On Thursday the Justice Department indicted seven Iranians for distributed denial of service (“DDoS”) attacks in 2011-2013 against 46 companies (mostly in the financial sector). The indictment alleges that Iran’s Revolutionary Guard sponsored the attacks.
David Sanger of the New York Times reports that intelligence experts have long speculated that the attacks “were intended to be retaliation for an American-led cyberattack on Iran’s main nuclear enrichment plant.” Sanger adds that “Iran’s computer networks have been a primary target of the National Security Agency for years, and it is likely that in penetrating those networks — for intelligence purposes or potential sabotage — the N.S.A. could have traced the attacks to specific computers, IP addresses or individuals.”
Assuming these experts’ speculations are right, the Iranians were indicted for retaliating against U.S. cyberattacks on Iran’s nuclear weapons infrastructure, and they got caught because the NSA had penetrated Iranian networks. On its face this seems hypocritical. Might the U.S. indictments nonetheless be justified?
One way to answer this question is to ask what the U.S. government would do if Iran named and indicted the NSA officers reportedly behind the penetration of and attacks on Iran’s nuclear weapons facility. How might the United States distinguish its cyberattacks on Iran’s infrastructure from Iran’s responsive cyberattacks on U.S. infrastructure?
The United States would first need to explain how its attacks on Iran’s nuclear weapons facilities are consistent with the principles laid down by Secretary of State Kerry for responsible behavior in cyberspace:
The basic rules of international law apply in cyberspace. Acts of aggression are not permissible. And countries that are hurt by an attack have a right to respond in ways that are appropriate, proportional, and that minimize harm to innocent parties. We also support a set of additional principles that, if observed, can contribute substantially to conflict prevention and stability in time of peace. We view these as universal concepts that should be appealing to all responsible states, and they are already gaining traction.
First, no country should conduct or knowingly support online activity that intentionally damages or impedes the use of another country’s critical infrastructure.
The United States would likely argue that the cyberattacks on Iran complied with international law because they were taken in its or Israel’s self-defense in the face of an imminent attack by Iran. If the United States’ actions were legitimate self-defense, Iran’s actions in response could not be justified as lawful self-defense.
However, the United States might have a tough time arguing self-defense. Iran was, in the worst-case scenario, months away from having an operational nuclear weapon, and the United States would have to rely on a controversial “prevention” argument under international law to justify its attacks. Iran might argue, to the contrary, that the U.S. cyberattacks were not legitimate self-defense but were instead “armed attacks” that under Article 51 of the U.N. Charter justified Iran in exercising its own self-defense. Iran might even invoke Secretary of State Kerry’s principles. Indeed, in the abstract, the U.S. cyberattack on Iran’s nuclear weapons facilities—which reportedly sabotaged 1,000 or so centrifuges, among other damage—more likely counts as a “use of force” or “armed attack” under the U.N. Charter than Iran’s DDoS attacks, which apparently caused no lasting damage.
These international law arguments are technical and contested. They are also beside the point, and not just because the United States is not going to explain or justify its cyberattacks on Iran. The U.S. indictment is not premised on an international law violation. It is based on a violation of U.S. law for harm the Iranians caused inside the United States. The Iranians could invoke precisely the same principle: an Iranian indictment for the U.S. cyberattacks would be based on a violation of Iranian domestic law for harm caused in Iran by U.S. officers. In short, the cyberattacks from each nation violated the criminal laws of the other nation.
The United States is likely less concerned with charges of hypocrisy than with deterring attacks on its financial infrastructure. Attorney General Lynch said yesterday that the indictment sends “a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market.” FBI Director James B. Comey added: “By calling out the individuals and nations who use cyber-attacks to threaten American enterprise, as we have done in this indictment, we will change behavior.”
But will the indictments change behavior? The Iranians will almost certainly never appear in the United States and thus never go to trial. John Carlin, the Justice Department’s top national security lawyer, argued late last year that indictments for cybercrimes can contribute to deterrence even if the defendants are never prosecuted because they expose the responsible actors and demonstrate more broadly that the United States has powerful tools to discover and identify those behind cyberattacks. “The world is small, and our memories are long,” Director Comey said yesterday, explaining the government’s deterrence logic. “People often like to travel for vacation or education, and we want them looking over their shoulder.”
It is hard to assess whether the deterrence effect of the indictments will be large enough to stop further attacks on financial infrastructure or so small that they invite more attacks. Moreover, any deterrence achieved by the indictments comes at the cost of exposing U.S. intelligence capabilities and inviting similarly theatric retaliatory indictments. So it’s not clear that the United States has an obviously winning cost-benefit tradeoff here. As usual in this context, one suspects (and hopes) that there is much more going on than meets the eye.