Despite the importance of cyberattacks, little has been written about the relationship between these attacks and the applicable law. States are still struggling with controversies involving definitions, even though there is wide applicability of both laws and norms in this context. As a result, cyberspace remains relatively anarchic and the continued controversies have impeded further progress. The 2020 report by EU Cyber Direct illustrated this by indicating how the lack of legal clarity has prevented states from taking legal action in response to cyberattacks. Thus, state-conducted cyberattacks have been left formally unattributed and unchallenged by the law. Although cyber-focused governments in Europe and elsewhere have offered formal and public legal clarifications through statements about the applicability of international law in cyberspace, many states either lag behind in such developments or have simply refused to articulate their views. If, however, international law was globally applied in this context, states could clarify limits of acceptable behavior in this growing battlefield. Although the global discussion has only just begun, it is clear that the rising prevalence of state-led cyber operations warrants a thoughtful, innovative, and immediate regulatory response.
Pressure has been building on the governments of the Middle East to join the conversation as their relevance and power in the cyber domain grows. The discrepancy between regional governments’ investment into development and implementation of cyber capabilities has also contributed to the ambiguity. In July 2020, however, Iran became the first Middle Eastern government to offer formal, public statements on its stance toward the applicability of international law in cyberspace. As of December 2020, both Iran and Israel have asserted themselves in this domain with targeted legal statements, released by the General Staff of the Iranian Armed Forces and the Israeli Deputy Attorney General of International Law, which attempt to give context to their respective strategies in cyberspace.
But why do formal statements on international law’s application in cyberspace matter? They very often do not bring greater clarity nor are they legally binding. If anything, they show how unclear and easily disputable the law is in the context of cyberspace. Such statements also do not definitively set legal precedent or confirm attribution or responsibility for malign behavior in cyberspace. And yet, these statements are, in many cases, the only recourse for states to articulate strategy, propose policy, and conduct diplomacy. In a broader sense, such statements serve as a way to manage public relations as states actively work to send a message to their allies and adversaries.
Statements by governments that outline their position on how international law applies to foreign and national cyber activities generally articulate: (1) which powers and behaviors they are willing to sacrifice in the pursuit of peace, (2) which powers they are unwilling to renounce, and (3) which behaviors and policies they deem acceptable. Although, of course, such statements do not definitively confirm what a government will or will not do, they often clarify what the country perceives as good and bad behavior and allow states to align their legal and political aims and reactions.
Crucially, the Iranian and Israeli statements constitute particularly significant voices in the cyber domain; Iran is viewed as one of the largest threats to national (particularly U.S.) cybersecurity, while Israel is a leader in both state-run cybersecurity and on the private-sector cybersecurity market. Their opposition to one another, combined with their influence in the region, make these statements likely to shape future stances, behavior, and actions by less cyber-focused regional powers. In other words, by looking for clues about these states’ legal frameworks in cyberspace, legal observers can begin to decipher to what extent each state (1) is willing to limit itself by international law, (2) relies on cyber capabilities as part of their international affairs and behavior, and (3) aims to conduct cyber operations in accordance with these norms in the future.
The statements’ motivations, effects, and what they tell us about each state’s aims in cyberspace
It is worth considering why Iran and Israel voiced their respective legal positions on cybersecurity. Beyond their respective significance in cyberspace (albeit on starkly different grounds), the ongoing conflicts between Israel and Iran give some context to the issuance of each statement. By issuing a statement prior to Israel, Iran may have hoped to gain the favor of European governments, through the expression of commitment to and respect for international law. Israel, which often adopts a reserved stance in its commitments to international standards in order to protect itself from its adversaries, appears to have a more retaliatory intention behind its statement. Israel’s clandestine position is not limited to the cyber domain, and is perhaps typical of its foreign policy. Intelligence gathering, attacks, and defense all operate in a relatively secretive manner in cyberspace, making these legal statements even less useful, except in their ability to reveal underlying motivations. Unless the details surrounding the attacks themselves are clarified, the rules that regulate such acts cannot be appropriately understood. Let us then look first to the motivations and execution of these statements.
Iran’s position in the world and in cyberspace feeds into its motivations for releasing this statement. Firstly, by releasing the statement in July 2020, it was the first of the U.S.’ adversaries to articulate its position, outside of collective discussions such as the Open-ended Working Group. The statement by Iran has been widely celebrated, which provides an incentive for other states to follow suit. Beyond this, it suggests a commitment to international law that European governments are likely to view favorably. Secondly, the Iranian statement was made by the General Staff of the Iranian Armed Forces and is a military (or at least governmental) articulation of how international law applies in cyberspace. Israel’s statement is subtly different, as it comments mostly on the issues related to applying international law in cyberspace, as opposed to the law’s operation. The direct link to the military also suggests a slightly more strategic commitment. Third, while the statement can be viewed as a tool to excuse Iranian actions, it also opens a clearer avenue to condemn Iranian behavior if it fails to uphold its commitments. Cautiously, public international law lecturer Przemysław Rogusski noted in his commentary that it "remains to be seen" whether Iran will adhere to its self-declared limits. Only weeks after Iran released its statement, it went beyond its limits by meddling in the 2020 U.S elections, namely by sending threatening mass messages to voters. Iran thus appears to have acted unlawfully by the standards it set within its own statement. It is not yet clear how the U.S. and others will react to this offense in cyberspace. Iran’s recent cyber activity begs the question whether the statement to some degree functioned instead as a test of what the Iranian regime can get away with.
The Israeli statement, written by the country’s Deputy Attorney General of International Law, Roy Schöndorf, strikes the tone of academic legal analysis rather than a policy statement. It is longer, more suspicious of the law’s applicability to cyberattacks that do not cause physical destruction or death, and is crucially titled, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (emphasis on "issues" added). Despite these differences, the statement also offers a much more realistic view of many complex legal issues in cyberspace, and shows a much more sophisticated understanding of the broader security context. The release itself, only a few months after Iran made its statement, suggests that it may have been released in response to the Iranian statement, possibly to offer regional governments an alternative to the Iranian approach. It is unlikely that Israel would have articulated such a position in the absence of an Iranian statement, as this would have contradicted Israel’s tendency to not publicly comment on security matters. Israel, as a major player in cyberspace and aligned with U.S interests (another cyber superpower), has a crucial interest in participating in the formation of international law in cyberspace. Israel’s ambitions are further illustrated by the statement’s many references to the private sector, which has proven a fertile ground for Israel’s growth in the cyber domain and more broadly on the international stage. Due to both its international standing and national investments, Iran’s role is limited in the private cybersecurity market, particularly internationally. Because of this, Iran focuses much more on defense and almost entirely disregards the relevance of private actors in its statement. Israel, in contrast, both invests and legally positions itself to defend an open and competitive cybersecurity market.
By writing these statements, both governments show in which ways and to what degree they are open to the future development of regulation in cyberspace. Israel lengthily explores the complexities of regulation in cyberspace and articulates a reluctance to accept further legal limits to actions. The matter of international law in cyberspace, Israel argues, is not about the creation of new laws, but the consideration and application of existing laws. However, Israel is cautious even in its application of existing law, leaving cyberspace in a "legal vacuum" in which it is free to act. Schöndorf also points out that the discussion of law in cyberspace is in its early days and argues that much more state behavior and norm development should precede new rules. So the question remains: what do these statements tell us about the states’ position on existing legal norms for acceptable behavior in cyberspace?
"The matter of international law in cyberspace, Israel argues, is not about the creation of new laws, but the consideration and application of existing laws. However, Israel is cautious even in its application of existing law, leaving cyberspace in a 'legal vacuum' in which it is free to act."
Legal thresholds and how they indicate a willingness to restrict behavior through law
Setting legal thresholds allows states to indicate their interpretation and varying acceptance of applicable international laws in cyberspace. Iran’s position on the principles of non-intervention and sovereignty has been described as setting a low legal threshold. This means that the state tends to perceive its own behavior and that of others as heavily regulated by legal controls. It sets a wide scope for what behavior falls under legal restrictions and in turn, exposes state and non-state actors, including itself, to legal and international condemnation. While it enables other governments to condemn Iran for a large range of actions, Iran also preemptively justifies its reactions to almost anything another state might do towards it in this arena.
The extent of the law’s applicability is highlighted in the English translation of the non-intervention principle. It should be noted that because the statement has been translated into English from Farsi, unlike the Israeli statement which was originally written in English, certain passages may seem opaque to the English reader. Thus, in language that appears imprecise in English but reflects a distinctly colorful political message in the original Farsi, Iran claims that:
"[a]ll explicit and dainty forms and complicated techniques of duress, overthrow, and outrage (whether Cyber or non-cyber) to intrigue in the political, social, or economic order of other states or destabilizing governments seeking liberalization of their own economic, political and cultural system form control or intervention of foreigners, is unlawful."
By referring to all "dainty" (read "small" or "insignificant") forms of "duress, overthrow, and outrage," the General Staff positions itself to respond to any actions that are deemed to be inhibiting of or punitive against the regime. It is clear that Iran hopes to stave off attempts at intervention from its repeated invocation of the non-intervention principle and the ambiguous reference to the coercive element. Roguski notes that Iran agrees with the U.S. and others that election interference is an unlawful intervention, but goes further. Iran’s own definition shows that it holds unlawful any "influence operations aimed at affecting voter behavior." Whether publishing anti-regime articles on a site accessible to the Iranian public is unlawful is not made clear, but remains a distinct possibility. Iran’s statement simultaneously shows that conduct by Iran against foreign voters should be deemed an unlawful intervention. Although Iran sets a low legal threshold, it appears mostly to be a way to condemn foreign behavior and justify an aggressive response, rather than real willingness to limit or confront the implications of its own behavior.
Israel’s statement, in sharp contrast, sets a high legal threshold that leaves its behavior relatively untrammeled by international law and its limits. The high threshold means that most behavior in cyberspace can be conducted without fear of legal condemnation or legally justified response. The threshold is defined by factual effects (rather than facts inherent to the attack itself). Such effects include physical damage, severe injury, or death. This is a rather high threshold that goes so far as to reject the standards set by the Group of International Experts in the Tallinn Manuals. By requiring physical damage or injury as a prerequisite for a legal response, both in the context of self-defense and the non-intervention principle, Israel allows itself and others to conduct a significant range of cyberattacks without grounds for recourse. This view is not shared by most other countries, particularly European governments such as Finland and the Netherlands. Israel’s statement does align, however, with the commonly accepted non-intervention principle and its requirement that “State A cannot take actions to ‘coerce’ State B in pursuing a course of action… in matters pertaining to State B’s core internal affairs” and expresses particular respect for the principle’s validity in instances of election interference. Israel’s view “on proven attribution” is more controversial. Israel dismisses the idea that publicly declared and rigorously proven attribution are requirements for a lawful reaction. Israel accomplishes two things through this dismissal. Firstly, it clarifies that it will act covertly in cyberspace rather than publicly naming actors against which it is retaliating. Secondly, Israel illustrates again that it is reluctant to alter its behavior to meet the constraints of international law and aims to maintain its strategic ambiguity and secrecy in cyberspace. This is particularly problematic from the viewpoint of European governments, which prefer to respond and deter cyberattacks with public condemnation and collective self-defense. Israel’s approach is more self-reliant, secretive, and focused on the offensive rather than deterrence.
Significantly, Iran and Israel take a similar approach to the prohibition on the use of force. Both assert a high threshold for what constitutes a use of force, with a focus on the physical impact of an attack (or lack thereof). This is, once again, a rejection of the position stated by the Tallinn Manuals and limits legal response to the degree of proportional self-defense. Israel’s view is clear — only if it damages physical property or persons as a result of a use of force should its actions be condemned. Iran’s position is the same, but for a different reason, according to the Tallinn Manuals expert and legal scholar Michael Schmitt. He argues that Iran, fearing the power of the U.S military, has adopted a conservative stance on the use of force to deny the U.S legal pretext to attack. Although a valid speculation by Schmitt, it remains unproven. In truth, the continued challenge of establishing a cyberattack as a use of force remains a hindrance for possible U.S military attacks and Iran’s safety in this regard.
What general ideas about Israeli and Iranian positions regarding the use of force and intervention can be drawn from these statements on the use of force and intervention? The answers are murky, but some clear patterns quickly emerge. Iran appears to view itself as a victim of foreign attacks, including increasingly onerous sanctions. There, it feels a strong need to be able to defend itself in an adversarial global climate. Although Iran aligns itself with rather progressive statements like those by France and the Netherlands, it treads carefully around discussions of armed conflict. Israel’s stance similarly enables it to act, but more as an originating actor than a defending victim. As Israel typically takes a clandestine approach in other military matters, the release of this statement is rather surprising. However, the wording remains non-committal; by referring to “due diligence” and “sovereignty” as “concepts” and “general concepts” rather than as rules, for example, Israel seems to seek mostly to counter Iran’s attempt at regional leadership on the question of cyberattacks and international law. Unfortunately, both views seem to allow both countries to behave much like they already have, regardless of the chosen response.
The principle of sovereignty and how it represents Israel and Iran’s international behavior
Although a smaller, rather legalistic point, the differing interpretations of the sovereignty principle indicate a crucial discrepancy between the two. Iran once again asserts a low legal threshold for the principle, going so far as to deem any destabilization of a country’s national security a violation of the sovereignty rule. Iran’s stance aligns quite closely with countries like France and the Netherlands, which deem sovereignty a legal rule violated by "any unauthorized penetration by a State on French systems." Schmitt notes that Iran’s declaration “goes further.” Although a somewhat problematic legal interpretation, Iran’s position clearly demonstrates its reluctance to allow interference in its affairs, and its willingness to respond harshly to any such interference.
Israel, instead, views sovereignty as a principle rather than a rule. The concept of sovereignty is a theoretical concept that "connotes independence" while the legal rule, it says, only concerns the notion of "territorial sovereignty." This is a new distinction and appears to have very little legal grounding. The author of Israel’s statement, Roy Schöndorf, argues that a state’s independent will and decision-making over its affairs is only a principle that states attempt, with varying degrees of success, to assert. A true legal violation can only be had against a state’s territory, which in the cyber context is irreducible to the question of land ownership. However, in his example, Schöndorf dismisses the consideration of data in legal determinations, arguing that this is a sovereignty issue, rather than a territorial sovereignty issue. It is unclear what this distinction means, as it is not featured in Schöndorf's other examples, but is clearly in line with the generally high threshold Israel maintains.
The discrepancies between the two approaches illustrate how the two states hope to use their cyber capabilities. While Israel adopts a legal framework that seeks to limit condemnation of its actions abroad, Iran attempts to limit condemnation of its reactions to foreign attacks. Iran’s position is particularly relevant to what has been termed a “gray zone” strategy by Iran against the U.S. This is, in Iran’s perception, a middle ground between peace and war, where the continuous escalations between the two in cyberspace and beyond could justify Iran’s position of defense. In contrast to Iran’s position of aggression through defense, Israel appears offensively defensive through its justification of initiating attacks to stave off aggression from its neighbors.
"The discrepancies between the two approaches illustrate how the two states hope to use their cyber capabilities. While Israel adopts a legal framework that seeks to limit condemnation of its actions abroad, Iran attempts to limit condemnation of its reactions to foreign attacks."
Both the Israeli and the Iranian statements illustrate that the Middle East is an increasingly critical cyber battlefield, as well as a region in which legislative and policy spaces are rapidly forging ahead with unique responses to threats and opportunities. This is especially relevant as most of these discussions have previously stemmed from a U.S.- and Euro-centric views of what cyberspace should be — open, secure, and accessible. Other governments in MENA surely have different views of what cyberspace should be and how to achieve this, and these views are more likely to be more closely aligned with Israeli or Iranian views than those of European governments. This is particularly crucial in the context of the information control regimes which many MENA governments have constructed, and upon which they increasingly rely.
Israel is also a growing leader in the region, as its bonds with previously non-allied states grow stronger. This has been a significant trend following the inception of the Abraham Accords in 2020, which normalized ties between Israel and three (soon to be four) regional neighbors. With a growing division between Israel and Iran and their allies, their respective statements likely indicate which MENA governments will accept similar interpretations of international law. As the United Arab Emirates and Bahrain align closer with Israel and the U.S, their respective stances on international law in cyberspace are likely to echo those views in the near future.
Sarah Johansson is a Graduate Scholar with the Cyber Program at MEI. Her previous work has considered the international legal remits of state perpetrated and sponsored cyberattacks. She received her LL.B. in Law with a Public International Law focus from Queen Mary, University of London. The opinions expressed in this piece are her own.
Photo by Morteza Nikoubazl/NurPhoto via Getty Images