In late March, Microsoft reported that it had taken down 99 websites which had been used by a company referred to as Phosphorus to target the computer systems of businesses and government agencies, as well as activists and journalists involved in advocacy and reporting on issues relating to unrest in the Middle East. Microsoft obtained a federal judge’s approval on March 15 to disable the websites that it detected and had been tracking for six years. Although multiple intelligence agencies and groups pointed to Iran as the culprit, the difficulty of attributing cyber-attacks and operations to particular state actors and the lack of international legal frameworks to deal with cyber issues make it highly likely that Iran will escape international condemnation.
To begin, effective attribution of attacks to state actors is difficult, complex, and highly time-consuming. Most hackers have the technical capability to cover their tracks extremely well and an attack, even if it can be connected to a computer or a facility, often cannot be connected indelibly to specific individuals or groups. Further, because the process of global investigation requires the investigator to follow official, and at times bureaucratic, legal channels to request assistance, investigations can end up being subordinated to political agendas or to the whims of particular states. Thus, while the ability to conceal the source of attacks does become eminently more difficult as the attacks increase in both sophistication and in scale, it is still possible for deception, deflection, and misinformation to make it unclear exactly who is responsible for cyber-attacks.
Even in seemingly clear-cut cases, there is often significant skepticism about the source of attacks. For example, after the Obama Administration pinned the 2014 Sony hack on the Democratic People’s Republic of Korea, a variety of academics and hackers expressed public skepticism, pointing to things like a seeming insider’s knowledge of Sony systems and the ability of IP addresses to be used across geographies as evidence that the DPRK was not the Sony hacker. This uncertainty was also present in a hack discovered by McAfee which spanned 72 networks globally, including the United Nations, governments, and corporations. In characterizing the source of this attack, an expert at the Center for Strategic and International Studies said that the attack was “very likely” undertaken by China, while the Chinese said nothing and the Defense Department said that “it is unknown who is perpetuating these intrusions,” although it is known that China has been pursuing similar capabilities. Even in cases with clear motives, state actors retain significant capacity for plausible deniability.
Another equally pressing issue regarding cyber warfare is the relative absence of international legal standards governing cyber actions. In February 2018, UN Secretary-General Antonio Guterres gave two speeches in which he argued that a lack of rules governing cyber warfare and cyber conduct constituted a global threat. While some sources have argued that international legal standards already apply to cyber warfare and conduct, the United Nations (“UN”) Group of Governmental Experts (“GGE”) on Developments in the Field of Information and Telecommunications in the Context of International Security stated in 2013 that “the application of norms derived from existing international law . . . is essential to reduce risks to international peace, security and stability.” Such derivation requires extensive debate, discussion and, eventually, agreement, and thus cannot be merely extrapolated from existing laws. Unfortunately, consensus has yet to emerge, as GGE talks broke down in 2017, leaving the international legal community without agreed-upon standards for applying existing international law to the cyber domain.
There is a set of guidelines derived from existing international law and generally accepted (at least implicitly) by Western countries – the Tallinn Manual. It is not followed by many countries, most notably Russia, due to the perception of Western bias in the manual itself. Russia has thus developed a similar, but not exactly parallel, set of standards based on the UN Charter, which specifically emphasizes respect for national sovereignty and non-interference.
Unfortunately, as there is insufficient evidence to support claims of a distinct customary international law rule of territorial sovereignty applicable to cyberspace operations, current norms remain insufficient to parse out the legal space in which cyber-attacks and warfare exist. Further, because the principle of sovereignty is differentially applied to different domains (land, sea, air, space), there would have to be legal consensus on how it applies to the domain of cyberspace before the principle could hold any legal weight.
The lack of easy, universal application of current international legal norms to cyber warfare is compounded by the tendency of powerful states such as Russia and the United States to use the development of cyber norms as a conduit by which to score policy wins. In October 2018, it was reported that “Russia [was] planning to submit two UN resolutions, one on a code of conduct to regulate states behavior in cyberspace and one on a new UN cybercrime convention.” The US, in response, publicly announced Russian complicity in multiple hacks, using this revelation to damage Russian progress on its resolutions. This oppositional approach has been consistent between the two countries, making it unlikely that any comprehensive international legal norms on cyber warfare will be agreed upon anytime soon.
In the absence of agreed-upon norms, rogue actors such as Iran and Russia will be able to use cyber warfare with relative impunity. For example, by exploiting the gaps in the existing international structure regarding cyber-attacks – the difficulty of attribution and the lack of international legal norms – Russia has been able to win significant strategic victories with very little pushback from the international community. In Estonia in 2007, in Georgia in 2008, and in Ukraine beginning in 2014, the Russian government used cyber weapons to attack infrastructure and to produce widespread confusion. Specifically, in Ukraine, there has been a significant number of attacks. On December 23, 2015, malicious actors opened breakers at some 30 distribution substations in the capital city Kiev and western Ivano-Frankivsk region, causing more than 200,000 consumers to lose power. Nearly a year later, another substation was rendered powerless. Explaining the Russian strategy regarding these sorts of cyber-attacks, Thomas Rid, a professor in the War Studies department at King’s College London, put it simply: “They’re testing out red lines, what they can get away with…You push and see if you’re pushed back. If not, you try the next step.”
Given the poor track record of the international community and the United States in responding strongly to Russian cyber-attacks, it seems highly likely that they will fail to respond politically to Iranian (and other state actors’) actions as well.
Evan Schleicher is an Editorial Intern with the International Enforcement Law Reporter. He is also an MA candidate in Security Policy Studies at George Washington University’s Elliott School of International Affairs.