Did the US Stay “Well Below the Threshold of War” With its June Cyberattack on Iran?

Written by

On 20 June 2019, the United States conducted a major cyberattack against Iran in response to Iran’s (alleged) attacks on oil tankers in the Hormuz Strait and the downing of an American surveillance drone. The attack was widely reported at the time, but on 28 August the New York Times published important new details, which included information about the legal-strategic thinking of the Americans. Specifically, it was reported that the US cybercampaign against Iran was “calibrated to stay well below the threshold of war”. Translated into legalese, this seems to imply that the Americans aim to keep their activities at a level that undoubtedly fall short of legal thresholds like article 2(4) of the UN Charter, which defines use of force, and common article 2 of the Geneva Conventions, which de facto triggers the laws of war. In this post, I discuss whether the Americans succeeded in keeping their distance from such thresholds.

The attack

In the original reporting on the attack by Yahoo! News, it was noted that the operation targeted “an Iranian spy group” with “ties to the Iranian Revolutionary Guard Corps”, which supported attacks on commercial ships in the Hormuz Strait. The precise object of attack was not specified, but it was mentioned that the group had “over the past several years digitally tracked and targeted military and civilian ships passing through the economically important Strait of Hormuz”.

The New York Times’ report explains that the cyberattack successfully “wiped out a critical database used by Iran’s paramilitary arm to plot attacks against oil tankers and degraded Tehran’s ability to covertly target shipping traffic in the Persian Gulf, at least temporarily”. The Iranians, it is noted, are “still trying to recover information destroyed in the June 20 attack and restart some of the computer systems — including military communications networks — taken offline”. Accordingly, the attack seems to have crippled the targeted system in a way that has taken it offline and, presumably, rendered it useless for months. The effects of the attack were “designed to be temporary”, officials said, but had “lasted longer than expected”. In terms of the specific target of the attack, it was reported that the target was the Iranian Revolutionary Guards’ intelligence group. Finally, it was noted that previous media reports (see, for example, the Washington Post and New York Times) about the attack having targeted Iranian air defence and missile systems were inaccurate.

The legal standards

As mentioned above, the most obvious legal standards to apply to this situation are article 2(4) of the UN Charter and common article 2 of the Geneva Conventions. As is commonly held, however, even basic infringements of the prohibition of the use of force would technically activate the laws of war. As noted by the ICRC in its commentary to common article 2, “there is no requirement that the use of armed force between the Parties reach a certain level of intensity before it can be said that an [international] armed conflict exists.” As such, while there is no direct link between finding that use of force has been applied, within the meaning of UN Charter, and a finding under the Geneva conventions that an international armed conflict has been triggered, the closeness of the two standards mean that – for the narrow purposes of this post – it only seems necessary to deal with former. Therefore, I will focus on article 2(4) in the following.

The use of (cyber) force

It is commonly accepted that article 2(4) covers only ‘armed’ force, thus excluding concepts like economic or political coercion. Accordingly, the article bans only one particular means of coercion: ‘armed’ force. This does not mean, however, that States have to use such force directly, in the sense of applying kinetic force to damage or destroy objects, or injure or kill people. According to the International Court of Justice’s (ICJ) Nicaragua decision, indirect actions, such as the arming and training of insurgents, can be considered use of force – although actions that are a bit more indirect, such as the mere funding of such groups, fall below the threshold. As such, while the force applied has to be ‘armed’ in some sense, the concept is not limited to firing guns and dropping bombs. These are roughly the criteria that we have to work with, however.

When trying to fit cyberattacks into the legal mould of article 2(4), much disagreement arises. The most widely accepted approach, however, is to look principally at the effects of cyberattacks and to hold that if these effects are comparable to the effects of a kinetic attack, they should be treated similarly. This approach leans on the pronouncement of the ICJ in its Nuclear Weapons advisory opinion, which notes that article 2(4) applies to “any use of force, regardless of the weapons employed.” Thus, if cyberattacks result in physical damage, the answer is simple: Cyberattacks can constitute use of force. For many lawyers, the conversation stops here. To me, however, this should not be the case. Essentially, article 2(4) was written to keep powerful States from using the sharpest tool in their coercive toolbox – military might – to interfere with other, less powerful States. Accordingly, the central issue cannot be the exact way that these States dispense of their military might, beyond certain de minimis standards and militaristic features. Indeed, given that kinetic force was never the defining feature of ‘armed’ force (just look at biological and chemical weapons), and that the Nicaragua decision included indirect methods of warfare under article 2(4), there seems to be little reason to cling to strict, conventional concepts of physical force and effects. Put in another way: if we imagine that the Americans had dropped a bomb in Iran, which destroyed Iranian hardware in a way that degraded their military capabilities similarly to the present case, this would surely be use of force. The same, I believe, would be the case if, say, a canister of gas was released, which through a chemical reaction damaged metals and wires in Iranian hardware, thus destroying it and thereby degrading Iranian capabilities. While the immediate effect in this case would be physical, the important element seems to rather be the broader effect of the attack: the actual degrading of capabilities. The same seems true with cyberattacks, where digital means are used to, essentially, change 1’s and 0’s in software in order to reach similar results. While one could frame this digital approach as having a third kind of ‘physical’ effect – the damage done to a hard drive through the manipulation of its magnetic polarity, for example – I believe that the strict physicality of the immediate effect, while clearly important, can hardly be decisive. The broader effects of an attack should be considered too, physical or otherwise.

While a bit non-committal on the issue, this seems to be a perspective acknowledged by the International Group of Experts behind the Tallinn Manual 2.0 on the International Law Applicable to Cyber OperationsSo, if a cyberattack only result in ‘non-physical’ damage, as is apparently the case in the present situation, a more thorough examination is warranted – and for this purpose, the Tallinn Manual notes a pertinent method for doing so.

Examining the American cyberattack

In Rule 69 of the Tallinn Manual, the experts employed a conventional approach to defining use of force within the cyber domain, relying on the scale and effects of attacks. Acknowledging, however, that this approach did not resolve the difficult question of ‘non-physical’ damage, the experts took notice of an approach that was originally developed by Michael N. Schmitt. This approach aims to determine the likelihood that States will characterize a cyberattack as use of force and thus provides a useful tool for present purposes: to conduct a prima facie assessment of the US’ aim of staying “well below” legal thresholds of war. On this basis elements such as the severity, immediacy, directness, invasiveness, measurability, military character, state involvement, and presumptive legality of international conduct should be examined.

Going through these criteria, it seems reasonable to conclude that their application points towards classifying the US cyberattack as use of force. Specifically, in terms of the severity, invasiveness, State involvement, and military character of the attack, it is noteworthy that it was conducted by a US military unit (US Cyber Command) against Iranian military assets, which were apparently critical to Iran’s capabilities in the Hormuz Strait, and that the attack deleted or made unavailable information and took computer systems – including military communications networks – offline for several months. Additionally, in terms of the immediacy and directness criteria, the effects of the attack seem to have occurred immediately and with direct causality between the attack and the harm done. Furthermore, the harm seems clearly measurable in the sense that there has been significant publicity about the target and effects of the attack. Finally, the militaristic nature of the attack seems to dispense with the presumptive legality issue. As such, this method points towards finding a use of force.

Conclusions

Whether one finds the above method persuasive, it seems clear that at least a plausible prima facie case can be made that the US attack constituted use of force. In other words, it seems reasonable to conclude that when a military unit from one State (the US) conducts a cyber operation against a military unit from another State (Iran), which degrades the latter’s military capabilities for a significant amount of time, this could plausibly amount to use of force under article 2(4) of the UN Charter – even though no ‘physical’ damage is done. At this point in time, however, no one can say so authoritatively. Still, given that the goal of the US was to “stay well below the threshold of war”, it seems the US fell short of its goal.

Print Friendly, PDF & Email

Categories

  • EJIL Analysis
  • Iran
  • Self Defence
  • Use of Force

    • Tags

  • cyber
  • Hormuz
  • Iran
  • Tallinn Manual
  • use of force

    • Leave a Comment

    Comments for this post are closed

    Comments

    Mary Ellen O'Connell says

    September 3, 2019

    I have reached a different view, Marc, on the choice of law governing US cyber operations against Iran.

    I look to the law of countermeasures, not the UN Charter prohibition on the use of force in Article 2(4). Not all coercive action, even with kinetic effects, comes within the scope of Article 2(4). Coast Guard fishing enforcement vessels shooting over the bows of ships to arrest them do not violate 2(4). They might be unlawful countermeasures.

    Not all uses of force that do violate Article 2(4) will result in a right of self-defense per Article 51 according to the plain text and ICJ judgments.

    The 1949 Geneva Conventions apply in cases of “declared war or other armed conflict” and in situations of occupation. Regardless of the ICRC commentary, it is impractical to attempt to apply the Convention principles to one off or intermittent attacks and states do not do so as confirmed in ILA Use of Force Committee Report on the Meaning of Armed Conflict (2010).

    The law of countermeasures is suited to regulating cyber operations outside armed conflict. In the Iran case U.S. operations failed to meet 3 of 4 conditions: 1.) There must be a prior wrong. U.S. officials report the cyber attacks respond to the 20 June Iranian destruction of a U.S. drone. The evidence around that incident, however, does not meet the requisite clear and convincing standard. 2.) The U.S. failed to notify Iran that it intended to take countermeasures and failed to allow Iran to communicate its position on U.S. claims. 3.) The cyber operations do not comply with the principle of necessity. Indeed, according to the New York Times, Iran is continuing its own unlawful cyber operations undeterred. But, 4.), the U.S. operations might be proportional as U.S. officials claim.

    Unfortunately for the U.S., it must meet all four conditions, not just proportionality.

    Marc Schack says

    September 6, 2019

    Dear Mary Ellen,

    Thank you for your comment.

    I completely agree that not all (kinetic) coercive action constitute use of force within the meaning of the UN Charter, and I agree that not all uses of force give rise to a right of self-defense under art. 51. In the post, I merely make the case that the (military) characteristics of this specific cyberattack makes it reasonable/possible to conclude that it fits within art. 2(4) - irrespective of its limited physical character. If one reaches the conclusion that it does not, however, I would completely agree that the situation should be analyzed within the framework of countermeasures, and that the analysis that you sketch out would be the way to approach the problem.

    Best, Marc

    Charles Dunlap says

    September 9, 2019

    I gather Mary Ellen is relying upon the ICJ’s 1997 Gabcikovo-Nagymaros Project case for her understanding of the law of countermeasures. Although, with the caveat noted below, I find it rather clear that the U.S. action in this instance complied with the law so defined, I do think it’s helpful to remind ourselves from time to time that the ICJ is not a court of precedent. As Eric De Brabandere has pointed out, its “decisions are not formally a source of general obligation for states,” that is, there is an “absence of any form of stare decisis in international law.”

    In my view the law of countermeasures as applied to cyber operations is a bit murkier than Mary Ellen’s post suggests. In the area of cyber in particular, I think state practice – especially by specially-affected states – is quite influential.

    Thus, while I personally agree with Marc’s analysis, I’ve come to accept that states appear to be taking a much more conservative and traditional view of what constitutes force in the cyber realm.

    Essentially, this seems to mean that the operation must cause rather directly (and in the near term) some level of physical harm…and the extended loss of functionality of some systems not affecting civilians or civilian objects doesn’t seem to be sufficient. The issue is further complicated by the fact that the U.S. takes the iconoclastic position that there is no difference in terms of a self-defense trigger between “force” as used in the Article 2 (4) of the Charter and “armed attack” as used in Article 51.

    Having said all this, I also think that a case of self-defense could be made as a result of the Iranian attacks. However, it doesn’t appear that either party especially wants to pursue that analytical course.

    Regards, Charlie