Punching on the Edges of the Grey Zone: Iranian Cyber Threats and State Cyber Responses

Chatham House Report on Cyber Sovereignty and Non-Intervention – Helpful or Off Target?

The recent escalation in hostilities between the United States and Iran has raised intense debates about the propriety and legality of both parties’ uses of lethal force. These debates highlight the murky and dangerous terrain of grey-zone conflict, the attendant legal ambiguities, both domestic and international, and the risks inherent in aggressively pressing grey-zone strategies up to and across recognized lines set by the U.N. Charter.

Be those debates as they may, one thing seems clear. Despite the temporary pullback from open hostilities, Iran will continue to press its grey-zone strategy through asymmetric means, of which malicious cyber operations are likely to constitute a core component. The need to not just prepare for, but actively counter Iran’s ability to execute cyber operations is, as a result, squarely on the table. So too are the difficult questions of how international law applies in the current context and should inform U.S. options.

This reality provides an important backdrop to assessing Chatham House’s recent foray into the debate arena over how international law should govern cyber operations below the use-of-force threshold. In this article, I scrutinize Chatham House’s report on the international law rule of non-intervention and the principle of sovereignty.

Iran’s Strategic and Tactical Posture

The Iranian cyber threat is nothing new. Since at least 2012, Iran has employed near-continuous malicious cyber operations as a core component of its grey-zone strategy of confronting the United States. It has conducted operations ranging from multiple distributed denial of service (DDoS) salvos against US banks to destroying company data in an operation against the Sands Casino, not to mention a number of substantial operations directed against targets throughout the Middle East. Well before the current crisis, the US Intelligence Community identified Iran as a significant cyber threat actor with the capability and intention to at least cause localized, temporary disruptive effects, and assessed that it is actively “preparing for cyber attacks against the United States and our allies.” And as these assessments make clear, the Iranian threat is not limited to cyber effects operations against data and infrastructure. In true copycat fashion, Iran is also positioned to engage in online influence and election interference operations à la Russia.

Given this background, it is no surprise that many, like my colleague Paul Rosenzweig, have warned that hostile Iranian cyber operations are likely in the offing. The recent step back from the dangerous escalation of open hostilities that culminated in the strike on Soleimani and Iran’s retaliatory missile strike is at best a strategic pause, and more likely a return to the pre-existing, if not an escalated, grey zone conflict in which asymmetric cyber operations form a key component of Iran’s modus operandi. Indications are that Iran has stepped up its cyber reconnaissance activities since the strikes and some predict it may conduct a substantial cyber operation to exact revenge or send a message.

United States Strategy and Tactical Posture

And so although the threat is not new, it is now more acute and brings into sharp focus key aspects of the shift in U.S. cyber strategy over the last several years, with its emphasis on persistence and proaction—in particular the concepts of defending forward and persistent engagement. As these strategies and the Command Vision for U.S. Cyber Command make clear, addressing cyber threats such as the one emanating from Iran may require “defend[ing] forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”

As anyone with even a passing understanding of the strategic and operational environment of cyberspace knows, the effectiveness of counter-cyber operations will often depend on speed and surprise. Further, the ability to “[i]dentify, counter, disrupt, degrade, and deter” adversary cyber capabilities and operations will often require interaction with globally distributed, adversary owned or illicitly controlled infrastructure. From the perspective of international law, this implicates not only the rights and obligations of the two states involved, but potentially those of third-party states, for example, those in whose territory adversary-controlled infrastructure resides.

Orientation to International Law

Accounting for the nature of the threat and the particulars of the domain is essential to assessing how international law applies in the cyber context, especially to cyber operations conducted below the use-of-force threshold and how states are likely to approach these issues. In the final analysis, states and states alone are the authors of international law, and they will form views about how the law applies mindful of these realities; realities that will grow increasingly more challenging with the inevitable introduction to cyber arsenals of artificial intelligence, automation, and machine learning. Determining the legal basis for any specific operation aimed at countering or disrupting cyber threats is complex and highly fact specific, and in the absence of clear state practice and opinio juris, general claims to customary rules broadly proscribing states’ response options should be viewed with caution.

Chatham House’s Report and Recent State Pronouncements on International Law

With its recently released report titled, “The Application of International Law to Cyberspace: Sovereignty and Non-Intervention,” Chatham House has weighed in on important debates about how international law applies to states’ conduct of cyber operations below the threshold of a use of force and outside the context of armed conflict. Focusing on the principle of sovereignty and the rule of prohibited intervention, the report concludes with an overarching recommendation that, given conflicting state views over the normative status of the principle of sovereignty and uncertainties about how it applies in the cyber context, states are better off approaching the regulation of malicious cyber activities through the prism of the customary international law (CIL) prohibition on intervening in the internal affairs of another state.

To a certain extent, this is sound advice. The CIL foundations of the non-intervention rule are much firmer and the rule has the potential to address aspects of foreign influence efforts in ways that the purported sovereignty rule would not. Considering the unprecedented scope, scale, and depth of malicious foreign interference campaigns that cyber capabilities now enable, advocating against overly narrow articulations of the non-intervention rule has resonance. But ultimately the recommendation rests on the report’s argument that the rule of prohibited intervention is broader in scope than generally understood, and so it would do much of the same work as the sovereignty rule. However, it is unclear whether the report is arguing a good faith interpretation of existing law or urging states to evolve the rule of prohibited intervention to broaden its ambit in the cyber context. Ultimately, states will have to determine the best role the non-intervention rule can play in addressing foreign interference, and hence the rule’s acceptable parameters. At present, it is simply unclear.

The report’s preference for approaching the regulation of malicious cyber operations through the lens of prohibited intervention is also premised on the recognition that there is disagreement among states, at least those that have opined publicly, over the normative status of the sovereignty principle, and virtually no agreement as to a definable set of criteria for determining what cyber operations would run afoul of a professed sovereignty rule. As the report correctly notes, overstatements about the principle of sovereignty not only crash head on with the reality of ubiquitous state practice, but “as such could increase the risk of confrontation and escalation” since violations of international law give the affected state the right to take countermeasures—actions that are otherwise unlawful—in response.

Unfortunately, and in spite of acknowledging the divergence of states’ views on the sovereignty question, the Report throws its weight on the debate scale in favor of the sovereignty-as-a-rule camp. In this regard, its arguments are neither novel nor availing, and its effort to better define the internal content of a sovereignty rule adds little clarity.  More on that below, but first, a little more on the rule of prohibited intervention.

Prohibited Intervention

Russia’s ongoing and concerted campaign to interfere in the elections of numerous democratic states, sow dissension, and undermine democratic institutions more broadly is by now evident and has provided a blueprint for other states like Iran seeking to challenge the existing order and weaken Western democracies. The targets of these efforts have struggled to come up with effective responses, due in no small measure to the legal and policy ambiguities surrounding these sub-use-of-force, grey zone operations. States like Russia and Iran are not so much engaging in novel behavior as much as engaging in traditional, albeit adversarial statecraft through technologically new means and methods.  It is the qualitative and quantitative difference in impact that calls into question traditional understandings of the existing legal architecture.

That customary international law contains a prohibition against states intervening in the internal and external affairs of other states is not controversial. As evidenced by the 2015 UN GGE report and subsequent official statements from a growing number of states, it is generally accepted that this prohibition applies to states’ activities conducted in and through cyberspace. Like the U.N. Charter prohibition on the use of force, the non-intervention rule derives from the general principle of sovereignty and is intended to protect the same basic sovereign interests in states’ territorial integrity and political independence.

The rule is also of finite scope, prohibiting states from employing an ill-defined notion of “coercion” against an equally ill-defined set of core “sovereign prerogatives” of the targeted state to force a particular outcome. According to the International Court of Justice (ICJ), employing forcible measures such as direct military action or indirect support to an insurgency, actions that would also likely run afoul of Article 2(4) of the U.N. Charter, would violate the non-intervention rule.  In contrast, states can and routinely do seek to influence the sovereign decisions of other states through a variety of means, even if heavy handed like sanctions, that do not run afoul of international law.  Between these extremes, the standard lacks clarity, making it difficult to easily map to the cyber domain or any other domain for that matter. Unfortunately, only a handful of states have offered official views on the application of the non-intervention rule in the cyber context, providing little insight into their views of the rule’s internal content.

Like others, the Chatham House report would fill the void of official state views on the subject by pointing to non-binding sources as “useful guidance,” such as the ICJ’s articulation of the rule in its 1986 Nicaragua decision. These sources generally focus on the element of coercion as the rule’s touchstone, the ICJ describing it as “defin[ing], and indeed form[ing] the very essence of, prohibited intervention.” Others, drawing on sources such as Oppenheim, whom the Chatham House report cites liberally, yet selectively, articulate the rule in slightly broader terms. They assert that to be internationally wrongful, an intervention “must be forcible or dictatorial, or otherwise coercive, in effect depriving the state intervened against of control over the matter in question.” But as Oppenheim also notes, although intervention and interference are frequently used interchangeably, international law only proscribes the former as wrongful. In his view “[i]nterference pure and simple is not intervention,” an important limitation on the intent and purpose of the rule’s coverage, and directly relevant to the sovereignty debate discussed below.

A number of commentators take a very narrow view of the non-intervention rule’s scope, a point with which the Chatham House report takes issue. According to the report’s author, writing in Just Security, it rejects “overly rigid interpretation and application” of the ICJ’s description of the coercion element as leaving “unacceptable leeway to aggressor states,” and setting a threshold of action and harm that will rarely be crossed.  In her view, “the non-intervention principle is in practice capable of broader application.” Thus, according to the report, the rule should be understood in light of its central focus on protecting the free will of states regarding core sovereign prerogatives and should operate to prevent states from employing pressure, whether successful or not, aimed at overcoming the free will of the target state in an attempt to compel conduct or an outcome involving a matter reserved as a sovereign right to that state.

The report’s focus on efforts to overcome the free will of targeted states is understandable and has merit. Actions aimed at subverting a state’s free will undermine the sovereign equality of states and the international order, and present a direct threat to international stability, peace and security. Covert disinformation and influence campaigns may not be new, but the internet and cyber capabilities have exacerbated their impact and elevated the risk they pose. The threat has started to galvanize attention and action, but primarily through domestic-law approaches such as Australia’s recent national security and foreign interference laws. In those instances where states have reportedly taken more proactive measures to counter foreign influence campaigns, they have not offered a legal rationale.

There is no doubt work to be done on the international law front if states are going to set boundaries around destabilizing influence campaigns. As Eric Jensen and I stated, the non-intervention rule is indeed in need of clarification and perhaps evolution. As we said, the rule should be understood “to encompass actions involving some level of subversion or usurpation of a victim state’s protected prerogatives, such as the delivery of covert effects and deception actions that, like criminal fraud provisions in domestic legal regimes, are designed to achieve unlawful gain or to deprive a victim state of a legal right.”

Unfortunately, where the report falls short is in proffering greater evidence of state practice and opinio juris in support of its broader interpretation of the rule.  Given the dearth of official statements on the subject, this is understandable. Nevertheless, the report would have been better to offer its views not in the form of legal conclusions, but as recommendations for good faith extension or modification of existing law, which is ultimately a policy question reserved for states that must be carefully considered and weighed against the potential impact on external sovereign prerogatives.

Before turning to the sovereignty question, one aspect of the report’s analysis is worth particular mention. In challenging an overly narrow construction of the non-intervention rule, the report was quick to downplay the importance of the ICJ’s pronouncements on the subject in the Nicaragua decision, dismissing them as dicta. On this point, the report is correct. The matters before the ICJ involved forcible measures addressed separately under the court’s use-of-force analysis. Further, the court’s entire discussion of the non-intervention principle was only for the purpose of dispelling an argument that the forcible measures were justified as countermeasures. As such, its broader pronouncements on the elements of the rule were unnecessary and deserving of limited weight.  Unfortunately, when it comes to the issue of the normative status of sovereignty, the report is less circumspect of ICJ pronouncements.

The Sovereignty Debate

On the question of sovereignty, the report unfortunately tacks in a different direction. It relies on the same sort of ICJ dicta it correctly downplayed with respect to prohibited intervention and fails to adequately reflect the marked divergence in states’ views on the sovereignty question and its applicability to the cyber context. In so doing, the report elevates in importance factually inapposite ICJ opinions over actual state practice and opinio juris. It also adopts the same flawed syllogism used in the Tallinn Manual 2.0 that rests on the erroneous premise that international law contains a blanket trespass rule against states sending their agents into the territory of another state without consent. Overwhelming state practice, most notably in the context of espionage, says otherwise; a point that neither the report nor the Tallinn Manual 2.0 account for adequately.

Where the report diverges from the Tallinn Manual 2.0 is on its views of what actions might constitute violations of the asserted rule of sovereignty, adopting what the author describes as a more holistic approach and concluding that there may be “some form of de minimis rule in action.” On this point the report, like the Tallinn Manual 2.0, wades deep into uncharted waters without the benefit of even rudimentary navigational tools. Fortunately, here the report does recognize the limits that the distinct absence of state practice or opinio juris places on any effort to identify the contours of a claimed sovereignty rule or to assert controlling thresholds, concluding that “[t]he assessment of whether sovereignty has been violated therefore has to be made on a case by case basis, if no other more specific rules of international law apply.”

Notwithstanding claims to the contrary, to date only two states, the United Kingdom and the Netherlands, have put on record their positions as to whether sovereignty is simply descriptive of legal personality or a prescriptive primary rule of international law. Their polar opposite views, coupled with the distinct absence of comment on this core question from the handful of states such as Estonia, Australia, and the U.S. that have offered official statements on international law’s applicability to cyber operations is prima facie evidence of the unsettled nature of the question.

The United Kingdom’s position is clear: that as a matter of current international law, there is no “cyber specific rule of a ‘violation of territorial sovereignty’ in relation to interference in the computer networks of another state without its consent.” The U.K. assesses legality against the accepted prohibitions on the use of force and intervention. Based on my professional dealings, there are a number of key states that find sympathy with this view.

The Netherlands takes the opposite view, stating its belief that “respect for the sovereignty of other countries is an obligation in its own right, the violation of which may in turn constitute an internationally wrongful act.” As to what that obligation entails, in what can only be understood as a strong dose of pragmatism the Netherlands is far more vague. Beyond “generally” endorsing the Tallinn Manual 2.0 Rule 4 approach, it notes that in light of the unique nature of cyberspace, the precise boundaries of what may or may not be permissible have yet to crystallize. And in an interesting twist, the Netherlands goes on to intimate that cross-border cyber law enforcement activities may not be captured by the rule, as “[o]pinion is divided as to what qualifies as exercising investigative powers in a cross-border context ….” Such an acknowledgment is anathema to strict sovereigntists, and although the Netherlands letter to Parliament is conspicuously silent on the issue, perhaps this was a nod to the difficult question of espionage.

Recently France also lent its voice to the cyber international law discussion. But despite claims to the contrary, including in the Chatham House report itself, France did not assert that sovereignty constitutes a standalone primary norm of international law.

First, it should be noted that despite numerous assertions to the contrary, the French document does not claim to be the official position of the French government. It was written and published by the French Ministère des Armées (MdA), in the same vein as the DoD Law of War Manual, which does not necessarily reflect the views of the U.S. Government as a whole. Further, although the MdA does state that cyberattacks, as it defines that term, against French digital systems or any effects produced on French territory by digital means may constitute a breach of sovereignty in the general sense, at no point does it assert unequivocally that a violation of the principle of sovereignty constitutes a breach of an international obligation. To the contrary, obviously aware of the debate, the document is deliberately vague on this point and simply asserts France’s right to respond to cyberattacks with the full range of options available under international law consonant with its assessment of the gravity of the attack.

Tellingly, while noting that cyber operations are not unlawful per se, the MdA states that it is actively taking “a number of measures to prevent, anticipate, protect against, detect and respond to [cyberattacks], including by neutralizing their effects.” Yet when discussing France’s right to take countermeasures the document is again vague, and perhaps more so, stating in measured fashion that they are available only when cyberattacks in fact infringe international law (with a distinct focus on uses of force)—not simply when they “breach” sovereignty. These are not simply my observations.  They were confirmed in discussions with a senior French official involved in the drafting and publication of the document.

The French paper offers a number of important and helpful views on the role international law should play with respect to cyber operations, and the authors should be commended. But it is first and foremost a pragmatic statement of the MdA’s views on its authority to proactively respond to malicious cyber operations and is conspicuously silent on whether and how France, or the MdA, feels international law constrains its own freedom of action. Reports that France conducted a mass crypto-currency mining botnet takedown across multiple states only weeks after publishing the paper are notable in this regard. Simply put, the Chatham House report, like several commentators, places undue weight on the paper and overstates its conclusions on the sovereignty question.

Notwithstanding the documented divergence of states’ views, the report relies on ICJ pronouncements in a handful of factually inapposite cases to support its conclusion that sovereignty constitutes a primary rule of international law. This itself raises an important question about the weight to be given ICJ opinions in general as “sources” of international law; a discussion beyond the scope of this post. Suffice it to say that, although the court’s views should not be dismissed lightly, they are often not in conformity with those of the majority of states, and as is evidenced in Article 38(d) of the ICJ statute, states never intended to imbue the court with the power of stare decisis.

So while it is true that the ICJ has referred in general terms to violations of sovereignty in certain cases such as Corfu Channel, Certain Activities carried out by Nicaragua, and the 1986 Nicaragua decision, the court’s pronouncements were binding only on the parties before it and in each instance the facts ruled on involved substantial military presence, de facto control of territory, and in some instances, violent operations, all of which implicate higher thresholds than the sovereignty-as-a-rule proponents assert.

Further, the pronouncements are often in the form of dicta, which the report relies on selectively. For example, the report ignores the foundational holding in the SS Lotus case that restrictions on states’ sovereignty cannot be presumed, citing instead to dicta that, absent a permissive rule to the contrary, states may not “exercise their power in any form” inside the territory of another state. Again, this is an overbroad proposition at odds with extensive state practice in the area of, among other exercises of state power, espionage.

As the report acknowledges, states routinely send agents into the territory of other states without consent, and those agents often alter physical and virtual conditions inside the territory to permit access to and exploitation of information. These activities are broadly recognized as unregulated in international law. Notwithstanding those facts, in an effort to bolster its sovereignty-as-a-rule position, the report follows the Tallinn Manual 2.0’s lead and attempts to establish a loose syllogism based on the flawed premise that all physical trespasses violate international law. According to this faulty logic, the entry of a state agent into the territory of another state without consent is a breach of sovereignty; therefore the execution of a close-access cyber operation against a state from within its territory is a breach of sovereignty; and a fortiori, remote cyber operations conducted against a state from outside its territory constitute a breach of sovereignty.

The principle of sovereign equality is at the heart of the Lotus principle. Turkey’s exercise of criminal jurisdiction over a French national in that case involved obvious interference in France’s sovereign prerogatives with respect to its national, yet the court found no impediment in law to Turkey’s action. The report disregards the central tenet of the SS Lotus case, which is that states are free to act on the international plane except to the extent that their actions are proscribed by clearly identifiable treaty or customary international law. There is simply no evidence that the Lotus principle does not apply with equal force in the cyber context.

In describing the report, the author states that there is no reason the principle of sovereignty “should not apply in the cyber context as it applies in every other domain of State activity.” This statement is at odds with the report’s own closing observation that in “due course, further state practice and opinio iuris may give rise to an emerging cyber-specific understanding of sovereignty, just as specific rules deriving from the sovereignty principle have crystallized in other areas of international law.” More important, the statement assumes, counter factually and historically, that sovereignty and the rules that flow from it operate consistently across every other domain of state activity. It does not, and precisely for reasons grounded in the very bundle of sovereign rights and obligations that the paper references.

States’ rights flowing from internal and external sovereignty are frequently in tension, and it is only through a process of accommodation that states consent to restrictions on their external sovereign prerogatives—accommodations that start from the Lotus principle and are almost always context specific. Even Judge Alvarez, one of the original judges to sit on the ICJ and a staunch advocate of the court having expansive power to “remodel international law” recognized in his Corfu dissent that the rights and obligations that sovereignty confers on states:

are not the same and are not exercised the same way in every sphere of international law.  I have in mind the four traditional spheres—terrestrial, maritime, fluvial and lacustrine—to which must be added three new ones—aerial, polar and floating (floating islands).  The violation of these rights is not of equal gravity in all these different spheres.

Had it existed at the time, he would have certainly added to his list the cyber sphere, and like the accommodation of competing sovereign interests reflected in the rule of transit passage sub judice in Corfu Channel, it remains for states to settle on any prescriptive regime that would limit their external prerogatives in cyberspace beyond the domain agnostic prohibitions against the use of force and prohibited intervention.

Having adopted the sovereignty-as-a-rule approach, the report turns to an unavailing effort at identifying the rule’s content. It points to a number of flaws in the Tallinn Manual 2.0 Rule 4 approach, correctly highlighting the dissension among the Tallinn contributors on how the purported rule operates in practice.  I have commented on these weaknesses (here, here, and here). The report correctly rejects an absolutist view of the purported sovereignty rule as unsupported by state practice and dangerously escalatory. To this critique the report should have added that such an overbroad rule would be too constraining to states’ ability to conduct effective counter-cyber operations by limiting them to the cumbersome and problematic remedy of countermeasures, which Eric Jensen and I have pointed out.

In rejecting this absolutist view, the report claims to take a more holistic approach to the issue and states that some threshold must be at play.  In so doing the report repeats a number of the same unsubstantiated claims as the Tallinn Manual 2.0 and ignores Oppenheim’s admonition that mere interference in the internal affairs of another state is to be distinguished from prohibited intervention. Further, the report provides no evidence of state practice or opinio juris to demonstrate that states agree or that they would declare such a threshold to be anything other than the non-intervention rule. In fact, a number of the examples offered in the report in support of its sovereignty argument directly implicate prohibited interventions. To the author’s credit, on these points the report is more prudent in its approach, concluding that there is currently insufficient evidence to establish governing thresholds as a matter of customary international law.

The paper closes with a number of recommendations to states that, although likely unintentional, lose some persuasion by straying at times from recommendatory to prescriptive, such as telling state intelligence agencies and foreign services how to coordinate their strategic communications. As I noted at the beginning, of greater value is the report’s overarching recommendation that states focus on evolving the rule of non-intervention as the most effective tool for establishing greater normative boundaries around state actions in the cyber domain while preserving space for states to execute effective counter-cyber strategies. The real-world scenario I described involving the threat from Iran is a good case study. It is difficult to imagine states like the United States and others that are increasingly on the receiving end of these malicious activities will rally around the sovereignty rule that Chatham House articulates. In the face of concrete and persistent cyber threats from states like Iran, Russia, China, and North Korea, states will of necessity need to ensure that international law evolves not only to deter irresponsible behavior but to do so in a way that preserves victim states’ ability to detect, disrupt, and counter cyber threats. 

About the Author(s)

Gary Corn

Director of the Technology, Law & Security Program and Adjunct Professor of Cyber and National Security Law at American University Washington College of Law; retired U.S. Army Colonel; served as the Staff Judge Advocate to US Cyber Command and as a Deputy Legal Counsel to the Chairman of the Joint Chiefs of Staff