Is counter-attack justified against a state-sponsored cyber attack? It’s a legal grey area

The US has charged and sanctioned nine Iranians and an Iranian company for cyber attacks. Parmida Rahimi/Flickr, CC BY-SA

On March 23, the US Department of Justice commenced perhaps the largest prosecution of a state-sponsored cyber attack. It indicted nine Iranians for carrying out:

a coordinated campaign of cyber intrusions into computer systems belonging to 144 US universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies … [and] the United Nations…

At least 31.5 terabytes of data was allegedly stolen and Australian universities were targeted, although specific institutions are not named.

History suggests that this response is unlikely to deter future attacks, and that counter-attacks are a more effective strategy. But would it be justified? Current international law focuses on armed attack, not cyber attack as a justification for state action taken in self-defence.

As cyber attacks become more common, international law needs to clear up this grey area.

How they did it and what was taken

The indictment alleges that defendants Gholamreza Rafatnejad and Ehsan Mohammadi are founders of Mabna Institute – an organisation established for the purpose of scientific espionage. Mabna is alleged to have contracted with Iranian governmental agencies (including the Islamic Revolutionary guard) to conduct hacking on their behalf.

Read more: Following the developing Iranian cyberthreat

The defendants allegedly engaged in a conspiracy to compromise computer accounts of thousands of professors to steal research data and intellectual property, costing the US approximately US$3.4 billion. They allegedly conducted surveillance and sent professors targeted “spearphishing” emails to lure them into providing access to their computer systems.

Valuable data was transferred from the compromised IT systems to the hackers, according the the indictment. Over 100,000 professors were apparently targeted and approximately 8,000 email accounts compromised.

Private companies were also targeted – none Australian – via “password spraying”, said the US Department of Justice. This is a technique whereby the attacker identifies the email accounts of a target via public search and gains access to the account using common or default passwords.

Prosecution is an insufficient response

The defendants are charged with committing fraud and related activity in connection with computers, conspiracy, wire fraud, unauthorised access of a computer, and identity theft. Each charge carries a prison sentence ranging from two years to 20 years.

The prosecution is a necessary, but insufficient response to these cyber attacks.

The defendants are based in Iran and are unlikely to be brought to justice. Previously, US prosecutors have charged Iranian hackers with attacks against financial institutions and a dam in New York to no avail.

And hacking has escalated – the US accused Russia of compromising the US electricity grid and attacks against other countries are also alleged.

Counter-attack a better deterrent

Rogue states such as Iran, Russia, and North Korea are only likely to be deterred against conducting cyber attacks if their targets have robust self-defense and counter-attack capabilities. However, the legal status of cyber attacks and the appropriate responses are not clear in international law.

Under the UN Charter, states have an obligation to refrain “from the threat or use of force against the territorial integrity or political independence of any state”. Crucially, states possess an “inherent right of individual or collective self-defence if an armed attack occurs”.

Read more: Cybersecurity of the power grid: A growing challenge

The key questions then are whether a cyber attack amounts to a “use of force”, whether hacking attributable to a state amounts to an “armed attack”, and if a cyber attack violates “territorial integrity”. Traditionally, international law has answered these questions with reference to acts of physical violence – conventional military strikes.

It’s likely that a large scale cyber attack against a state that has physical consequences within its territory may be characterised as a “use of force”, and may violate “territorial integrity” under the charter. For instance, attacks that turn self-driving cars into weapons, knock out nuclear stations or paralyse the power grid might reach this threshold.

But what if the attack is designed to sow confusion or generate internal discord, such as in the case of Russian hacking of the US election? Or attacks directed beyond a particular country? This is a harder question and not settled currently. Similarly, it’s not certain that even large scale hacking would rise to the level of an “armed attack”.

Precedent in international law

In 1984, Nicaragua brought proceedings against the US in response to American support for the Contras (rebels fighting the government). In that case, the International Court of Justice (ICJ) opined that armed attack might also include:

the sending by a State of armed bands on to the territory of another State, if such an operation, because of its scale and effects, would have been classified as an armed attack had it been carried out by regular armed forces.

Crucially, the ICJ underlined the principle of non-intervention:

Intervention is wrongful … [using] methods of coercion, particularly force, either in the direct form of military action or in the indirect form of support for subversive activities in another State.

Based on the Nicaragua case, if a cyber attack has sufficient “scale and effects” it may amount to an armed attack. More importantly, if the attacks are attributable to a state (in this case the Islamic Revolutionary Guard) – or are within its overall or effective control or direction – it would appear that the armed attack would give rise to the right to self-defence.

Read more: Cyber peacekeeping is integral in an era of cyberwar – here's why

However, this may be difficult to establish in practice – there may not be sufficient evidence connecting the hacker to the state to show control, and hence attribution.

So, what are the permissible self-defence responses under international law? Could the US launch military strikes against Iran or Russia for these incidents if they are found to be behind these attacks? The legality of such strikes is not clear even though the US might claim such status.

The international community should set bright line rules on this matter before an expansive reading of self-defence triggers war. The NATO Cooperative Cyber Defence Centre of Excellence’s Tallinn Manual 2.0 is a start, but a binding instrument is needed. John Bolton’s appointment as US President Donald Trump’s National Security Advisor makes this an urgent priority because a military strike in response to the next major cyber attack is a realistic prospect.