The world shook at the news in early January that a US drone strike had killed Iran’s top military general, Qassem Soleimani, outside Baghdad’s airport. According to the Pentagon, the attack was conducted as a decisive defensive action at the direction of President Donald Trump to protect US personnel abroad.
There are widespread concerns that these events might fuel further conflict between the two countries. Considering the importance of information networks and cyberspace for our everyday lives, there is also concern that this conflict might not only take place in the physical world but could take the form of cyber-attacks. These could have serious consequences, particularly since Iran has demonstrated an increase in its cyber-capability in the past decade.
The most memorable cyber-attack between Iran and the US was the Stuxnet virus which infected Iranian uranium enrichment facilities and caused their centrifuges to malfunction in 2010. Although no country claimed responsibility, it is widely considered to be the work of state-supported US and Israeli experts.
At the moment, US cyberwarfare capabilities are multifaceted, organised and of a very high level. In October 2019, US officials told Reuters the US had launched a secret cyber-operation against Iran’s propaganda infrastructure following an alleged Iranian drone and missile attack on Saudi Arabian oil facilities.
On the other side, it was discovered in 2013 that Iranian hackers who allegedly perform work for the Iranian government had penetrated the computer controls of a small dam north of New York city. These same hackers also launched cyber-attacks against dozens of large financial institutions and blocked customers from accessing their accounts online.
In the current climate, Iran could consider using its cyber-attack capability as part of its retaliation for the killing of Soleimani. Acknowledging the possibility of a spate of cyber-attacks from Iran-affiliated parties, US Homeland Security warned US companies to consider and assess the possible impact such an attack could have on their business.
Contrary to these concerns, Iran’s capability to launch major cyber-attacks that could affect a large part of the US population has been downplayed by some cybersecurity experts. Others have argued that cyber-attacks might not be aggressive enough retaliation for Iran, which is more vulnerable than it is capable online.
It’s one thing to talk about cyber-attacks by hackers with a political or nationalist motivation – of which there has been a reported increase in the wake of Soleimani’s death. But it’s another issue altogether to talk about acts that are so forceful and monumental that they could amount to cyberwar.
Cyberwarfare is far more serious and could amount to taking control of critical infrastructure to disable military targets or seriously harm sections of the public. Acts of war involve states and relate to actions led by governments or military forces. But it’s often difficult to attribute a certain cyber-attack to a particular government. Attacks can be perpetrated at a distance and by hacker groups not openly employed by the government involved.
Under international law, countries can legitimately defend themselves if they come under armed attack – which could include an equally serious cyber-attack. The US has explicitly reserved the right to respond to cyber-attacks with military force. But the justification for any counter-strike would be weakened if it’s unclear whether the state accused of being behind a cyber-attack had explicit knowledge that the attack was going on.
From cyber to physical attacks
In the current climate, there is a serious concern that a cyber-attack – even if it’s not successful – could lead to physical retaliation. The memory of an Israeli missile attack in May 2019 against Hamas hackers, accused by the Israeli Defence Force of attacking Israeli targets, is still fresh.
If the US believed that Iran was imminently about to target critical infrastructure in a cyber-attack, this could provide legitimate justification under international law for a pre-emptive physical strike against Iranian targets. But judging when an attack is imminent in cyberspace is challenging: a serious cyber-attack could be planned well in advance or be executed very quickly.
Although the immediate threat of further military violence between the US and Iran seems to be diffusing, the fallout from the strike on Soleimani is taking place in a new era of modern warfare, where basic notions of war and international law are constantly evolving.
Although the world is yet to see a government admit to launching a cyber-attack so grave that it’s been considered an act of war by the target country, the potential for such attacks does exist. Even if such capabilities are not used, the threat of them could provide justification for physical counterattacks with destructive results in future conflicts.