Stuxnet: State Jurisdiction and Cyberspace

Evangelia Linaki, University of Leiden

To begin with, imagine a nuclear power plant composed of a vast number of centrifuges used for the enrichment of uranium being attacked by a missile. It is fairly easy for someone to play out the scene of what would happen immediately after the attack. What would happen, however, were the same nuclear power plant to be targeted by an electronic worm? There is no need to speculate on that, since in 2010 Stuxnet – the most sophisticated worm ever built – hit the nuclear power plant in Natanz, Iran.  This seems to be a case in which technological advancement has crept up on most of us unawares with regard to what mankind can do with the use of a computer and on the virtual dimension. At the same time, though, technology has long been testing several fields of Public International Law, including the notion of State jurisdiction. Thus, it will be interesting to see in the next lines whether Iran would have jurisdiction over the persons who launched the abovementioned worm.

Factual Background

In 2010 an unprecedented cyber operation took place against Iran’s nuclear power plant with the deployment of a worm called Stuxnet. Stuxnet constitutes a unique piece of malware, due to its never-seen-before structure and features ((Shearer, Jarrad, W32.Stuxnet, available at (accessed 20/12/2012).)). What is unique about Stuxnet is that it can be activated only when a number of specific circumstances are present and its objectives are more than explicit: on the one hand, it instructs uranium centrifuges to run at a different pace, a fact which damages the centrifuges themselves and the process of uranium enrichment, and, on the other hand, it sends false signals that the system works properly through the usage of certificates of two widely known companies ((For more details see Richmond, Jeremy, Evolving Battlefields: Does Stuxnet Demonstrate a Need For Modifications to the Law of Armed Conflict?, 35 Fordham International Law Journal 613, at 849-852 (2012).)). It should be mentioned that it is uncertain whether this worm was launched via the Internet or transmitted through a USB stick or any other removable device, whereas there is no consensus as to the damage caused. However, it is estimated that around 1000 centrifuges were destroyed and needed to be replaced ((Broad, William J. et al., Israeli Test on Worm Called Crucial in Iran Nuclear Delay, The New York Times, 15 January 2011, available at (accessed 20/12/2012).)). As for the perpetrators, several clues, such as the time and resources needed for such a complex worm to be created ((Stahl, Julie, Cyber Warfare Against Iran? Worm May be First Strike, CBN News, 14 October 2010, available at (accessed 20/12/2012).))and statements of State officials ((Lappin, Yaakov, Barak: Israel won’t outsource its security to anyone, The Jerusalem Post, 31 October 2012, available at and Sanger, David E., Obama Order Sped Up Wave of Cyberattacks Against Iran, The New York Times, 1 June 2012, available at (both accessed 20/12/2012).)), did point to the US and Israel as the ones responsible for the attack. However, it now seems to be almost certain that the abovementioned States were responsible for this incident ((Lubold, Gordon, Obama’s Favorite General Stripped of His Security Clearance, Foreign Policy, 24 September 2013, available at (accessed 12/10/2013).)).

Jurisdiction in Public International Law

In 1968, a Model Plan Classification of Documents concerning State Practice in the Field of Public International Law was produced by the Council of Europe and treated, among others, the issues of Personal Jurisdiction of the State and State Territory and Territorial Jurisdiction ((Evans, Malcolm D., International Law, at 315 (2010) and Council of Europe Resolution (68) 17, dated 28 June 1968.)). According to the 1997 revised Model Plan and Part Eight dedicated to State Jurisdiction, there are three recognized types of jurisdiction ((Council of Europe Recommendation  No. R (97) 11, dated 12 June 1997, at 64.)):

  1. Jurisdiction to prescribe or legislative jurisdiction, namely to whom a State can extend its laws ((See Evans, supra note 7, at 318.)).
  2. Jurisdiction to enforce which is related to the capacity of a State to compel compliance or enforce punishment ((Wilske, Stephan, Schiller, Teresa, International Jurisdiction in Cyberspace: Which States May Regulate the Internet?, 50 Federal Communications Law Journal 117, at 171 (1997).)).
  3. Jurisdiction to adjudicate which refers to the right of a State’s courts to receive and try cases, as well as deliver judgments upon these cases ((See id., at 144-145 and Evans, supra note 7, at 317.)).

It should be pointed out that the last two types of jurisdiction do not usually exist if the jurisdiction to prescribe has not been established ((See id. Wilske and Schiller, at 145 and 171.)).

However, one would reasonably wonder how it can be established that a State has the right to exercise its jurisdiction? According to the 1997 revised Model Plan, the widely accepted bases of jurisdiction consist of ((See CoE Recommendation, supra note 8.)):

  1. Territoriality
  2. Nationality
  3. Protective principle
  4. Universality
  5. Other bases

Stuxnet and Iranian Jurisdiction

As a first step, it has to be highlighted that the analysis to follow will focus on whether Iran would have jurisdiction to prescribe, enforce or adjudicate under the principles of territoriality, nationality, universality and the protective principle. Such jurisdiction would be exercised upon individuals and, thus, no reference or speculation will be made upon State involvement. That is due to the fact that the very purpose and reasons of existence of the notion of jurisdiction itself refer to the extent to which a State can regulate the conduct of persons ((See Evans, supra note 7, at 313.)). In any other case, were a State to be found involved and responsible, this would lead to a dispute between States, the triggering of the mechanism of settlement of disputes between States and the invocation of State responsibility.


This principle is strictly interrelated to the right of a State to be sovereign over its territory, which in turn consists of its land and sea territory, as well as the airspace above this land and sea territory ((See id., at 320.)). What is important is that a State’s laws are wholly applied throughout its territory ((See id., at 321.))and, as it was recognised by the Permanent Court of International Justice in the Lotus case, “the first and foremost restriction imposed by international law upon a State is that […] it may not exercise its power in any form in the territory of another State ((The Case of the S.S. “Lotus”, Judgment No. 9, PCIJ, Series A, No. 10, at 18-19 (1927).)).” It should also be mentioned that two relevant notions have emerged within the notion of territoriality ((See Evans, supra note 7, at 321)):

  1. Subjective territorial jurisdiction (the State can exercise its jurisdiction with regard to incidents that were initiated within its own territory but completed outside its borders)
  2. Objective territorial jurisdiction (the State can exercise its jurisdiction with regard to incidents initiated elsewhere but completed within its own territory).

With regard to Stuxnet, it is undisputable that the nuclear power plant is situated on Iranian territory and the effects of the cyber incident were produced on Iranian soil. In this case, one could assume that, if the perpetrator (i.e. a person transmitting the worm through a removable device) were found on Iranian territory, regardless of his nationality, Iran would have the jurisdiction both to extend its laws to that person and enforce them, even by conducting investigation and ultimately arresting the person. On the other hand, had the perpetrator launched the worm outside Iran, and then the Iranian jurisdiction could be established under the concept of the objective territorial jurisdiction. The Stuxnet case seems to resemble that of a terrorist attack, during which the bomb is usually planted on an airplane on the territory of State A but it explodes in the territory of State B. Therefore, it could be easily argued that, since the worm was launched outside Iranian territory and the damage was experienced in Iran and in the real world, the objective territorial jurisdiction of Iran is established.


This principle refers to the extension of a State’s laws to those persons that hold this State’s nationality, regardless of the place where they might be. It is also important to point out that it is up to the State to lay down the conditions according to which nationality is granted ((Constitution of Maritime Safety Committee of the Inter-Governmental Maritime Consultative Organization, Advisory Opinion, ICJ Reports 1969, at 150))and that nationality can be established and become effective only when a genuine and close link between the person and the State exists ((Nottebohm, Second Phase, Judgment, ICJ Reports 1955, at 4.)).

With regard to the given case, there are two scenarios that can be followed under the principle of nationality: the person responsible for the launching of the worm either was an Iranian national or he was not. The second case seems to be straightforward, as a non-Iranian national would not be subject to Iranian laws and jurisdiction. If, however, he holds the Iranian nationality, then Iran would be entitled to exercise its jurisdiction over this person with no obstacles in the case in which this individual is located within Iranian territory. However, the situation would not be so simple in case this person was located outside Iranian territory. Under the nationality principle, a State can in theory exercise its jurisdiction over its nationals but, once they are found in foreign territory, the territorial principle comes into play. As mentioned above, the State can only exercise jurisdiction within its borders and not on the territory of a foreign State. Thus, in the given scenario, it would need to acquire the prior consent of the foreign State to apply its laws extraterritorially or require the extradition of the individual.


The principle of universality refers to the capacity of all States to exercise their jurisdiction over certain heinous crimes, which it is in the interest of the entire international community to repress and address ((See Evans, supra note 7, at 326)). Although there is not a full list of such crimes upon which universal jurisdiction could be exercised, genocide, crimes against humanity, war crimes and even piracy (which might otherwise not be addressed and suppressed) constitute some tangible examples ((See id.)). In the given case, none of the abovementioned crimes is present but, nevertheless, one could put forward the question of whether the possibility of an explosion of the nuclear power plant, which would be equated with a nuclear incident, could constitute a heinous crime. It is, though, not the purpose of this paper to explore whether such incident could be considered as a heinous crime.

Protective Principle

This principle is invoked and justifies the exercise of jurisdiction on the part of a State whenever its vital interests are in jeopardy ((See id., at 325)). According to this principle, a State could exercise jurisdiction even in the case in which non-nationals of that State acting outside its territory are responsible for a situation threatening its vital interests ((See id., at 326.)). The term “vital interests” has not been defined and no list of such interests can be found. Within this framework, once again one could pose the question of whether Iran could invoke such principle in order to protect the vital interest of citizens against destruction, environmental degradation and pollution and health deterioration in case the Stuxnet incident had led to lethal consequences.

Concluding remarks

Technology and cyberspace have at a large scale raised questions with regard to many an issue in Public International Law and especially State jurisdiction. The Stuxnet case is a very useful example not only of what technology is capable of achieving but, most importantly, it is a cyber incident which resulted in tangible consequences in the real world. Therefore, it serves as a perfect example which combines the virtual and the real dimension. At first sight, it does not seem to pose serious threats to the notion of jurisdiction. However, one should not be misled by such fact, but, instead, be reminded that the identity of the individual perpetrators is not known. Such fact in turn renders the problem of attribution even more acute, as the virtual world constitutes the best place for anonymity and without the identity of the perpetrator any kind of attempt of exercise of jurisdiction becomes impossible or even the substance of this notion is put under serious question and doubt as to its adequate capability to accommodate and respond to the new challenges.