The Stuxnet computer worm that damaged Iranian nuclear facilities – widely suspected to be an Israeli or even U.S. covert action – was a model of a responsibly conducted cyber-attack, said the top lawyer for the U.S. military’s Cyber Command, Air Force Col. Gary Brown. By contrast, the Chinese stance, which holds that the international law of armed conflict does not apply in cyberspace, opens the door for indiscriminate online actions launched with less concern for collateral damage than was evident in Stuxnet, he warned, while a joint Russo-Chinese proposal for international collaboration on cyber-security could potentially threaten free speech. Brown emphasized that his remarks represented his own opinion and that he was not speaking for the U.S. government, but they still open a window into the thinking of an influential official on the cutting edge of policymaking on cyber war.

At a small gathering of students and faculty at Georgetown University, hosted by former CIA lawyer Catherine Lotrionte, Col. Brown hastened to Stuxnet’s defense when this reporter raised the possibility of the worm having damaged systems outside Iran. The way Stuxnet was designed, “it looked like lawyers had been involved, because it was set to do no damage until it saw a very precise set of circumstances that doesn’t exist anywhere except in Iran,” said Brown, who has written on the legal ramifications of Stuxnet. “Also,” he added, “it was set to expire,” erasing itself from every infected machine this coming June 24^th. Both those attributes suggest a conscientious effort to limit the online equivalent of “collateral damage,” a particularly crucial concern when releasing a worm or virus to replicate itself across the internet, whose omnipresent connectivity means an attack aimed at a legitimate military target in one country can easily spread out of control to innocent civilian systems around the world. “Your normal terrorist or criminal doesn’t care about what collateral damage happens,” Brown said. Keep reading →