Stuxnet, 'Schmitt Analysis,' and the Cyber 'Use of Force' Debate   [open pdf - 3MB]

From the abstract: "One of the many vexing issues surrounding cyberspace involves whether peacetime cyber operations can constitute a prohibited use of force under Article 2(4) of the U.N. Charter. Among the analytic frameworks developed to address this issue, one of the most enduring is the so-called 'Schmitt Analysis.' It is also the only model that purports to adhere to preexisting legal norms, including Article 2(4). The framework consists of seven factors that states are likely to consider when characterizing cyber attacks--severity, immediacy, directness, invasiveness, measurability, presumptive legitimacy, and responsibility. When the framework first debuted in 1999, however, there were few clear examples of state cyber coercion and the prospect of cyber-induced physical damage was largely theoretical. In light of several recent instances of suspected state cyber coercion--culminating in damage to Iranian nuclear facilities by the Stuxnet worm--it is now worth evaluating the framework's continued utility. A Schmitt Analysis of Stuxnet suggests the framework's underlying analytical approach remains sound--i.e., to discern a cyber 'use of force' threshold, one must predict how states will characterize cyber attacks. That said, Stuxnet reveals several limitations with the model, as well as opportunities to broaden it. Most importantly, it may be time to relax the model's strict adherence to Article 2(4), which was intended to provide more objective and predictable characterizations of force in cyberspace. In actuality, Article 2(4) has been a weak constraint on cyber coercion and it appears to be just one of many factors states will consider. Such additional factors reflect the new realities of cyberspace, such as cyber's potentially devastating effects, the non-traditional distribution of cyber capabilities and vulnerabilities, and the international community's response to events like Stuxnet. Consequently, until new norms emerge, cyber professionals must be prepared to operate in an ambiguous and contested legal environment."

Public Domain
Retrieved From:
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/
Media Type:
Help with citations