On 20 June 2019, the United States conducted a major cyberattack against Iran in response to Iran’s (alleged) attacks on oil tankers in the Hormuz Strait and the downing of an American surveillance drone. The attack was widely reported at the time, but on 28 August the New York Times published important new details, which included information about the legal-strategic thinking of the Americans. Specifically, it was reported that the US cybercampaign against Iran was “calibrated to stay well below the threshold of war”. Translated into legalese, this seems to imply that the Americans aim to keep their activities at a level that undoubtedly falls short of legal thresholds like article 2(4) of the UN Charter, which defines use of force, and common article 2 of the Geneva Conventions, which de facto triggers the laws of war. In this post, I discuss whether the Americans succeeded in keeping their distance from such thresholds.
In the original reporting on the attack by Yahoo! News, it was noted that the operation targeted “an Iranian spy group” with “ties to the Iranian Revolutionary Guard Corps”, which supported attacks on commercial ships in the Hormuz Strait. The precise object of attack was not specified, but it was mentioned that the group had “over the past several years digitally tracked and targeted military and civilian ships passing through the economically important Strait of Hormuz”.
The New York Times’ report explains that the cyberattack successfully “wiped out a critical database used by Iran’s paramilitary arm to plot attacks against oil tankers and degraded Tehran’s ability to covertly target shipping traffic in the Persian Gulf, at least temporarily”. The Iranians, it is noted, are “still trying to recover information destroyed in the June 20 attack and restart some of the computer systems — including military communications networks — taken offline”. Accordingly, the attack seems to have crippled the targeted system in a way that has taken it offline and, presumably, rendered it useless for months. The effects of the attack were “designed to be temporary”, officials said, but had “lasted longer than expected”. In terms of the specific target of the attack, it was reported that the target was the Iranian Revolutionary Guards’ intelligence group. Finally, it was noted that previous media reports (see, for example, the Washington Post and New York Times) about the attack having targeted Iranian air defence and missile systems were inaccurate.
The legal standards
As mentioned above, the most obvious legal standards to apply to this situation are article 2(4) of the UN Charter and common article 2 of the Geneva Conventions. As is commonly held, however, even basic infringements of the prohibition of the use of force would technically activate the laws of war. As noted by the ICRC in its commentary to common article 2, “there is no requirement that the use of armed force between the Parties reach a certain level of intensity before it can be said that an [international] armed conflict exists.” As such, while there is no direct link between finding that use of force has been applied, within the meaning of the UN Charter, and a finding under the Geneva Conventions that an international armed conflict has been triggered, the closeness of the two standards means that – for the narrow purposes of this post – it only seems necessary to deal with the former. Therefore, I will focus on article 2(4) in the following.
The use of (cyber) force
It is commonly accepted that article 2(4) covers only ‘armed’ force, thus excluding concepts like economic or political coercion. Accordingly, the article bans only one particular means of coercion: ‘armed’ force. This does not mean, however, that States have to use such force directly, in the sense of applying kinetic force to damage or destroy objects, or injure or kill people. According to the International Court of Justice’s (ICJ) Nicaragua decision, indirect actions, such as the arming and training of insurgents, can be considered use of force – although actions that are a bit more indirect, such as the mere funding of such groups, fall below the threshold. As such, while the force applied has to be ‘armed’ in some sense, the concept is not limited to firing guns and dropping bombs. These are roughly the criteria that we have to work with, however.
When trying to fit cyberattacks into the legal mould of article 2(4), much disagreement arises. The most widely accepted approach, however, is to look principally at the effects of cyberattacks and to hold that if these effects are comparable to the effects of a kinetic attack, they should be treated similarly. This approach leans on the pronouncement of the ICJ in its Nuclear Weapons advisory opinion, which notes that article 2(4) applies to “any use of force, regardless of the weapons employed.” Thus, if cyberattacks result in physical damage, the answer is simple: Cyberattacks can constitute use of force. For many lawyers, the conversation stops here. To me, however, this should not be the case. Essentially, article 2(4) was written to keep powerful States from using the sharpest tool in their coercive toolbox – military might – to interfere with other, less powerful States. Accordingly, the central issue cannot be the exact way that these States dispense their military might, beyond certain de minimis standards and militaristic features. Indeed, given that kinetic force was never the defining feature of ‘armed’ force (just look at biological and chemical weapons), and that the Nicaragua decision included indirect methods of warfare under article 2(4), there seems to be little reason to cling to strict, conventional concepts of physical force and effects. Put another way: if we imagine that the Americans had dropped a bomb in Iran, which destroyed Iranian hardware in a way that degraded their military capabilities similarly to the present case, this would surely be use of force. The same, I believe, would be the case if, say, a canister of gas was released, which through a chemical reaction damaged metals and wires in Iranian hardware, thus destroying it and thereby degrading Iranian capabilities.
While the immediate effect in this case would be physical, the important element seems rather to be the broader effect of the attack: the actual degrading of capabilities. The same seems true with cyberattacks, where digital means are used to, essentially, change 1’s and 0’s in software in order to reach similar results. While one could frame this digital approach as having a third kind of ‘physical’ effect – the damage done to a hard drive through the manipulation of its magnetic polarity, for example – I believe that the strict physicality of the immediate effect, while clearly important, can hardly be decisive. The broader effects of an attack should be considered too, physical or otherwise.
While a bit non-committal on the issue, this seems to be a perspective acknowledged by the International Group of Experts behind the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. So, if a cyberattack only results in ‘non-physical’ damage, as is apparently the case in the present situation, a more thorough examination is warranted – and for this purpose, the Tallinn Manual notes a pertinent method for doing so.
Examining the American cyberattack
In Rule 69 of the Tallinn Manual, the experts employed a conventional approach to defining use of force within the cyber domain, relying on the scale and effects of attacks. Acknowledging, however, that this approach did not resolve the difficult question of ‘non-physical’ damage, the experts took notice of an approach that was originally developed by Michael N. Schmitt. This approach aims to determine the likelihood that States will characterize a cyberattack as use of force and thus provides a useful tool for present purposes: to conduct a prima facie assessment of the US’ aim of staying “well below” legal thresholds of war. On this basis, elements such as the severity, immediacy, directness, invasiveness, measurability, military character, state involvement, and presumptive legality of international conduct should be examined.
Going through these criteria, it seems reasonable to conclude that their application points towards classifying the US cyberattack as use of force. Specifically, in terms of the severity, invasiveness, State involvement, and military character of the attack, it is noteworthy that it was conducted by a US military unit (US Cyber Command) against Iranian military assets, which were apparently critical to Iran’s capabilities in the Hormuz Strait, and that the attack deleted or made unavailable information and took computer systems – including military communications networks – offline for several months. Additionally, in terms of the immediacy and directness criteria, the effects of the attack seem to have occurred immediately and with direct causality between the attack and the harm done. Furthermore, the harm seems clearly measurable in the sense that there has been significant publicity about the target and effects of the attack. Finally, the militaristic nature of the attack seems to dispense with the presumptive legality issue. As such, this method points towards finding a use of force.
Whether or not one finds the above method persuasive, it seems clear that at least a plausible prima facie case can be made that the US attack constituted use of force. In other words, it seems reasonable to conclude that when a military unit from one State (the US) conducts a cyber operation against a military unit from another State (Iran), which degrades the latter’s military capabilities for a significant amount of time, this could plausibly amount to use of force under article 2(4) of the UN Charter – even though no ‘physical’ damage is done. At this point in time, however, no one can say so authoritatively. Still, given that the goal of the US was to “stay well below the threshold of war”, it seems the US fell short of its goal.