Cyber & Technology

The Legal Context for CYBERCOM’s Reported Operations Against Iran

By Robert Chesney
Monday, June 24, 2019, 4:25 PM

Following news that Iran shot down a U.S. Navy Global Hawk—an unmanned surveillance aircraft—the Trump administration came close to ordering a responsive set of airstrikes but ultimately elected not to do so. Then we learned (first from Yahoo! News and then with key details supplied by the Washington Post and New York Times) that this was not the complete story: U.S. Cyber Command (CYBERCOM) had proceeded to conduct one or more operations against Iran in the cyber domain. Details remains sparse, and so the analysis that follows is necessarily subject to revision as more emerges. That said, my aim is to place the available information in legal and policy context.

1. What Exactly Happened?

For starters, it is critical to bear in mind that this news did not emerge against a backdrop of ordinary, peaceful relations. I don’t mean just the most recent and public episodes (i.e., Iran shooting down the Global Hawk and allegedly setting off mines on tankers), though of course they loom large. I mean something that is probably obvious to most readers: The United States and Iran have had a hostile relationship for a very, very long time, and a catalogue of the actions involved—particularly those taking place in the shadows—would take a long time to compile. Drawing lines to separate one episode from the next, in this setting, is a rather arbitrary exercise.

Let’s focus here simply on the most recent events, from the point of view of the claims made by the U.S. government. As far as the U.S. government is concerned, Iran recently launched unprovoked kinetic attacks (in the form of mines) on foreign-flagged tankers moving in international waters and then followed that up by attacking and destroying a U.S. Navy aircraft in international airspace (though they claim it was in Iranian airspace). All this is said to occur, moreover, against the backdrop of claims that Iran is accelerating its already-substantial campaign to damage public and private U.S. computer systems through ransomware and wiper-style attacks. Understandably, the destruction of the U.S. aircraft loomed especially large and apparently brought President Trump quite close to ordering airstrikes. In the end he refrained, but we soon learned that CYBERCOM—at about the same time—may have conducted a set of operations in the cyber domain intended to destroy the functionality of certain systems associated with the Iranian Republican Guard Corps (IRGC).

The initial report from Yahoo! News indicated that the CYBERCOM operation was prompted specifically by the Iranian attack on the tankers, writing that the operation targeted an IRGC-related organization “that supported last week’s limpet mine attacks on commercial ships.” And though the report was noncommittal regarding the precise functionality of the systems CYBERCOM apparently had targeted, it did emphasize that the organization in question “has over the past several years digitally tracked and targeted military and civilian ships passing through the economically important Strait of Hormuz.” Follow-up reporting from the Washington Post confirmed that the tanker attacks were the original prompt for the operation but added a critical detail that suggested the operation’s scope became broader in the end in light of the attack on the Global Hawk: The operation was intended to “disable[] Iranian computer systems used to control rocket and missile launches.” And the New York Times further clarified the plans, expressly asserting that there were multiple operations, including efforts both to target and disrupt the systems of the group associated with the tanker attacks and to do the same in relation to “computer systems that control Iranian missile launches[,]” echoing earlier New York Times reporting on the use of cyber means to disrupt North Korean missile capabilities at the left-of-launch stage.

2. Is This an Example of “Defense Forward” and “Persistent Engagement”?

Yes and no.

When CYBERCOM embraced the “defense forward” and “persistent engagement” frameworks, it excited a great deal of commentary (here’s an earlier post from me on the topic, if the phrases are not familiar to you), not to mention a great deal of anxiety in some quarters. The phrases certainly do herald an intent for CYBERCOM to operate in foreign networks much more readily than in the past, and so it is understandable that the phrases to some extent have become a tempting shorthand for all out-of-network operations that CYBERCOM might perform. It certainly fits if we are talking about efforts by CYBERCOM to establish access into other systems in order to monitor adversary cyber activities from within and, on some occasions, to disrupt those activities at their source or en route. Whether the labels precisely map on to other scenarios, such as holding at risk at least some aspects of Russia’s electrical grid, or the anti-IRGC and anti-missile operations described above, is less clear to me. One might argue that defending forward and persistent engagement are, at their core, concerned with the ability to head-off hostile cyber operations at their source, whereas out-of-network cyber operations conducted for other purposes—whether deterrence, as in the Russian case, or to achieve direct operational effect, as in the case of Iranian missile launch capability—is a separate (though of course very important) matter.

It’s possible that CYBERCOM itself also understands these phrases to have broader application. At any rate, I’m doubtful that much turns on this particular categorization question in practice. The important questions concern other labels. Let’s turn to those.

3. Could Affirmative Domestic Authority Be Invoked for These Operations?

Writing recently about reports claiming that CYBERCOM has malware in place to hold at risk at least parts of the Russian electrical grid, I provided an analysis of recent statutory changes that appear to provide affirmative legal authority in U.S. law for CYBERCOM to conduct such operations (specifically, Section 1642 of last year’s National Defense Authorization Act). Could the same authority be invoked here?

It’s complicated. Section 1642 can be used only in relation to certain states, but Iran is on that shortlist. So far, so good. Section 1642 also requires that there be “an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace,” including (but not limited to, critically) attempts to impact our political processes. Iran certainly could be said to be engaged in such a cyberspace campaign against U.S. entities (see here for the Department of Homeland Security’s assertion on this point), so this condition seems met as well. But what follows? Section 1642 in these circumstances authorizes CYBERCOM to “take appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter such attacks.” So, the table is set for CYBERCOM to conduct operations to disrupt Iranian cyberattacks, and quite clearly in my view. But that does not seem to be what the CYBERCOM’s reported operations against Iran concern. As noted, the operations appear to be designed to (1) disrupt missile command-and-control and (2) disrupt the functionality of the IRGC component that gathers intelligence (or perhaps conducts operations?) on international shipping and foreign warships near Iran. Section 1642 does not apply to the former at all, and it would be quite a stretch for the latter.

It is not necessary, however, for CYBERCOM to turn to Section 1642 for domestic law authorization to carry out these activities.

Particularly in light of Iran’s destruction of a U.S. Navy aircraft, it seems to me that CYBERCOM operations to disrupt Iranian missile-launch capabilities fall squarely within the president’s Article II authority, at least insofar as the operations are proportional in scope to a demonstrated and ongoing threat. And lest there be any doubt that the Department of Defense may conduct cyber operations when appropriately ordered by the president to do so, 10 U.S.C. § 394 makes clear that cyber domain operations are within the department’s scope (even if conducted on a clandestine basis).

What about the seemingly-separate operation to disrupt unspecified systems associated with the IRGC unit that provided intelligence (and perhaps other) support for the recent mine attack on foreign-flag tankers? This one is a bit more complicated (especially since the details remain scarce), but in my opinion, the operation also falls within the president’s Article II authority. The nature and effect of the operation appear to fall far, far below the threshold of “war” or “hostilities” that would warrant hard debates about the separation of war powers and the War Powers Resolution, even without embracing the quite-robust conception of executive branch discretion on both dimensions that the Obama administration championed in relation to the extended use of airstrikes in Libya in 2011.

4. Should This Activity Be Categorized as Title 50 “Covert Action”?

That used to be a very interesting question, but not anymore. Last year’s National Defense Authorization Act put an end to such debates, requiring such CYBERCOM activity to be treated instead as “traditional military activity” exempt from the Title 50 definition of covert action. There still are multiple reporting requirements by statute, but they run through the congressional armed services committees rather than the House and Senate intelligence committees.

5. What About International Law?

There are good analyses of the international law questions raised by a potential kinetic U.S. response here by Ashley Deeks and Scott Anderson and here by Mike Schmitt. What about the parallel CYBERCOM operations we now have been told actually occurred? I will offer a cursory, first-cut analysis before concluding this already-too-long post.

Any engagement with this question is greatly complicated by the factor I noted at the outset of this post: Iran and the United States have been engaged in gray-zone conflict for a very long time, and it is indeed somewhat arbitrary to begin the analysis with the events of the past week or so. Still, if we do that, the analysis might go something like the following: First, the U.S. government might well argue that both aspects of the CYBERCOM operations fall below the level of a “use of force,” mooting the U.N. Charter Article 2(4) question and removing the need to conduct an Article 51 self-defense or collective-self-defense argument. Second, the U.S. might argue in the alternative that the CYBERCOM operation relating to the missile attack is a necessary and proportional self-defense response to an armed attack and that the operation involving the IRGC entity that attacked the tankers is a necessary and proportional matter of collective self-defense (though this would require a request for assistance by the impacted flag states, which so far have been silent). Third, the U.S. government would likely claim that there is no further need for a separate “sovereignty” analysis apart from the Article 2(4) “use of force” analysis but also that any such concern would be adequately satisfied by a countermeasures claim.

6. What Comes Next?

Not surprisingly, it seems we are likely to have more such operations in the near future. We likely are in for an extended period of mixed-domain, escalation-management games as the United States and Iran each seek maximum leverage without tipping over into overt, traditional conflict.