2-2: On Stuxnet and Cyberwar

In their recent ‘Survival’ journal article, James Farwell and Rafal Rohozinski offer a detailed summary of the Stuxnet 2010 incident and go over what this suggests about the future of global cyber warfare in general. Clearly a means of conflict likely to be used increasingly more often in the foreseeable coming times, the two experts focus on how cyber conflict presents two major inherent differences from conventional warfare:

  • For one, it is very hard to trace the authors behind an attack. Therefore, culpability is hard to prove.
  • Secondly, it causes very little, if any at all, harm to civilians.

These two distinctive features currently make for a rather interesting dynamic since most valid international treaties predate the advent of computers, and thus do not consider something that causes no physical damage an ‘aggression’. This gray area currently offers governments the chance to act basically without any interference from international organizations or other countries. Obviously, many people believe this must change soon as cyber warfare cannot be ignored any longer, but how should one go about regulating this new means of conflict? Where does one trace the line exactly?

Simply put, there are no clear answers. Traceability being a big issue, one would have to pretty much forgo the distinction between lonely hacker and government-mandated attacks and, in most cases, also the certainty of the identity of the attacker. Yet, I imagine most people would agree on the fact that, for instance, a US citizen who is simply suspected of hacking the national Defense systems does not really merit the same punishment one would impose on a culpable hostile nation (also, most countries adhere to the legal presumption of innocence principle). Furthermore, if one opted for regulation, he would have to quantify the damage to ensure that proportionality in the response is respected. But again, how can we objectively quantify the damage brought about by a worm or a virus? It is nowhere near as easy as having to count physical damages.

Given all of these considerations, one cannot help but ask: is future regulation really advantageous in the end? Or would all the subsequent red tape and general legal ambiguity be more counterproductive than helpful? If so, just how exactly should we go about it without infringing on established constitutional and international rights? — Tommaso