7 September 2019

The Fifth Domain and Coercive Diplomacy


Background

As part of its retaliation for the tanker incidents in the Strait of Hormuz and the downingof a surveillance drone, the US launched cyber operations against Iran in June 2019. The attack disrupted the shipping traffic database used by the Iranian Revolutionary Guard Corps to track tankers passing through the Persian Gulf. The Iranian Minister for Information and Communication Technology, Mohammad Javad Azari, was adamant that the attack was not only unsuccessful, but that ‘Tehran had neutralised 33 million attacks’ in 2018. The attack came amid heightened tensions between the two nations and was part of a “package” of measures, along with a cancelled US airstrike. Cyber confrontations generally allow for measured “retaliation outside wartime” and are capable of causing widespread infrastructural damage without the usual attendant human casualties.

Comment

Iran is no stranger to US-based cyber-attacks. A joint operation by the US and Israel against Tehran in the 2011 “Operation Olympic Games”, targeted the Natanz nuclear facility damaging its reactors and leaving it close to a nuclear meltdown. The two countries have, at various times, exchanged cyber volleys of increasing strength and sophistication and ever since the Stuxnet attack on the nuclear facility, there has been the risk of loss of human lives.


The main advantage and the disadvantage of utilising cyberspace, the fifth domain, as a theatre of combat operations are, respectively: the limitation of casualties compared to those caused by physical attacks and the potential to cause unforeseen damage that could lead to mass civilian fatalities. The number of cyber-attacks has risen in recent years. They are not always borne out of political necessity, but nonetheless are disruptive. For instance, the WannaCry attack in 2017 and the NotPetya attack in 2018, severely undermined the UK health system and financial institutions respectively. Cyber-attacks could also be used as a method of industrial espionage, to steal sensitive military information and customer data. These tactics have the potential to complement physical combat situations as a mechanism for disrupting enemy defence capabilities, or to compromise individual government employees.

The use of non-state actors in this type of attack, furthermore, has different possible ramifications. It remains to be seen, for instance, if an attack by the Iranians against the US as retaliation for its cyber-attacks is lawful under the “Just War” principle. This also suggests that it will be harder for a country to accuse another of criminality in cyberspace. Additionally, a country’s presence in cyberspace can easily be ‘masked’, or its identity revealed; for instance, a forum used by Hong Kong demonstrators, LIHKG, was attackedby an unknown group. The attack, which originated in mainland China, took place through the use of the distributed denial of service or DDoS method.

Regardless of its other potential outcomes, cyberwarfare is designed to sabotage, disrupt or subvert both state and non-state actors and prevent them achieving their objectives, even when they seek to de-escalate existing tensions. While the idea of war as ‘a continuation of politics by other means’, to bring countries to the negotiation table remains unchanged, cyber-warfare has the potential to be a means of coercive diplomacy without the need for an open conflict. Its value would not, however, be limited by the outbreak of war.

All of this complicates matters, as commonplace terms of war, such as “use of force” and “armed attack”, as well as the legal international humanitarian framework set up by the UN, do not apply to the cyber domain. After all, there is a lack of definition as to what constitutes the “cyber domain”; is it commercial or military in nature, or both? Can state actors posing as non-state actors in the cyber domain be prosecuted? Under which international law would they be prosecuted? The European Union has established a cyber charter, the Convention of Cybercrime, but only signatories are subject to it. Nations such as Russia, China and Iran are not included in that agreement. Those countries happen to be the ones from which most cyber-attacks originate.

Cyber-warfare is designed around “first strike” principles and is relatively low-cost in contrast to total war. Thus, it is not surprising to see countries developing indigenous cyber commands, such as the US Cyber Command and the Australian Cyber Security Centre. In sum, the fifth domain has changed how nation-states perceive the prosecution of war and without a framework of conduct in place, the risks of miscalculations have increased.

No comments: