On Iran and Pre-Emptive Cyber Attacks

Early in February of 2013, many news outlets came out with articles about the US Government having a ‘secret legal review’ on the use of its cyber-arsenal. This legal review concluded that the US government could launch a cyber attack against a threatening nation if the country needed to defend itself. Essentially it boils down to ‘legitimately’ having the power to order a pre-emptive cyber attack, even though only the President himself can authorise such an attack. As many nations are developing their own Cyber program, and some nations are very actively using cyber attacks to get a definite leg up, nobody really expected any other outcome. A very damning report by Mandiant on “APT1” recently emphasised yet again how professional and broad-scoped China’s cyber espionage apparatus has become, and the United States finds itself a major target in these operations. Even though this same report is heavily criticized by experts for having critical analytical faults, it is hard to deny that Cyber is still increasing in overall popularity on the world’s geopolitical stage.

Some say that this ‘right to strike pre-emptively’ is a warning shot across the bow of China, but it cannot be said that it is a timely revelation in any respect. After all, not having formally asserted this right to strike pre-emptively did not deter the cyber attack against Iran’s nuclear enrichment facilities in Natanz, which was devised during the Bush Jr. administration but was executed under Obama. A cynical view might take that to mean that not one, but two separate administrations had already asserted that right years before. Also, even though it was never confirmed officially, the Washington Post published an article in 2012 that claimed Flame, a piece of malware dubbed the successor to Stuxnet, was also developed by the US government years before, and launched against Iran in roughly the same period of time, also with the intent of slowing down Iran’s nuclear enrichment program.

What makes this all especially interesting is the recent publication of the Tallinn Manual on the International Law Applicable to Cyber Warfare, as commissioned by NATO’s Cooperative Cyber Defence Center of Excellence in Estonia. Its lead author, Michael D. Schmitt, is also a professor of international law at the US Naval War College in Newport. In a recent interview with the Washington Times professor Schmitt revealed that the collective of authors who worked on the Tallinn Manual were of the opinion that the Stuxnet attack was indeed an Act of Force. The reasoning: “Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force”. This is significant because it means that in the opinion of the world’s leading legal minds on Cyber Law (led by an American, no less), Iran has a legitimate legal reason to declare war against the United States. I should point out that the reverse is not the case, even if Iran is actively seeking nuclear weapons (which does seem likely, seeing as how it would level the geopolitical playing field for them).

Given the already volatile nature of the Middle East as a whole, you’d have to wonder if cyber weapons are a blessing or a curse. The threshold for their use seems to be significantly lower than for kinetic means, but this, in turn, may quickly give legitimate claim to escalate matters into the kinetic spectrum. Whatever else may happen, on this front it will be a most interesting decade.

Real Bullets for Digital Attacks

In May of last year, the US Government published its International Strategy for Cyberspace. The publication made some waves in the international community because in this document the US stated that military reprisals to cyber attacks were now officially on the table. More specifically, the US government stated that it ‘encouraged responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors and reserving the right to defend these national security and vital national assets as necessary and appropriate’ [emphasis mine]. This declaration of intent came after an ever increasing number of (detected) attacks on USG networks and systems. The development of cyber capabilities by governments worldwide is also likely to have influenced the situation.

Whatever the underlying political reasons for publishing such a loaded statement, the publication is clearly intended to deter would-be attackers and, as such, is more or less aligned with one of the RAND Corporation’s Monograph studies during Project Air Force on CyberDeterrence and Cyberwar (freely available PDF). In this lengthy publication by the hand of Martin C. Libicki, the subject of CyberDeterrence is extensively studied and described. He approaches the subject from so many angles that it would make you smile if you didn’t have to read it all to get to the end. One especially important aspect of this discussion is the much-debated problem of attribution. Since retaliation and the threat thereof are a large part of deterrence, knowing who to strike is of paramount concern. Libicki describes various scenarios such as striking back at the wrong target or not striking at all, and how every scenario has its own consequences. Suffice to say that if you, as an attacker, hide your tracks well enough (don’t forget the cyber intelligence aspect!), you won’t have many problems with retaliatory strikes. If you manage to implicate an innocent third party instead, you may even turn that into a distinct advantage. Considering that retaliation may now include kinetic attacks (bullets to bytes), it can be safely said that they have upped the proverbial ante.

You might be wondering what the point is of declaring retaliatory (potentially kinetic) attacks when every player in this field knows what the score is: No attribution – No problem. So why make a public statement about how you’re going to strike back if everyone knows it’s highly unlikely? Well, Libicki covers that too by describing the effects of not striking back, striking back silently, striking back publicly as well as not striking back publicly. I won’t copy/paste his work here, but reading between the lines I found that even though such a public statement is mostly a bluff, it is somewhat of a deterrent and it wins out over the downsides. Besides, and here is the succinct point of it all, declaring that you may use kinetic military options as a retaliatory measure doesn’t mean you are immediately obliged to actually do so.

In December of last year, the Dutch government was advised by the Advisory Council on International Affairs (AIV) (Dutch) to make a similar statement with regard to cyber attacks. If the Dutch government decides to take up the advice, The Netherlands will be in the same boat as the US when it comes to cyberdeterrence strategy. It doesn’t worry me. I feel that making such a statement to the world has more upsides than downsides and it shows backbone. When I, along with friend and fellow NCDI council member Niels Groeneveld, was asked to provide input to some of the questions the AIV was looking to answer, I found the discussion so interesting that I wrote several articles about it. See the “Questions from .GOV” series. I was happy to see that some of my input had been used, but it also more-or-less automatically disqualifies me from judging this advice. So I ask you: How do you feel?