Iran’s Right to Cyber Self Defense
In his weekly column in New Europe, Greg Austin examines the implications of the cyber attacks against Iran, which were designed to set back its nuclear program.
Many people heaved a sigh of relief when United States Secretary of State, Hillary Clinton, cited to CNN on 12 January 2011 a statement of the outgoing head of Israeli intelligence that a “combination of sanctions and covert actions have significantly slowed down the Iranian [nuclear] program”. This appeared to take the much vaunted (possible) military strike by Israel and/or the United States off the table as a near term risk. Yet, the covert action has not eased tension in the strategic confrontation. Risks of escalation have increased.
There were probably several elements to the covert action. The most well known is that sometime before September 2010, a country or countries unknown attacked Iran’s uranium enrichment systems using a cyber “weapon” (Stuxnet) that rendered up to 30 percent of the centrifuges unusable.
The cyber attack was an act of sabotage across state borders and therefore it was – prima facie – a breach of international law. Even if this were a declared war, Iran would have the right of retaliation for self-defense under international law if it could determine which state actor or actors were involved in the attack. This right is not diminished because of the sanctions resolutions of the UN Security Council.
Those states which oppose Iran’s nuclear program could hardly argue that a military attack by Iran against them was imminent, thus giving them a right, based on the principle of their own self-defense, to attack Iran’s nuclear infrastructure. (The assumed position of the perpetrator state or states would be that the attack was a justifiable act since Iran cannot be trusted to keep nuclear weapons – if it had them – out of the hands of terrorists.)
In January 2010, Hillary Clinton, laid out her country’s position on the unlawfulness of cyber attacks: “Countries or individuals that engage in cyber-attacks should face consequences and international condemnation," she said.
So who will punish the perpetrator(s) of the cyber attack on Iran? What actions of cyber self-defense by Iran would be permissible under international law? Retaliation is a time honored convention and recognized as lawful in certain circumstances under customary international law. There is considerable debate about what form retaliation might take, but proportionality is one of the main considerations. There are other considerations, such as absence of recourse to other measures, last resort and, where it applies, “hot pursuit” of the attackers.
Law aside, it is not unreasonable to imagine that some in the Iranian government are arguing for a cyber retaliation. According to some sources, Iran’s cyber warfare capability is in the hands of the Revolutionary Guards. Will Iran retaliate? What form might a cyber response take? If there was retaliation, it could represent an escalation of cyber conflict, and possibly provoke military clashes between Iran and the assumed perpetrator(s).
At the least, this widely-publicized offensive use of the “Stuxnet” cyber weapon may represent a turning point – is the “genie out of the bottle”? Does the use of stuxnet herald a period of uncontrolled tit-for-tat offensive cyber strikes for sabotage and economic disruption in an environment where there are no common international understandings for regulating cyber conflict. This is no longer simply a debate about a gap in international law that needs to be addressed to control conflicts that might arise. Offensive cyber operations are already occurring and on a large scale.
Iran is developing cyber warfare capability, like other major powers. Is its capability good enough to mount a damaging cyber strike in response to the Stuxnet attack? The answer according to some sources is yes. We can only hope that Iran’s leaders lead by example here, exercise restraint and disavow a cyber retaliation, or any retaliation for that matter.