Operation Olympic Games -- A Legal Setback and a Strategic Opportunity -- A Guest Post from Ernesto J. Sanchez

Several weeks ago I noted that Iran had announced its intention to sue the developers of the Stuxnet virus.  As I said, it was an almost perfect Lawfare type question -- in what court? under what theories? etc.?   I offered to post any interesting answers here on Lawfare.  Today, I'm pleased to bring you this short essay "Operation Olympic Games -- A Legal Setback and a Strategic Opportunity" by Ernesto J. Sanchez.  Mr Sanchez is a 2004 graduate of the University of Pennsylvania Law School and a member of the ABA Section on International Law, with a solo practice in Miami, Florida.  He is also a a senior analyst for Wikistrat, an online geostrategic forecasting consultancy. Herewith his thoughts:

Many thanks to Paul Rosenzweig and the rest of the Lawfare Blog team for allowing me to take up the challenge of describing legal actions that Iran might take with respect to Operation Olympic Games, the U.S. cyberattacks on Iranian nuclear facilities and other targets that began in 2008 and that may be continuing today. Much about the attacks and their effects remains unclear. But the so-called “Stuxnet” virus attacks between 2008 and 2010 disrupted the operation of gas centrifuges used to enrich uranium, a process that can both produce fuel for nuclear reactors and fissile material for nuclear weapons, at the nuclear facilities. Iran could consequently charge the U.S. with an unlawful use of force before the International Court of Justice (ICJ). Akin to Nicaragua’s successful ICJ action against the U.S. during the 1980’s for supporting the contra insurgency and mining Nicaraguan harbors, Iran could further construe the Olympic Games cyberattacks as part of a greater U.S. regime change effort that violates its sovereignty. These possible legal consequences, however, are not as significant as the fact that the operation apparently did not slow Iran’s nuclear program and resulted in the spread of a template for what computer security experts have called the most dangerous cyberweapon ever. U.S. and other states’ officials, concerned over Iran’s continued backing for proxy terrorist groups (e.g., Hezbollah) to pursue regional geostrategic objectives, believe Iran seeks to build nuclear weapons. Iranian leaders contend that their nuclear program is meant to develop an alternative means of generating electricity to maximize oil sales to other states and provide fuel for medical reactors. The Bush administration commenced and the Obama administration accelerated the Olympic Games operation in the wake of International Atomic Energy Agency (IAEA) concerns over the lack of transparency surrounding the nuclear program and a 2006 U.N. Security Council resolution ordering Iran to suspend its uranium enrichment activities. Until its worldwide spread and discovery due to a programming error in July 2010, the Stuxnet attacks proved to be an effective alternative to traditional military strikes, causing Iranian nuclear facilities’ centrifuges to malfunction and explode. Despite a reported accident at Iran’s Natanz facility in 2009, no injuries, deaths, or damages to other computer systems appear to have occurred. Subsequent viral infections (e.g., Duqu, Flame) of Iranian computer networks involved intelligence collection by, among other things, recording keyboard activity and network traffic and copying text files. The extent to which these latter infections actually disrupted or destroyed stored information remains unclear. Former NSA and CIA director Michael Hayden has viewed Stuxnet’s use as “the first attack of a major nature in which a cyberattack was used to effect physical destruction,” as opposed to simply slowing down or stealing data from another computer. He thus represents a consensus among U.S. policymakers and military leaders that computer network attacks by a state causing injury, death, damage, or destruction to another state’s citizens and property amount to uses of force under the law of armed conflict. On those grounds, the Stuxnet attacks, at the very least, violated the U.N. Charter’s prohibition on threats or uses of force “against the territorial integrity or political independence of any state, or in any other manner inconsistent with the [p]urposes of the [U.N.].” The precise targeting that apparently enabled Stuxnet to have little, if any, effects beyond Iranian nuclear facilities, certainly reflect U.S. concerns over the principles of proportionality, distinction between military and civilian targets, humanity, and necessity underlying the law of armed conflict. But the Charter only allows unilateral (i.e., without Security Council approval) military strikes for purposes of “individual or collective self-defense” in the wake of an “armed attack.” The more flexible customary international law standard of anticipatory self-defense likely will not apply to Stuxnet either. A state can act in anticipatory self-defense when (1) an armed attack is immediately threatened; (2) an urgent necessity exists for defensive action; (3) there exists no practicable alternative but to act; and (4) the action taken is limited to the needs of defense. The widely accepted “Caroline doctrine,” in turn, provides that a threat becomes immediate when (1) an aggressor is committed to an armed attack and (2) a delayed response will hinder the victim’s ability to defend itself. These guidelines indicate that the Stuxnet attacks, despite Iranian leaders’ consistently hateful rhetoric against Israel, would only have been lawful if reliable intelligence had indicated that Iran was, at the absolute least, on the verge of developing a nuclear weapon. Yet international disagreements as to the Iranian nuclear program’s actual status and nature remain, as the Israeli government’s current rift with the U.S. over the need for a military strike on Iranian nuclear facilities sooner rather than later shows. A sense of public crisis among governments questioning Iran’s intentions did not really set in until last fall, but an IAEA report last May still did not definitively state whether Iran was seeking to develop nuclear weapons. Nor have the IAEA or U.N. Security Council specifically concluded in prior issuances or resolutions respectively that Iran has actually violated its obligations under the Nuclear Non-Proliferation Treaty (NPT). Finally, no Iranian activities that could themselves qualify as aggressive – sponsorship of foreign terrorist acts, covert support of insurgents against U.S. troops in Iraq before the U.S. troop withdrawal, and reported assistance to the Taliban in Afghanistan – correlate with the country’s nuclear program. Iran could proceed to strengthen an ICJ claim by construing the Olympic Games operation as part of a greater U.S. regime change effort, along the lines charged by Nicaragua in the 1980’s. In that regard, the Iranian government could, for example, cite to how:

• The Stuxnet attacks were already under way during the so-called “Green Revolution” – the mass protests between June 2009 and February 2010 against President Mahmoud Ahmadinejad’s disputed reelection victory – and distracted from government efforts to restore order;

• The U.S. has, on account of the 2006 Iran Freedom and Support Act, funded Iranian opposition groups and, through the use of special forces, allegedly trained Iranian opposition militias;

• The Bush administration reportedly authorized covert campaigns of propaganda and manipulation of Iran’s currency and foreign financial transactions;

• U.S. intelligence, surveillance, and reconnaissance flights have violated Iranian airspace, as demonstrated by Iran’s capture of a U.S. RQ-170 Predator unmanned aerial vehicle in December 2011; and

• The U.S. has facilitated an extensive international economic sanctions regime outside U.N. auspices.

Violations of state sovereignty under customary international law, which encompass uses of force, include entrance into another state’s territory and inhibiting rights of free travel, communications, and commerce or otherwise seeking to coercively influence a state’s political, economic, social, and/or cultural system and/or foreign policy. The ICJ’s Nicaragua decision explicitly condemned foreign support of domestic armed opposition movements. And neither of the U.S. measures above stemmed from a Security Council mandate, so they likely could not qualify as exercises of the increasingly accepted “responsibility to protect” another states’ citizens from mass atrocities (even in the unlikely event that the ICJ were to conclude that the Iranian government has committed such atrocities). But like the U.S. refused to appear in the Nicaragua matter after the ICJ ruled it had jurisdiction over the dispute, the U.S. can refuse to defend against any Iranian ICJ claim. The U.S., in fact, rejected compulsory ICJ jurisdiction at that time. Most states have done the same. And if an action proceeds under the 1955 U.S.-Iran Treaty of Amity concerning most aspects of U.S.-Iranian relations, a basis for two prior ICJ cases, the U.S. can repeat its response to the adverse Nicaragua judgment and veto any Security Council enforcement effort. Whether one agrees with U.S. policy toward Iran or not, the fact remains that nothing, as State Department Legal Adviser Abraham Sofaer said in 1985 with respect to the Nicaragua case, requires the U.S. to “surrender to [the ICJ] the power to pass on our efforts to guarantee the safety and security of this nation and of its allies.” But these international law issues only reflect the greater strategic reality of how the U.S. has gradually lost its leverage over Iran. The IAEA has indicated since 2011 that Iran has overcome Stuxnet’s setbacks, while the U.S. today remains overstretched by its diplomatic and other efforts to influence events in Egypt and Syria. Current U.S.-Israeli differences over how to address the Iranian nuclear program have also damaged a previously united front. The possibility of a quiet alliance between Israel and its Arab neighbors in countering Iran also appears to have been a product of wishful thinking. Despite differences over the Syrian uprising, for example, Saudi-Iranian tensions appear to have cooled somewhat following this summer’s meeting between President Ahmadinejad and King Abdullah of Saudi Arabia at a gathering for the Organization for Islamic Cooperation in Mecca. Saudi Arabia has also threatened to shoot down any Israeli aircraft flying to Iran to engage in a military strike. A Sino-Saudi nuclear cooperation agreement calling for the construction of 16 commercial nuclear reactors in Saudi Arabia by 2030 conceivably points to a future where Arab states will not view the U.S. as the region’s sole guarantor of security, nuclear or otherwise. Moreover, representatives of the Non-Aligned Movement, which has a membership of 120 states, passed a resolution supporting Iran’s right to develop nuclear technology for peaceful purposes while meeting in Tehran last month. These factors compound the obstacles that the U.S. and its allies on the Iranian nuclear matter face in convincing Russia, China, and perhaps most of the world that the mere risk of a nuclear-armed Iran is simply unacceptable. The NPT’s integrity, however, demands that Iran commit to full transparency for its nuclear program and that the U.S. accept a peaceful Iranian nuclear capability. In the coming weeks before President Ahmadinejad’s visit to address the U.N. General Assembly, then, the U.S. should do its diplomatic best to compel this transparency, even at other regional objectives’ expense and, if necessary, publicizing intelligence gained from the Olympic Games operation that indicates any belligerent Iranian motives. At the same time, the U.S., having led the way to the enactment of multilateral conventions on the use of nuclear weapons after having created the atomic bomb itself, should now seize the opportunity to advocate for an analogous cyberwarfare convention. Charges of hypocrisy in the short term are inevitable, but international law in practice depends on the intelligence gathering that the Olympic Games operation facilitated, especially with respect to the military capabilities of states that, as President Eisenhower said, make “a fetish of secrecy.” In the end, the fact remains that Stuxnet and related viruses demonstrated targeting of unprecedented precision and, despite Stuxnet’s spread, actual specifications for a multinational cyberwarfare accord that might prevent an apocalyptic cyberattack on the U.S.