Legally assessing the implications of the creation, installation and control of the Stuxnet worm is especially challenging because of the lack of detailed and reliable information relating to its origin and the physical effects it caused outside the targeted SCADA systems. The media reported that Stuxnet was the first “cyber-weapon” used and were speculating that intelligence operatives from certain States might have been the creators of the malware. Although a cui bono analysis can perfectly well point in the direction of entities that might have an interest in affecting Iran´s nuclear programme, it does not provide sufficient indices in legal terms to attribute the malicious cyber-activity to an individual, to a group of individuals or even to a State.
Further impeding the legal analysis, it remains unclear whether Stuxnet did indeed cause damage of a physical nature outside the targeted SCADA systems. Despite respective assertions by media reports and scientific analyses based on information available in media, it is not known whether Stuxnet did affect the physical integrity of IR-1 centrifuges or other components in Iran´s uranium enrichment plant at Natanz, the nuclear power plant at Bushehr or in other nuclear facilities. Iranian officials did not confirm any actual damage of a physical nature which had been caused by Stuxnet. Reports of the replacement of a remarkable number of centrifuges in the nuclear enrichment facility at Natanz do not provide evidence, in legal terms, of physical damage indirectly caused by Stuxnet either, as it was equally reported that Iran has faced numerous technical problems in recent years because of the poor quality of equipment used, especially in regard to an old centrifuge model which has been troubled by brea downs for years.
Therefore, this legal analysis of the creation, installation, control and effects of Stuxnet is based on assumptions, and only touches upon its potential national or international law implications.