It’s becoming clear that, as the New York Times’ Julian E. Barnes puts it, United States cyber operations against Iran are taking place in what is “an undeclared cyberconflict, one carefully calibrated to remain in the gray zone between war and peace.” But has the United States, with a cyber operation against Iran in June and another in late September, already crossed the line that international law draws around “uses of force”? What may that mean for any future confrontations?
Tensions between the United States and Iran have been high for some time now. Last month’s attack on Saudi oil facilities, attributed to the Iranians by the United States and others, marked the latest escalation. On Wednesday, Reuters reported that the United States employed a cyber operation in response to that attack, targeting “physical hardware” central to Iran’s ability to spread “propaganda.” This news underlines the importance of cyber operations to maintaining the current U.S. administration’s delicate balancing act of responding to what it views as Iranian aggression, whilst avoiding an overt and direct confrontation. This latest report of a cyber operation, which the United States carried out in late September, follows the June 20 cyber operation conducted by the U.S. military in response to the downing by Iran of a U.S. drone. As the cycle of tit-for-tat continues, could the United States, in law if not in fact, have already gone too far?
What we know about the June strike: The reported facts
On June 20, the ongoing confrontation between the United States and Iran almost escalated into a shooting war. Air and naval attacks on Iranian missile and radar installations, in response to the shooting down of a U.S. Navy surveillance drone and in the wake of the alleged mining of Norwegian and Japanese tankers by the Iranian Revolutionary Guard Corps (IRGC), were cancelled at the eleventh hour. Nevertheless, an offensive operation of a different kind still went ahead. U.S. Cyber Command (CYBERCOM) carried out operations against Iranian targets, presumably at the same time as the aborted conventional strikes were ordered.
The cyber operations were reportedly aimed at an IRGC-affiliated cyber group that supported the tanker mining incident and that has allegedly been interfering with civilian and military ships and personnel passing through the Strait of Hormuz, for example, the British tanker “Stena Impero.”
From what is publicly known about the operation, it was “intended to take down the computers and networks used by the . . . group, at least temporarily.” It “wiped out a critical database” used by the IRGC to plan attacks against ships in the Gulf, leaving Iran attempting to restart the affected computer systems and recover the information lost. In this way it apparently “diminished Iran’s ability to conduct covert attacks.”
Did the June 20 US cyber operation cross the use of force threshold?
The New York Times cites a U.S. official who describes American cyber operations as “calibrated to stay well below the threshold of war.” But a more legally accurate way of framing this issue would be to question whether these operations stay below the use of force threshold. Article 2(4) of the U.N. Charter requires States to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” The Charter thus prohibits the threat or use of force by States, except where, broadly speaking, the defending State acts in self-defense, where the use of force is authorized by the United Nations Security Council under Chapter VII of the Charter, and where consent to use force is obtained from the territorial State. For now, let’s focus simply on whether the U.S. cyber operation against Iran constituted a use of force. The question whether it was legally justified may be best addressed when (or if) the facts surrounding this episode become clearer.
[Editor’s note: For more on the use of force framework, see Claus Kress’ “On the Principle of Non-Use of Force in Current International Law.”]
There is no set definition of a use of force. Generally accepted examples of a use of force include training and arming guerrilla forces fighting in another State, or placing mines in the harbors of another State. In the context of cyberspace, an operation is most likely to constitute a use of force if it is equivalent, or at least comparable, in scale and effects to a non-cyber or conventional use of force. Therefore, a cyber intrusion causing damage equivalent to an airstrike on a military installation of another State, for example, would amount to a use of force.
How can one tell whether a cyber operation is equivalent to a conventional use of force? According to the group of experts convened to produce the Tallinn Manual 2.0, cyber operations are most likely to constitute a use of force if they result in physical harm to individuals or property (at page 334). If a cyber operation does not cause physical damage, it may nevertheless be comparable to a conventional use of force depending on a number of non-exhaustive factors, according to the Tallinn Manual 2.0. These factors include severity, directness, immediacy, invasiveness and measurability of effects (at page 334-336). This factors-based approach has received notable endorsements from some of the most cyber-capable States, such as the United States, and most recently, France and the Netherlands. Notably, France appears to go a step further by de-centering the physical harm requirement in favor of applying the Tallinn Manual-type factors on a case by case basis. As Mike Schmitt explained at Just Security, France also posits, as an example of a cyber use of force, “operations that penetrate military systems to weaken … defensive capabilities.” Although not directly analogous, that certainly comes close to describing the U.S. cyber operation against Iran in June of this year.
A complete account of the effects caused by the U.S. operation has not yet, and may never be, publicly available. Moreover, much of how international law applies to cyberspace is itself in a state of flux. Nevertheless, were one to take the above use of force factors and the latest expressions of opinio juris to reflect the law as it is, there is good reason to conclude the United States may have crossed the use of force threshold with this cyber operation.
The operation in question likely exploited unpatched vulnerabilities in software to purge the Iranian cyber group’s shipping targets database and to take down “critical communications systems.” In the case of the shipping targets database, it is unclear whether the deletion of data is the equivalent of physical damage inflicted upon an object by a conventional use of force. This is because data deletion generally does not produce the kind of tangible effect envisaged by the rules governing the use of force. However, if data is destroyed such that critical infrastructure is taken down, such as the computer systems upon which a State’s financial system depends, that, in the view of some States (France and the Netherlands are arguably examples) would amount to a use of force. It is unlikely that the effects the U.S. operation in question caused were that extreme. Nevertheless, in the case of the IRGC’s “critical communications systems” the operation seemingly had tangible damaging effects on their computer hardware. According to the New York Times’ report on Aug. 28, Iran was “still trying to repair critical communications systems.” It thus appears that, for at least two months after the operation the computer systems targeted were rendered inoperable. Indeed, it is possible such damage may still be ongoing.
There is good reason to conclude the United States may have crossed the use of force threshold with this cyber operation.
Applying the multi-factor approach to determining a use of force, therefore, the operation was arguably sufficiently severe, and its effects clear enough, to constitute a use of force. It was, one may reasonably speculate, highly invasive given that it targeted the systems of a secretive IRGC military system. Its directness is evident: it was solely responsible for affecting the Iranian computer systems in question. It was a military operation, and it was targeted at adversary military systems. The operations effects were immediate and, of great legal significance, long-term in duration. Were those effects more transient, the operation may have been more capable of escaping characterization as a use of force: indeed, one may suspect that this is why it was “always designed to be temporary” in its effects. But the fact that those effects “lasted longer than expected,” in conjunction with the balance of the other use of force factors, tend to cast the operation as a use of force.
Does it matter that the United States did not intend the operation to have a long-term effect or cross the use of force threshold more generally? A definitive answer to this question is difficult to identify. On the one hand, traditionally, intention has been a factor considered when determining whether a conventional, kinetic operation amounts to a use of force, as well as whether it is also sufficiently serious to cross the higher threshold of an armed attack within the meaning of article 51 of the Charter, that is, whether a use of force is serious enough to engage the victim state’s entitlement to respond with force in self-defense. This concept is most notably reflected in the jurisprudence of the International Court of Justice (for example, the Oil Platforms case, at para. 64). In the context of cyberspace, the United Kingdom as well as the United States also appear to consider intentional harm to be a factor in favor of finding that a cyber activity constitutes a use of force. That said, there are those, namely the majority of experts in both volumes of the Tallinn Manual, who maintain that “intention is irrelevant in qualifying a [cyber] operation as an armed attack,” and therefore by inference irrelevant when evaluating whether a cyber operation is a use of force, and that “only the scale and effects” of a cyber operation matter (Tallinn Manual 2.0 at page 343-344, and Tallinn Manual 1.0 at Section 2: Self-Defense, para. 11). Given such equivocal guidance, it is difficult to evaluate the legal significance of the United States’ alleged intention to avoid long-term effects or cross the use of force threshold.
That brings us to the latest reported cyber strike by the United States. The Reuters reporting provides scant information to say much about the strike’s legal dimensions. It is unclear what is meant by the report that the operation “took aim at Tehran’s ability to spread ‘propaganda.’” But, unlike an operation purely against data, this operation reportedly “affected physical hardware,” which makes it more likely to qualify as a use of force. Reuters also suggests that this operation “appears more limited” than the June 20 strike. Although in the realm of speculation, that may mean that this more recent operation targeted computer systems of less importance than the critical communications and military systems affected by the June strike. Nevertheless, it is advisable to revisit whether the September operation crossed the use of force threshold only after more information about it surfaces.
Why does it matter whether or not these operations crossed the use of force threshold? The answer to this question is simple: It may signal that the stakes are rising even higher in this unfolding U.S.-Iran confrontation. Perhaps this is a risk CYBERCOM is willing to accept, or even an outcome it intended to achieve, in order to demonstrate American strength and resolve, and to deter Iran from what the United States would consider to be further aggression. But it is not without its consequences. For example, if we assume: first, that the drone shootdown did not necessarily entail an unlawful use of force, and that second, that the U.S. cyber operation employed in response was a use of force, the Iranians may have felt even more emboldened to match the United States’ escalation with an escalation of their own. The fact that the effects of the United States’ June 20 cyber operation have continued to manifest themselves over time, not to mention whatever effects the September cyber operation may have had, could provide hardly needed impetus for Iran to do so. As the cycle of hostilities continues, it is important to reflect back on which instances may have either clearly crossed the use of force threshold (e.g., the attack on the Saudi oil facility) or been reasonably perceived by the other side to have done so.