Noteworthy Releases of International Cyber Law Positions—PART II: Iran

Last week, Iran’s Armed Forces released its “Declaration of General Staff of the Armed Forces of the Islamic Republic of Iran Regarding International Law Applicable to the Cyberspace.” Noting that the military has a “mandate…under the command of the Supreme Leader” to deter hostile cyber operations and defend the nation against them, the Declaration asserts that Iran does “not initiate any conflict in cyberspace” and that the legal policy expressed in the instrument is the “framework for [its] actions in confronting any threat in cyberspace.”

This article deconstructs and assesses the General Staff’s legal positions, which are more granular than earlier Iranian statements, such as its 2019 submission to the UN’s Open-ended Working Group on cyber.

By way of background, the suggestion that Iranian operations are purely defensive is clearly counter-factual. Iran has conducted hostile cyber operations such as the 2012 cyber-attack on Saudi Aramco for years, and continues to do so today (see here and here). Its cyber activities are well-organized, with a Supreme Council of Cyberspace that coordinates the nation’s offensive and defensive operations. The Islamic Revolutionary Guard Corps oversees offensive cyber operations. Within the armed forces the Cyber Defence Command conducts them, as does a paramilitary force, the Basij Cyber Council. And the nation regularly turns to proxies to conduct hostile cyber operations. Of course, Iran itself has been the target of cyber operations, most notably Stuxnet, but more recently the 2019 U.S. operations in response to the downing of a U.S. drone and attacks on Saudi oil facilities.

Operational reality aside, the views expressed by the Iranian General Staff are significant. The resolution of the many unsettled issues of international law’s application in the cyber context depends not only on the cyber practices of States, but also on the accumulation of a critical mass of interpretative positions as to how the rules apply. The Declaration is of particular influence because previous legal statements on the subject that have garnered the most attention have been issued by Western States, such as Australia, France (see here, here, and here), the Netherlands, the United Kingdom, the United States, and, jointly, NATO member States.

The Declaration is composed of only a preamble and four articles. Although the legal points are made somewhat inelegantly (partially as a result of poor translation), they focus on three topics that are currently of particular interest among States—sovereignty, intervention, and the use of force. The Declaration also cites other legal rules and principles, including good faith, jurisdiction, aggression and self-determination, albeit without discussing them. Interestingly, in light of its issuance by the General Staff, it makes no mention of international humanitarian law—an omission that likely reflects international disagreement over referring to that body of law in the cyber context.

Article I: General Points

Article I sets forth the Iranian Armed Force’s purported approach to cyberspace. It begins with the uncontroversial observation that cyberspace is a commons that should be accessible to all States pursuant to the legal principle of sovereign equality, reflected in the UN Charter, Article 2(1). Along the same lines, it emphasizes the need for States to act responsibly in cyberspace, albeit cautioning that States “have common but different responsibilities because of resources and technologies available for each state.”

Presumably, that statement is meant to confirm Iran’s support for the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications’ so-called “voluntary norms of responsible state behavior.” As an example, the 2015 GGE Report (endorsed without objection by the General Assembly) observed that responsible States should take measures to protect their critical infrastructure and avoid activities that endanger that of other States. Whether or not Iran operates in accordance with this and other such norms, it is encouraging that the General Staff at least expresses fidelity to them. This thereby opens the door to international condemnation should Iran act “irresponsibly.

Article II: Sovereignty

Article II addresses the topic of sovereignty, one that has bedeviled Western legal unity. As discussed in Part I, the United Kingdom is of the view that there is no rule of sovereignty in international law. According to this position, a cyber operation mounted by one State into another never violates the latter’s sovereignty. Every other nation that has taken a public stance on the issue takes the opposite view. For most States, their focus is on identifying the threshold at which a cyber operation violates sovereignty, not the existence of the rule itself. The Iranian General Staff unambiguously adopts this latter position, observing that “the sovereignty of states is not an extra-legal matter.”

While most States that have spoken on the issue at least consider cyber operations that cause injury, illness, or damage (including the loss of the targeted infrastructure’s functionality) to be violations of international law, the General Staff goes further. It opines that cyber operations having either physical or non-physical consequences that threaten national security violate sovereignty. And it casts that net broadly by suggesting that the threat may result from “political, economic, social, and cultural destabilization.” Indeed, the Declaration asserts, “Any utilization of cyberspace if and when [it] involves unlawful intrusion to the (public or private) cyber structures which is under the control of another state, maybe constituted as the violation of the sovereignty of the targeted state [sic].”

This is as far as any State has gone in interpreting the obligation to respect the sovereignty of other States in the cyber context. The closest analogue is that of the French Ministry of the Armies. In a 2019 statement on international law and cyberspace, the Ministry declared that “Any unauthorised penetration by a State of French systems or any production of effects on French territory via a digital vector may constitute, at the least, a breach of sovereignty.” Thus, whereas the Iranian General Staff approaches sovereignty from the perspective of intrusion, the French Ministry of the Armies does so from both the perspective of intrusion into government cyber infrastructure and the causation of effects. The two positions need to be more fully mapped, but in practice their application is likely to prove a distinction without much difference.

Article II concludes by asserting,

… the sovereignty of states is subject to the principle of equality and the sovereignty of any state is not above the sovereignty of the other states. Therefore, any limiting and freezing measure, including sanctions, constitutes the violation of the sovereignty of independent states because of not respecting the sovereignty of target states.”

This is going too far. Of course, States are subject to the principle of sovereign equality. But that principle does not render asset freezes or many other sanctions sovereignty violations. Such activities occur outside the target State territory and generally do not interfere with its “inherently governmental functions.” Thus, the two bases generally understood to animate the obligation to respect sovereignty (Tallinn Manual 2.0, Rule 4) are absent. Instead, most sanctions are acts of “retorsion,” which, albeit unfriendly, are not unlawful under international law. Self-evidently, the General Staff’s characterization reflects the fact that Iran has long has been the subject of multilateral and unilateral sanctions.

Article III: Intervention

Article III addresses the prohibition on intervention into the internal or external affairs of other States. The existence of this rule is uncontroversial. It has been recognized in both the 2013 and 2015 GGE reports and appeared in most articulations of State views on international law in cyberspace (see, for example, the 2020 DoD General Counsel’s remarks). As is correctly noted in the Declaration, “The principle of non-intervention, without any doubt, is an independent principle of customary international law.” Nor is there disagreement over the two constitutive elements of the violation: (1) coercion with respect to (2) the target State’s internal or external affairs (domaine réservé) (see Tallinn Manual 2.0, Rule 66). The General Staff reflects both when it states,

All explicit and dainty forms and complicated techniques of duress, overthrow, and outrage (whether Cyber or non-cyber) [i.e., coercion] to intrigue in the political, social, or economic order of other states or destabilizing governments seeking liberalization of their own economic, political and cultural system form control [i.e., intervention as described in the Nicaragua judgment, para. 205] or intervention of foreigners, is unlawful.

The challenge is determining where to draw the line between influencing and coercing another State, as well as identifying activities that fall within a State’s domaine réservé. Some cases are clear. The Declaration cites two paradigmatic ones: forceful regime change—as recognized by the ICJ in its Nicaragua judgment—and cyber manipulation of elections—which is also the example proffered by, among others, the experts who authored Tallinn Manual 2.0 and which governments, including the United States and United Kingdom, tend to cite.

However, other examples of intervention pointed to within the Declaration are questionable. It labels “engineering the public opinions on the eve of the elections” as “gross intervention.” Similarly, “paralyzing websites in a state to provoke internal tensions” and “sending mass messages in a widespread manner to the voters to affect the result of the elections” are characterized as “forbidden intervention.” Depending on how such operations are carried out and their precise consequences, they might constitute either intervention or a violation of sovereignty, or both. But the sweeping characterization of them as unlawful goes well beyond the prevailing understanding of intervention. It is not intervention to merely try to sway voting behavior in another country, even when doing so proves effective. Rather, the manner in which it is done—as in supporting one candidate online (not intervention) or using technical means to block the electoral messaging of another candidate (intervention)— determines the legal characterization of the activity. The General Staff’s examples are particularly interesting in light of U.S. allegations that Iran will join China and Russia in attempting to influence the 2020 Presidential elections.

Finally, the General Staff argues that “Any measure resulting in impediment, denying, and or restricting operation of signals and means of information transfer and providing control systems and exercising the sovereignty of the state is regarded as unlawful.” The scope of this assertion is difficult to discern. It is intervention to impede or block (coerce) cyber communications in an effort to deprive a State of its ability to conduct (or force it to conduct) activities that fall within its sovereign prerogatives, such as interfering with the ability of the State to engage in crisis management during a pandemic. But merely interfering with cyber communications is not intervention. For instance, the activity may be criminal or malicious, rather than designed to coerce, or it might not fall within the domaine réservé, as with conducting cyber operations meant to compel the target State’s compliance with human rights obligations.

Article IV: Use of Force

The final article, Article IV, deals with the “use of force.” UN Charter Article 2(4) and customary law prohibit uses of force unless they have been authorized by the Security Council under Chapter VII or amount to acts of self-defense pursuant to Article 51 and customary international law in the face of an “armed attack.” It is universally accepted that some cyber means may amount to uses of force (see 2015 GGE Report). In that all armed attacks under Article 51 are uses of force, the right to self-defense can be activated by means of a cyber use of force of sufficient severity (see Tallinn Manual 2.0, Rules 69 and 71). Likewise, an armed attack, whether cyber or non-cyber in character, may be responded to by a cyber operation at the use of force level.

Interestingly, the General Staff adopts a fairly restrictive position as to when a cyber operation qualifies as a use of force.

… certainly, those cyber operations resulting in material damage to property and/or persons in the widespread and grave manner and or it logically is probable to result in such implications constitutes use of force. Should such operations affect the vital national infrastructures, including defensive infrastructures—whether owned by the public or private sector—they shall violate the principle of the non-use of force.

Although the possibility that Iran might characterize a cyber operation that is neither destructive nor injurious—or a destructive or injurious operation that affects aspects other than vital national infrastructure—as a use of force is not ruled out, the text appears to set a high threshold.

By contrast, the general trend is in the other direction. The French Ministry of the Armies, for instance, has cautioned,

France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force. In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list. For example, penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France, could also be deemed uses of force.

For its part, the Netherlands raised a question that is at the forefront of use of force threshold discussions when it observed in 2019 that “at this time it cannot be ruled out that a cyber operation with a very serious financial or economic impact may qualify as the use of force.”  And increasingly, States are adopting an approach first proffered by the Tallinn Manual 2.0 experts. This approach suggests that such operations are judged by their scale and effects, rather than simply the nature (destructive or injurious) of the consequences (Tallinn Manual 2.0, Rule 69). As noted in Part 1, this is NATO’s approach, and is one also adopted by non-NATO States like Australia.

As to the right to self-defense, the Declaration notes that the “right to self-defense shall be reserved if the gravity of the cyber operation against the vital infrastructure of the state is reached in the threshold of the conventionally armed attack.” This formula seems to suggest that Iran adheres to the ICJ’s interpretation of self-defense as articulated in Nicaragua (para 191). There, the court distinguished between a use of force and an armed attack, holding that the latter was the “most great form[] of the use of force.”

Importantly, the United States has long taken the position that there is no distinction between a use of force and an armed attack (DoD Law of War Manual, section 1.11.5.2). By its interpretation, every cyber use of force equally qualifies as an armed attack to which it may respond forcibly by cyber or non-cyber means, subject to the conditions of necessity and proportionality.

Concluding Thoughts

The Declaration concludes with a warning that “the Armed forces of the Islamic Republic of Iran reserve the right to react to any threat at any level in a firmed and decisive manner if any of the policies included in the present instrument may be violated by any state, group, or any other person or entity supported, controlled or directed by any state.” In fact, international law provides a robust menu of response options that include acts of retorsion, countermeasures (see Articles on State Responsibility, Article 22), the plea of necessity (see Articles on State Responsibility, Article 25), and self-defense. Assuming a cyber operation directed against Iran satisfies the conditions precedent for taking such actions, a firm and decisive response by that nation would be lawful. By the principle of sovereign equality embraced so firmly by the Declaration, however, the same is true for any nation that is the object of qualifying Iranian cyber operations.

As to the General Staff’s legal positions, the sovereignty and intervention thresholds are low, whereas those for a use of force violation and triggering the right of self-defense appear fairly high. Although it is only speculation, a possible explanation is that Iran wants to be in a position to style operations directed against it as unlawful but is concerned that a low threshold for the use of force would open the door to a forceful cyber or non-cyber response by an adversary. In particular, the General Staff obviously understands the extent to which the United States enjoys asymmetrical advantages in both cyberspace and in terms of hard power. And it wants to avoid providing the United States any legal rationale that might justify the use of that advantage in response to hostile Iranian cyber operations.

***

Michael N. Schmitt is the G. Norman Lieber Distinguished Scholar at the United States Military Academy. He is also Professor of Public International Law at the University of Reading, Strauss Center Distinguished Scholar and Visiting Professor of Law at the University of Texas, and Charles H. Stockton Distinguished Scholar-in-Residence at the United States Naval War College.