MCLE Cover LJ.Indd

PANEL 2
Thresholds & Technologies: Internet & Information

Punching on the Edges of the Grey Zone: Iranian Cyber Threats and State Cyber Responses

by Colonel (Retired) Gary Corn
February 11, 2020

The recent escalation in hostilities between the United States and Iran has raised intense debates about the propriety and legality of both parties’ uses of lethal force. These debates highlight the murky and dangerous terrain of grey-zone conflict, the attendant legal ambiguities, both domestic and international, and the risks inherent in aggressively pressing grey-zone strategies up to and across recognized lines set by the U.N. Charter. Be those debates as they may, one thing seems clear. Despite the temporary pullback from open hostilities, Iran will continue to press its grey-zone strategy through asymmetric means, of which malicious cyber operations are likely to constitute a core component. The need to not just prepare for, but actively counter Iran’s ability to execute cyber operations is, as a result, squarely on the table. So too are the difficult questions of how international law applies in the current context and should inform U.S. options.

This reality provides an important backdrop to assessing Chatham House’s recent foray into the debate arena over how international law should govern cyber operations below the use-of-force threshold. In this article, I scrutinize Chatham House’s report on the international law rule of non-intervention and the principle of sovereignty.

Iran’s Strategic and Tactical Posture

The Iranian cyber threat is nothing new. Since at least 2012, Iran has employed near-continuous malicious cyber operations as a core component of its grey-zone strategy of confronting the United States. It has conducted operations ranging from multiple distributed denial of service (DDOS) salvos against US banks to destroying company data in an operation against the Sands Casino, not to mention a number of substantial operations directed against targets throughout the Middle East. Well before the current crisis, the US Intelligence Community identified Iran as a significant cyber threat actor with the capability and intention to at least cause localized, temporary disruptive effects, and assessed that it is actively “preparing for cyber attacks against the United States and our allies.” And as these assessments make clear, the Iranian threat is not limited to cyber effects operations against data and infrastructure. In true copycat fashion, Iran is also positioned to engage in online influence and election interference operations a la Russia.

Given this background, it is no surprise that many, like my colleague Paul Rosenzweig, have warned that hostile Iranian cyber operations are likely in the offing. The recent step back from the dangerous escalation of open hostilities that culminated in the strike on Soleimani and Iran’s retaliatory missile strike is at best a strategic pause, and more likely a return to the pre-existing, if not an escalated, grey-zone conflict in which asymmetric cyber operations form a key component of Iran’s modus operandi. Indications are that Iran has stepped up its cyber reconnaissance activities since the strikes, and some predict it may conduct a substantial cyber operation to exact revenge or send a message.

United States Strategy and Tactical Posture

And so although the threat is not new, it is now more acute and brings into sharp focus key aspects of the shift in U.S. cyber strategy over the last several years, with its emphasis on persistence and proaction—in particular the concepts of defending forward and persistent engagement. As these strategies and the Command Vision for U.S. Cyber Command make clear, addressing cyber threats such as the one emanating from Iran may require “defend[ing] forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” As anyone with even a passing understanding of the strategic and operational environment of cyberspace knows, the effectiveness of counter-cyber operations will often depend on speed and surprise. Further, the ability to “[i]dentify, counter, disrupt, degrade, and deter” adversary cyber capabilities and operations will often require interaction with globally distributed, adversary-owned or illicitly controlled infrastructure. From the perspective of international law, this implicates not only the rights and obligations of the two states involved, but potentially those of third-party states, for example, those in whose territory adversary-controlled infrastructure resides.

Orientation to International Law

Accounting for the nature of the threat and the particulars of the domain is essential to assessing how international law applies in the cyber context, especially to cyber operations conducted below the use-of-force threshold, and how states are likely to approach these issues. In the final analysis, states and states alone are the authors of international law, and they will form views about how the law applies mindful of these realities; realities that will grow increasingly more challenging with the inevitable introduction to cyber arsenals of artificial intelligence, automation, and machine learning. Determining the legal basis for any specific operation aimed at countering or disrupting cyber threats is complex and highly fact specific, and in the absence of clear state practice and opinio juris, general claims to customary rules broadly proscribing states’ response options should be viewed with caution.

Chatham House’s Report and Recent State Pronouncements on International Law

With its recently released report titled “The Application of International Law to Cyberspace: Sovereignty and Non-Intervention,” Chatham House has weighed in on important debates about how international law applies to states’ conduct of cyber operations below the threshold of a use of force and outside the context of armed conflict. Focusing on the principle of sovereignty and the rule of prohibited intervention, the report concludes with an overarching recommendation that, given conflicting state views over the normative status of the principle of sovereignty and uncertainties about how it applies in the cyber context, states are better off approaching the regulation of malicious cyber activities through the prism of the customary international law (CIL) prohibition on intervening in the internal affairs of another state.

To a certain extent, this is sound advice. The CIL foundations of the non-intervention rule are much firmer and the rule has the potential to address aspects of foreign influence efforts in ways that the purported sovereignty rule would not. Considering the unprecedented scope, scale, and depth of malicious foreign interference campaigns that cyber capabilities now enable, advocating against overly narrow articulations of the non-intervention rule has resonance. But ultimately the recommendation rests on the report’s argument that the rule of prohibited intervention is broader in scope than generally understood, and so it would do much of the same work as the sovereignty rule. However, it is unclear whether the report is arguing a good faith interpretation of existing law or urging states to evolve the rule of prohibited intervention to broaden its ambit in the cyber context. Ultimately, states will have to determine the best role the non-intervention rule can play in addressing foreign interference, and hence the rule’s acceptable parameters. At present, it is simply unclear.

The report’s preference for approaching the regulation of malicious cyber operations through the lens of prohibited intervention is also premised on the recognition that there is disagreement among states, at least those that have opined publicly, over the normative status of the sovereignty principle, and virtually no agreement as to a definable set of criteria for determining what cyber operations would run afoul of a professed sovereignty rule. As the report correctly notes, overstatements about the principle of sovereignty not only crash head on with the reality of ubiquitous state practice, but “as such could increase the risk of confrontation and escalation” since violations of international law give the affected state the right to take countermeasures—actions that are otherwise unlawful—in response.

Unfortunately, and in spite of acknowledging the divergence of states’ views on the sovereignty question, the report throws its weight on the debate scale in favor of the sovereignty-as-a-rule camp. In this regard, its arguments are neither novel nor availing, and its effort to better define the internal content of a sovereignty rule adds little clarity. More on that below, but first, a little more on the rule of prohibited intervention.

Prohibited Intervention

Russia’s ongoing and concerted campaign to interfere in the elections of numerous democratic states, sow dissension, and undermine democratic institutions more broadly is by now evident and has provided a blueprint for other states like Iran seeking to challenge the existing order and weaken Western democracies. The targets of these efforts have struggled to come up with effective responses, due in no small measure to the legal and policy ambiguities surrounding these sub-use-of-force, grey-zone operations. States like Russia and Iran are not so much engaging in novel behavior as much as engaging in traditional, albeit adversarial, statecraft through technologically new means and methods. It is the qualitative and quantitative difference in impact that
