Malware as Incipient Armed Attack, Malware as Preparation of the (Cyber) Battlefield

Robert Chesney
Friday, September 24, 2010, 3:23 AM

Published by The Lawfare Institute
in Cooperation With
Brookings

Stewart Baker draws attention to a very interesting story involving a piece of malware known as Stuxnet.  Stuxnet aims to penetrate SCADA systems (i.e., software enabling utilities to remotely monitor and manage facilities that generate and transmit electricity), and it may well have the capacity, once in place, to shut down critical safety systems, the loss of which could result in a significant kinetic impact.
I'm in no position to judge whether all that is correct.  But from a classroom perspective, this is one heck of an interesting fact pattern.  First, it has obvious utility for the ongoing debate regarding the status of various kinds of computer network operations in relation to the laws of war (see Jack's prior post linking to some key recent papers relating in various ways to this topic).  Does the deployment of Stuxnet constitute an armed attack, for example, bearing in mind the incipient nature of the threat it presents?
The Stuxnet fact pattern is also fascinating, moreover, if we assume for the sake of argument that it or something akin to it were to be deployed by the United States government.  In my national security law course, we spend a fair amount of time parsing the statutory framework relating to Congressional oversight of covert action, and we focus in particular on the exception to that framework associated with "traditional military activities" and the possible relationship of that phrase to other concepts (especially the idea of preparation of the battlefield).  It is my favorite example of the way in which legal frameworks tend to employ categorical distinctions that do not necessarily maintain separation from one another on close inspection...and it seems to me that the Stuxnet fact pattern will be a very useful way to help students understand just how difficult it can be to work with these particular categorical distinctions in the cyber arena.  One need only tweak the fact pattern a few times in sequence, positing various intended targets and, especially, various U.S. government entities as the sponsor of the operation.

Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.
