Earlier today, NBC reported, and the New York Times confirmed, that the United States conducted a “covert” cyber operation against an Iranian ship in the Red Sea, the MV Behshad, over a week ago. The MV Behshad is a merchant vessel registered to the Rahbaran Omid Darya Ship Management Company. It is believed to have been used by Iran’s Islamic Revolutionary Guard Corps to provide the Houthis with real-time intelligence to guide strikes on ships transiting the Red Sea.
Unnamed U.S. officials are reported to have described the operation as aimed at inhibiting the ship’s “ability to share intelligence with Houthi rebels in Yemen,” who have been attacking mostly cargo ships in the Red Sea since November and have vowed to do so until Israel ceases military operations against Hamas in Gaza. The officials also said, however, that the U.S. operation was “part of the Biden administration’s response to the drone attack by Iranian-backed militias in Iraq that killed three U.S. service members in Jordan late last month and wounded dozens of others [at Tower 22].”
Here are a few key questions to address as more details emerge:
What was the nature of the “cyber attack”? “Cyber attack” can mean many different things – the specific facts of any cyber operation matter, both in terms of legal and policy implications. Was this a simple jamming operation that interfered with transmission of information? Or another type of cyber operation that would likely fall below the threshold of a use of force (perhaps deleting or modifying data, which could potentially explain the Houthis’ seemingly errant attack last week on a cargo ship bound for Iran)? If the operation did not constitute a use of force, did it violate any other potentially applicable international laws (such as duties related to sovereignty and non-intervention) and, if so, was the operation viewed by the United States as a lawful countermeasure – an otherwise unlawful action short of armed force that is designed to induce compliance with international law on the part of a breaching state?
If a use of force, was it necessary in self-defense? If the operation rose to the level of a use of force (possibly by permanently destroying infrastructure on the Iranian ship, although this seems unlikely based on what has been reported to date), it would of course not be a lawful act of self-defense in response to the attack on Tower 22 in Jordan. Instead, it is clearly related to Houthi attacks on shipping in the Red Sea. U.S. officials have reportedly said “Iran uses the ship to provide targeting information to the Houthis so their attacks on the ships can be more effective.“ What is the relationship between the “Iranian spy ship” and Houthi attacks on vessels in the Red Sea? Does the United States believe Iran bears State responsibility for the Houthi attacks?
How is Iran likely to respond? Iran has been vocal about the MV Behshad in the past two weeks, stressing that it would retaliate for an attack on the ship. In a video posted on its Telegram channel on Feb. 11, the Iranian Army claimed the MV Behshad was engaged in a mission to “counteract piracy” in the Red Sea and the Gulf of Aden. The video urged the United States not to attack, warning that “those engaging in terrorist activities against the MV Behshad or similar vessels, jeopardize international maritime routes, security and assume global responsibility for potential future international risks.” Iran has a large cyber arsenal that includes an ability to conduct sophisticated data deletion and Supervisory Control and Data Acquisition (SCADA) attacks on critical infrastructure, capabilities that could be deployed against U.S. ships or military assets in the region.
What are the implications for potential conflict escalation – or de-escalation – with Iran? U.S. and Iranian redlines in cyberspace are unclear, and even non-lethal cyber attacks may have unintended consequences. Signaling in cyberspace is notoriously complex, and it is difficult to predict and control the impact of malware, for example, once it has been released (the Stuxnet virus that targeted Iranian nuclear facilities at Natanz, for example, also infected computers around the world, including at U.S. oil refineries).
It is striking that the unnamed U.S. officials framed the operation as a response to the attack on Tower 22 in Jordan carried out by Iran-backed militia groups in that region, as opposed to part of its efforts to protect against Houthi attacks on vessels in the Red Sea. The common denominator is a level of Iranian involvement, although precisely what level is unclear. If this operation was intended to signal to Tehran that the United States holds Iran accountable for the actions of both sets of non-state actors, and will respond in kind, does it increase the likelihood of direct confrontation between U.S. and Iranian armed forces? Alternatively, if the operation fell below the level of a use of force (which again, seems quite plausible based on what has been reported thus far), does it signal potential room for de-escalation through the use of non-kinetic and non-lethal levers of coercion?