Step one of the analysis is to assign a value to each of the consequence commonalities, and, in assessing those, I will rely on Ralph Langer's description of the operation, as linked from the previous post. Lacking experience to distinguish subtle gradations within the full ten-point scale, I will value each from "low" to "high." Also, due to the sophisticated and subtle activity of the code, many of the values may be differently characterized. Moreover, a separate assessment may be warranted for each of the software components, the "dropper" and the "payload": a small digital warhead designed to disrupt centrifuge rotor controls, and a big digital warhead designed to manipulate centrifuge valves, with the same goal of centrifuge destruction.
1) Severity - “Armed attacks threaten physical injury or destruction of property to a much greater degree than other forms of coercion.”
The Stuxnet virus, the payload of which sought to slowly degrade centrifuge performance in an Iranian uranium-enrichment plant to the point of physical destruction, rates high for severity. (The dropper alone would probably rate a low here, but so would the bomber considered in isolation from its payload).
2) Immediacy - “The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly. Thus, the opportunity for the target state or the international community to seek peaceful accommodation is hampered in the former case.”
This operation would appear to rate low on the immediacy scale in light of both the dropper's patient, circumspect method of infection of the targeted controllers, and the payload's effect on centrifuge performance, designed, according to Langer, to be slow, and erratic: "The goal of the attack was to do it slowly and creepy, obviously in an effort to drive maintenance engineers crazy, that they would not be able to figure this out quickly."
On the other hand, it is not clear that disruption of the enrichment program through virus-engineered mechanical failure was anything but a foregone conclusion - notwithstanding its slow mechanism of action - from the moment the controllers were first infected. Or earlier: In light of the dropper's careful targeting of the specific centrifuge controllers, and its inexorable operation once released into the "wild," the outcome may have been sure. Certainly, nothing has indicated that its creators could recall it, should they have wanted to.
Furthermore, the immediacy of consequence described above is intended to distinguish acts of warlike character from other, less immediate, means of resolution, diplomatic coercion or peaceful accommodation. However, international diplomatic and economic sanctions have been ongoing for a decade in the case of the nuclear program attributed to Iran. That is the backdrop against which the state or states that developed and deployed Stuxnet did so, in parallel with their use of other means. Could they have disabled or recalled the code if diplomatic efforts had satisfactorily prevailed during the interim between its sponsors' release of Stuxnet and Stuxnet's disruption of the centrifuges was realized? (The question may be nonsensical insofar as any resolution satisfactory to the code's presumptive sponsors would necessarily include Iran's forebearance from operating the targeted centrifuges and appurtenant infrastructure, thereby precluding operation of Stuxnet.
Finally, we must presume that the designers of Stuxnet designed it with the international treaty framework, and the discourse in which Schmitt offered his analysis (and in which it has since been developing), in mind, that the activity of the malicious code was not, to some degree, designed to behave as it did specifically in order to seem less warlike under international legal analytic rubrics such as the one at hand. I don't know what we can conclude from that speculation, but it seems reasonable to believe some feedback exists.
Overall, due to the various indeterminacies alluded to above, Stuxnet rates low for immediacy, with a high margin of error and a suspicious and borderline paranoid grain of salt.
3) Directness - “The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.”
It is hard to be sure what precisely the actus reus is in this case. Overall, Stuxnet seems to have been precisely engineered to be as circumspect and indirect as possible, while still infecting the targeted controllers (and only the targeted controllers) and very slowly and indirectly disabling the centrifuge program.
The actus reus may be characterized as the development of the malicious code, as its release into the wild (with knowledge of its design, target and intended consequences), or as the degrading and destructive effects of its payload on the targeted systems. All three of these are required for the realization of its designers' intended outcome; indeed, the payload's delivery to the target also would seem to have depended on "numerous contributory factors," as all network activity does. (How a computer network attack could ever rate high in light of networks themselves comprising "numerous contributory factors" is beyond me; nevertheless, Schmitt developed the analysis with network attack in mind).
So, I find this one to be simultaneously low and high.
4) Invasiveness - “In armed coercion, the act causing the harm usually crosses into the target state . . . represent[ing] a great[] intrusion on the rights of the target state. . . .”
Highly invasive: A significant amount of its infiltration and all of its reported destructive activity occurred in Iran.
5) Measurability - "While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure.”
With a true and relaible accounting of the Natanz enrichment program's inputs and outputs over the program's period of operation the results should be measurable. Wikipedia summarized citations of interruption of enrichment activities, diminished productivity, large-scale replacement of centrifuges and "a serious nuclear accident," from Haaretz, the Economist, der Spiegel, Wikileaks, and the Institute for Science and International Security.
An ISIS report concludes:
If its goal was to quickly destroy all the centrifuges in the FEP, Stuxnet failed. But if the goal was to destroy a more limited number of centrifuges and set back Iran’s progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily.Either way, its effects would appear to be somewhat more measurable than the results of diplomacy or sanctions.
6) Presumptive Legitimacy - “[T]he application of violence is deemed illegitimate absent some specific exception such as self-defense. . . . By contrast, most other forms of coercion . . . are presumptively lawful, absent a prohibition. . . . [T]he consequences of armed coercion are presumptively impermissible, whereas those of other coercive acts are not. . . .”
I am not sure that I understand this category, but am sure that destructive sabotage of a state's national institutions and resources - particularly rising to the level of "nuclear accident" - is not presumptively lawful. Stuxnet, as agent of sabotage, would rate low in terms of what I can understand presumptive legitimacy to signify, but high on a scale of warlike-ness.
7) Responsibility - “Armed coercion is the exclusive province of states. . . . [N]on-governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.). . . . In sum, the consequences of armed coercion are more susceptible to being charged to the State actor than in the case of other forms of coercion.”
We do not know who created and released Stuxnet. There are reports of varying credibility, at the top of which I find those security researchers who publicly reason from the innovative form and insidious function - from the level of sophistication - of the malicious code that it must have been created by "the cyber-superpower" in concert with other state actors.
Worm and virus creation and deployment is not the exclusive province of states in historical practice to date. Only a state or states could attempt to make such activity legitimate for certain restricted circumstances. Moreover, again, destructive sabotage of the national resources and institutions of a state, by whatever means, is highly warlike, and so the exclusive province of states, if ever legitimate.
Thus, with three "highs," a "mid/high," two "low/highs," and a "low/mid," the Stuxnet worm would score in the range from middle (three highs, three lows and a middle) to high (six highs and a middle) by my application of the principle Schmitt analysis, suggesting that the development and deployment of the malicious code was a borderline case tending toward an act of war. Certainly those factors may be characterized otherwise by others, and, if the security experts are correct, they were by the cybernatsec lawyers of the organizations whose creation of Stuxnet was sponsored by suspect states during the design phase.
I know too little to attempt the secondary Schmitt analysis, which would call for substantial additional research (above and beyond all the additional research I might/should have conducted to develop sufficient background to attempt the foregoing, but didn't), as well as access to a class of classified mind (and information) that, as far as I know, I rarely encounter.