As the United States and Iran inch closer to confrontation over Tehran's nuclear program, a little-asked question lurks in the background: are the two countries already at war?
In late September, massive denial-of-service attacks—cyber attacks that prevent websites from processing requests from users on the Internet—targeted five American banking institutions. Soon after, Senator Lieberman attributed responsibility to Iran, an accusation that is now reportedly shared by anonymous U.S. officials. While the damage seems to be minimal, the attacks continued in waves for at least five weeks.
This comes on the heels of reports that the United States and Israel jointly conducted the Stuxnet cyber attacks against Iranian nuclear infrastructure. The Stuxnet worm was the most damaging component of a broader cyber campaign to disrupt the Iranian nuclear program, reportedly damaging around one thousand centrifuges at the Natanz enrichment facility.
Are the United States and Iran in a cyber war?
There is no consensus on the definition of cyber warfare. Moreover, such a conflict is a stipulative, theoretical thing; it has yet to occur. As far as we know, while there have been cyber attacks before - maybe even cyber acts of war, like when the CIA allegedly used software to destroy part of a Russian oil pipeline in 1982 - and while cyber espionage is widely reported, we have yet to experience cyber warfare, at least publicly.
And while even the question “what is war?” has no simple, exact answer, our violent history has generated some pretty good ideas. Military theorist Carl von Clausewitz defined war as "violence intended to compel our opponent to fulfill our will" in order to achieve a political end. It is easy to see that some extreme cases of a cyber attacks could meet this definition.
Herald Koh, legal advisor to the State Department, has recently reinforced this point. Speaking at a conference hosted by U.S. Cyber Command, he said, "Cyber activities may in certain circumstances constitute uses of force." For example, consider two nations using cyber attacks to shut down each other's electrical grids in order to force the other to change policies on some issue. If citizens died in the process, which is more than plausible, the action would certainly amount to warfare.
So whatever cyber warfare is, it is war. Just as an air war is warfare using airplanes, or just as naval war is warfare using ships or submarines, cyber war must be warfare using malicious code and cyber weapons.
But what about less extreme cases where the effects are not so devastating and there is no injury to life? In Clausewitz's terms, the question is whether cyber attacks count as war without violence. Whether the United States and Iran are in a state of cyber war hangs in large part on this very question and the answer so far is elusive.
On the one hand, both U.S. and Iranian cyber attacks appear to meet Clausewitz's idea of war in important respects. Both American and Iranian cyber attacks can be considered as acts of force intended to compel an opponent to political ends. Clearly, Stuxnet was part of an effort to interfere with Iran's nuclear program. Iranian denial-of-service attacks against U.S. banks may be considered attempts to defend Iranian sovereignty, demonstrate the potential costs of future attacks or retaliate for sanctions.
On the other hand, it is much less clear that the U.S. and Iranian cyber attacks can be considered forms of violence. In neither instance were human beings physically harmed. Yet, that does not make this an open and shut case. American law implies that the concept of violence is not so straightforward. The U.S. code defines violent crimes in part as "physical force" against a "person or property," which could include nuclear centrifuges or computer systems. Similarly, even under a strict Clausewitzian model, violence is defined in terms of "physical force." Although unlike U.S. law, he did not include property as something that, upon encountering physical force, can be said to have been subjected to violence.