistan, was put before the United Nations last fall. “Mostly, when you read through it, you’ll think it sounds pretty good,” said Brown. “The thing that makes me uncomfortable with the proposal [is that] essentially they treat ‘information’ as a separate category, as an area of national sovereignty…. [For example,] if Google wanted to go to China and make ways for Chinese folks to get around the firewall, the ‘Great Firewall,’ so they could communicate freely with the rest of the world, they would consider this an aggressive action [under the proposed pact] because ‘information’ is part of national sovereignty.”
That’s not where the United States wants to go, Brown said. As much as America wants to build defenses against online threats, its priority has to be “first, do no harm” to freedom of speech.