The Magazine

Boasting Without Explaining

Not a good national security approach—even in cyberspace.

Jun 18, 2012, Vol. 17, No. 38 • By JEREMY RABKIN & ARIEL RABKIN
Widget tooltip
Single Page Print Larger Text Smaller Text Alerts

We don’t know whether the Obama administration regards this proviso as applicable to its cyber attacks on the Iranian nuclear program. Perhaps it thinks the restriction does not cover the National Security Agency because it is arguably distinct from the Defense Department, though it has all sorts of very close operational ties to the Pentagon. Perhaps it thinks such restrictions can’t bind the commander in chief when he decides that national security requires him to disregard “the law of armed conflict”​—​though that is not a position articulated by Obama officials in public.

If the administration does accept the notion that “the law of armed conflict” applies to its cyber attacks on Iranian nuclear facilities, however, a lot of new questions arise. Most analysts assume that “the law of armed conflict” includes the jus ad bellum​—​the law governing resort to force. And most analysts view that law as governed by the U.N. Charter, limiting resort to force to actions authorized by the Security Council or in self-defense “if an armed attack occurs.” Do these categories apply here?

The Security Council has passed several resolutions imposing sanctions on Iran for failing to cooperate with international inspections (required under the Nuclear Non-Proliferation Treaty). Does the Obama administration think those resolutions justify resort to armed force to stop the Iranian nuclear program? Most analysts acknowledge that “self-defense” may justify a preemptive action when an “armed attack” is imminent. Does the Obama administration think the Iranian nuclear program is so inherently threatening that an attack on the program is justified as a preemptive measure, to forestall an impending Iranian nuclear strike?

These are questions the Obama administration might prefer not to answer for various reasons, some better than others. But it’s one thing to maintain a posture of ambiguity about measures not yet taken. It is something else entirely to acknowledge cyber attacks and refuse to say what they mean or why they were (in the American view) justified. Silence invites the view that the administration regards cyber attacks as quite different from “armed attack.” That might be a defensible view, even if Congress seems to have said otherwise. But that view has its own complications. The silence of the administration invites all sorts of awkward inferences​—​not least by other governments assessing their own options for cyber attacks.

One thing the New York Times report made clear was that President Obama was very concerned to avoid collateral damage to civilian objects when he approved cyber attacks on the Iranian nuclear program. That might comport with the president’s personal idea of what is required by jus in bello​—​that part of the law of armed conflict dealing with permissible tactics. But the Iranians claim that their entire nuclear program is dedicated to civilian purposes and is not, therefore, a military target. How does Obama think lines should be drawn between permissible and unlawful targets?

The reason this may matter a lot​—​and sooner than the White House seems to think​—​is that Iran has been developing its own capacity to launch cyber attacks. Suppose Iran retaliates by hitting nonmilitary targets in the United States. Do we say they can’t disable an electric power plant because it’s “civilian”​—​even if it also supplies power to a nearby military base or a defense contractor? Are we prepared to retaliate with force​—​actual bombing, with inevitable civilian casualties​—​for a cyber attack that imposes much economic dislocation here but does not actually cause direct loss of life?

It may be more prudent to retaliate for an Iranian cyber attack with a reprisal in kind by, for example, shutting down the Iranian power grid for a time, imposing considerable pain on civilian infrastructure but not causing direct loss of life. It might actually be more dangerous to launch cyber attacks on Iranian military infrastructure, threatening loss of command and control functions and emboldening some isolated Revolutionary Guards commander to think he should launch missiles before he loses even that degree of operational control. The administration has no public doctrine about what it thinks it can or can’t do in a crisis provoked by cyber attacks.

Recent Blog Posts

The Weekly Standard Archives

Browse 19 Years of the Weekly Standard

Old covers