On August 18, the General Staff of the Iranian Armed Forces released a statement outlining its views on how international law applies in cyberspace. The detailed statement is the first of its kind issued from a major non-Western cyber power (with the possible exception of China’s International Strategy of Cooperation on Cyberspace) and therefore merits particularly close attention and scrutiny.
This article analyzes the substance of the statement. However, before proceeding with this analysis, some words of caution are in order. First, although the statement was released by the General Staff of Iran’s Armed Forces and not the Iranian government per se, we can safely assume that it represents the views of the Iranian State, since the statement itself notes that “under the command of the Supreme Leader […] all relevant organizations and institutions shall have coordination and synergy with [the] armed forces” on matters concerning national defense and “cyberspace constitutes a new area in the field of defense and security.” It therefore seems clear that the statement is intended to guide and inform cyberspace policy of all State agencies.
Second, the English translation of the document has been promulgated by Iranian news agencies and the translation is at times, choppy, containing grammatical errors and peculiar wording. At the moment of writing, it cannot be ascertained whether this is an official translation of the Persian text or whether a better translation will (hopefully) be submitted by Iran (for instance to the United Nations Open-ended Working Group (OEWG)).
The statement starts by reiterating that cyberspace should be used by States in a peaceful manner and all States “shall act responsibly regarding cyberspace,” distributing the benefits and advantages of cyberspace resources based on the principles of equal access and “equitable sovereignty.” It emphasizes the obligation of all States to act responsibly within the cyberspace domain, but, interestingly, stresses that States have “common but different responsibilities because of resources and technologies available for each state.” This passage seems to refer to the principles of “common but differentiated responsibilities,” typically used with respect to environmental obligations (see Principle 7 of the 1992 Rio Declaration on Environment and Development), and sustainable development (see the United Nations 2030 Agenda for Sustainable Development). The principle of sustainability has so far played only a minor role in cybersecurity discussions, mainly in the context of voluntary confidence-building measures (see para. 21(f) of the 2015 U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications (UNGGE) report). The Iranian statement is, to my knowledge, the first reference to the application of international law to State conduct in cyberspace referring to sustainability.
The substantive part of the document starts with a discussion of sovereignty. The document recalls that modern international law implies the existence of territory within fixed geographical borders, within which a State exercises its sovereignty to the exclusion of other States. Although geographical borders do not exist in cyberspace, the information and communication technology (ICT) infrastructure which makes up the physical layer of cyberspace has a defined physical location and thus, “according to the armed forces of the Islamic Republic of Iran, the territorial sovereignty and jurisdiction of the states are also extended to all elements of the cyberspace.” This reflects the consensus view formulated in the UNGGE report, which states that “States have jurisdiction over the ICT infrastructure located within their territory” and that “[i]n their use of ICTs, States must observe, among other principles of international law, State sovereignty.”
While the claim that the principles of sovereignty and jurisdiction extend to cyberspace may sound unambiguous, upon closer inspection the statement does not offer much guidance on how exactly sovereignty applies in cyberspace. In fact, the question of which actions in cyberspace fall within the sphere of the exclusive authority of a State and whether certain cyber operations may be prohibited by a rule of customary international law requiring States to respect the (territorial) sovereignty of other States is one of the most hotly debated cybersecurity issues in recent years. While the United Kingdom and the United States Department of Defense argue that, as U.K. Attorney General Jeremy Wright puts it, one cannot “currently extrapolate from that general principle [of sovereignty] a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention [and therefore] there is no such rule as a matter of current international law,” several other States such as Austria, the Czech Republic, France, and the Netherlands have recently taken the opposite view, suggesting that sovereignty is not only a principle, but also a rule of international law which applies to conduct in cyberspace.
In its statement on international law in cyberspace, Iran joins the discussion and declares itself in favor of the “sovereignty-as-a-rule” position, claiming that:
Any intentional use of cyber-force with tangible or non-tangible implications which is or can be a threat to the national security or may, due to political, economic, social, and cultural destabilization, result in destabilization of national security constitutes a violation of the sovereignty of the state. … Any utilization of cyberspace if and when [it] involves unlawful intrusion to the (public or private) cyber structures which [are] under the control of another state [may constitute a] violation of the sovereignty of the targeted state.
Two implications of this statement are worth noting.
First, a State’s sovereignty may be violated by cyber operations (the term “cyber-force” used in the English translation of the statement is imprecise, but it is clear from the context that it is not limited to use of force situations, but rather signifies cyber operations as such), irrespective of the nature – tangible or intangible – of its intended effects. Rather, what counts are the adverse effects on national security. References to national security and “political, economic, social and cultural destabilization” are not terribly precise and, given that authoritarian regimes often tend to explain human rights violations by citing “national security” needs, this aspect of this statement is not particularly helpful in determining the scope of actions prohibited by a rule requiring respect for the sovereignty of another State in cyberspace. Nevertheless, the focus on both tangible and intangible effects of cyber operations to determine whether they violate the rule of sovereignty is very similar to the approach proposed first by the Tallinn Manual 2.0, and later adopted by the Netherlands and the Czech Republic, under which the lawfulness of a cyber operation under the sovereignty rule would be assessed on two bases: first, the degree of infringement upon the target State’s territorial integrity; and second, the interference with or usurpation of inherently governmental functions.
The second noteworthy implication of the quoted section of the statement is that Iran goes even further than the Tallinn Manual and the Czech and Dutch statements, arguing that any intrusion into the (public or private) cyber infrastructure under the control of another State may constitute a violation of that State’s sovereignty. This is very similar to the French “penetration”-based approach, under which “[a]ny unauthorized penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty.” The French – and now Iranian – views in this regard are quite attractive for offering a clear threshold upon which a violation of the rule of sovereignty may be assessed, avoiding certain inconsistencies of the opposite approach (for more on this penetration or “intrusion” based approach, see here). Nevertheless, both the French document of September 2019 and now the Iranian statement do not offer any views on whether they would consider non-consensual cyber espionage operations as constituting an unauthorized penetration of or intrusion into computer systems on the territory of another State to violate the target State’s sovereignty.
In its last paragraph on sovereignty, the statement recalls the link between sovereignty and other fundamental international legal principles, such as non-intervention, self-determination and sovereign equality. From this it concludes that “any limiting and freezing measure, including sanctions, constitutes [a] violation of the sovereignty of independent states because of not respecting the sovereignty of target states.” While understandable from Iran’s policy perspective, this statement is too broad and does not reflect the current state of international law. Sanctions and restrictive measures such as asset freezes and travel bans targeting individuals fall within the applying State’s jurisdiction and – without additional measures – are not violative of the sovereignty of the target state. Of course, sanctions must still be in accordance with the applying State’s obligations, such as for instance human rights and investment protection treaties.
On the principle of non-intervention, the statement recalls its status as a rule under customary international law and repeats the international consensus position that armed intervention or any attempt to subject a State in the exercise of its sovereign rights to the will of another State would constitute a breach of that rule. Regrettably, the statement uses imprecise language and does not directly refer to the two elements of a prohibited intervention – interference with matters falling into another State’s domaine réservé and the element of coercion – so it is not clear whether Iran regards all attempts to “threaten against the personality of state or political, economic, social, and cultural organs of it through cyber and any other tools” as a violation of the non-intervention principle, or only those which are of a coercive nature (which would conform to the established view). However, the statement offers some examples of actions which Iran would regard as illegal interventions:
Measures like cyber manipulation of elections or engineering [of] public opinions on the eve of the elections may … constitute … examples of gross intervention. The intervention, also, covers situations in which the non-cyber measures may occur in the cyber activities relating to the internal and external affairs of the other state. Cyber activities paralyzing websites in a state to provoke internal tensions and conflicts or sending mass messages in a widespread manner to the voters to affect the result of the elections in other states is also considered as [a] forbidden intervention.
Furthermore, it argues that:
Every state enjoys the inherent right to the full development of information system[s] and mass media and their employment, without intervention, to advance their own political, social, economic, and cultural interests and aspirations. Any measure resulting in impediment, denying, and or restricting operation of signals and means of information transfer and providing control systems and exercising the sovereignty of the state is regarded as unlawful.
Two things are particularly noteworthy here. First, in declaring the manipulation of elections by cyber means as an example of a prohibited intervention, Iran joins established democracies such as Australia, the U.K., and the United States, which have already argued that cyber operations manipulating electoral processes or election results amount to illegal forms of intervention. Second, however, Iran seems to go even further in arguing that influence operations aimed at affecting voter behavior (e.g. “engineering of public opinion” or “sending mass messages to voters”) would also qualify as a legally prohibited intervention. After Russia’s interference in the U.S. 2016 presidential election, this issue is, of course, hotly debated in the legal community (see e.g. contributions on this topic by Kilovaty, Lahmann, Moynihan and Ohlin). However, qualifying influence operations as interventions finds a major obstacle in the legal requirement that any intervention must be conducted by coercive methods. The International Court of Justice (ICJ), in its 1986 Nicaragua judgment, calls the element of coercion “the very essence of prohibited intervention.” It would be difficult to establish that even a very sophisticated cyber influence operation conducted through social media or – using the Iranian example – “sending mass messages to voters,” would rise to the level of coercion.
Moreover, if the dissemination of information (even if it is incorrect; or true, but released without the holder’s permission) alone, without the use of coercive methods, were sufficient to constitute an intervention, this could potentially jeopardize freedom of speech and the free flow of information – two core rights that the United States and its allies rightly seek to protect against authoritarian curtailment in cyberspace. For these reasons, States have so far refrained from counting disinformation operations as interventions, although for instance the Netherlands noted that “[t]he development of advanced digital technologies has given states more opportunities to exert influence outside their own borders and to interfere in the affairs of other states [and a]ttempts to influence election outcomes via social media are an example of this phenomenon.” Nevertheless, the problem posed by targeted disinformation campaigns is very real and it will be interesting to see whether States will follow up on Iran’s initiative and offer views on the relationship between disinformation operations and the principle of non-intervention.
Use of force
Finally, on the prohibition of the use of force in cyberspace, Iran’s view is worth quoting in full:
Armed forces of the Islamic Republic of Iran believe that certainly, those cyber operations resulting in material damage to property and/or persons in the widespread and grave manner and or it logically is probable to result in such implications constitutes [a] use of force. Should such operations affect … vital national infrastructures, including defensive infrastructures – whether owned by the public or private sector – they shall violate the principle of the non-use of force.
Armed forces of the Islamic Republic of Iran, also, believe that their right to self-defense shall be reserved if the gravity of the cyber operation against … vital infrastructure of the state is reached in the threshold of the conventionally armed attack.
It is quite interesting that with respect to the prohibition on the use of force, Iran appears to join the mainstream position, held by a majority of States that have offered views on this matter. States such as the United States, U.K., Germany, France, the Netherlands, and others (as well as the Tallinn Manuals), have endorsed the “scale-and-effects” test, whereby a cyber operation constitutes a use of force when its scale and effects are comparable to the use of conventional force. Such comparability exists when a cyber operation leads to loss of life, injury, or severe material damage. Moreover, the U.K. and the United States have explicitly included cyber operations against certain critical infrastructure components such as nuclear reactors, air traffic control systems, and essential medical services, within their examples of actions that would violate the prohibition on the use of force.
In the second paragraph, Iran seems to contend that the right of self-defense against cyber operations exists once those cyber operations reach the “gravity” (i.e. scale and effects) of a conventional armed attack. Here again, Iran endorses the majority view, which in turn is based on the ICJ’s Nicaragua judgement, wherein the Court first formulated the scale and effects test.
A Shift in Iran’s Posture Toward International Law in Cyberspace?
Iran’s recent statement offers a useful contribution on three major topics concerning the application of international law to cyber operations: sovereignty, the principle of non-intervention, and the prohibition on the use of force. It adds to the debate by sometimes endorsing the mainstream view, sometimes expanding upon it, and other times proposing Iran’s own, somewhat unique interpretation of applicable law. While not every view offered by the Iranian General Staff corresponds to the views of States such as France, the Netherlands or the United States, the mere fact that Iran – a major non-Western cyber power – has joined the debate in a constructive way deserves praise and appreciation. It should also be noted that in September 2019, Iran argued against the interpretative process whereby existing international legal norms would be transferred, where feasible, to cyber operations, and in favor of instead establishing new international rules and norms, stating:
The existing international law should be adjusted in a way to become applicable to ICT environment. The legal gaps should be filled by new international legal rules and norms. … The applicable international law on ICT environment should not be open to interpretation.
Even in its April 2020 comments to the OEWG pre-draft report, Iran argued that:
[T]he pre-draft seems to be driven to, and by, the assumption that the existing international law is applicable to state’s use of ICTs. This is obvious that the existing international law has not been able to preserve the ICTs peaceful nature. Accordingly, OEWG is expected to continue discussions on “to what extent,” and “how,” the existing international law applies and, more importantly, what kind of international binding instrument, including an ICT-specific convention should be developed.
Thus, this most recent statement by Iran’s General Staff appears to represent a rather sharp departure from the country’s previous position vis-à-vis the applicability of general public international law to the realm of cyber operations. Whether the statement truly signifies a change of Iran’s attitude towards the ongoing process of determining the content of international law applicable to cyber operations remains to be seen. Nevertheless, any statement on the subject, even (and perhaps especially) if it comes from an adversarial cyber power, should be taken seriously and studied very carefully by the international policy and legal communities. Such statements help to clarify and develop the applicable law and ultimately serve to promote a rules-based order in cyberspace. What remains to be seen, however, is whether Iran will practice what it preaches in this key domain.