Offensive Cyber Operations as Relief for Citizens Under Internet Blackout

Published by The Lawfare Institute
Cyberspace and the internet within it are not disconnected from the “real,” physical world. In 2016, the United Nations (UN) decreed that “offline” human rights must also be protected online. Following the UN resolution “The Promotion, Protection and Enjoyment of Human Rights on the Internet,” access to information and the internet increasingly gained recognition as necessary for enabling freedom of speech and as a human right of its own. This recognition led some to consider internet blackouts or shutdowns—that is, “[a]n intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information”—as human rights violations. Furthermore, internet blackouts during conflict or crisis are understood to prevent people from accessing life-saving information and humanitarian aid, thereby adding to the probability of a humanitarian crisis developing. Nonetheless, many governments, including democracies, choose to limit their citizens’ access to the internet, especially during times of conflict and crisis, citing national security concerns and the imperative to protect the state and its citizens from cyberattacks that the enemy would execute. The extent to which restrictions are imposed varies widely, with democratic governments imposing proportional restrictions within strict legal and oversight frameworks, while autocratic regimes impose wide and opaque blackouts that serve their political agendas.
Over the years, internet freedom activists and civil society have made many efforts to mitigate various types of internet connectivity interference by repressive regimes. Usually, these constitute the development of secure, censorship-resistant communication channels, such as TOR Snowflake, and various VPN techniques, such as VLESS. In recent years, an additional major actor has joined the efforts to circumvent such interference: Starlink. The company, which provides global internet connectivity based on a large constellation of low Earth orbit (LEO) satellites, has found itself providing internet access to crisis zones around the world—from the war zone in Ukraine, through zones of natural disasters in Sudan and Tonga, and to Iran during civil unrest. While both the development of censorship-resistant techniques and the willingness of Starlink to step in and provide uncensored internet connectivity are often lauded by human rights and internet freedom activists, all of these initiatives depend on the goodwill of non-state actors. If internet access is truly considered to be a human right and internet blackouts a violation of that right, a pathway for a more robust response by states is required.
One internationally recognized pathway might be the implementation of third-party countermeasures against the state implementing the internet blackout. To be considered legal, such measures must be temporary, proportionate, and expressly intended to elicit corrective behavior from the wrongdoer. Traditionally, these include actions such as asset freezes, sanctions, or travel bans. While these measures, at least theoretically, can compel an offending state to restore free internet connectivity, they would most likely also raise concerns about their proportionality. Conversely, internet blackouts that are implemented at the logical level—that is, the absence of a physical disconnection of networking equipment providing connectivity—allow for a novel countermeasure in the form of offensive cyber operations designed to disrupt, degrade, and deny the ability of the wrongdoer to implement an internet blackout. This idea is not completely unprecedented: The 2022 U.K. National Cyber Strategy mentions the possibility of the U.K. National Cyber Force conducting operations in cyberspace for “intervening in a humanitarian crisis to protect civilians,” specifically by “preserving their ability to access critical information.”
While it is tempting to frame an intervention in the form of a cyber operation designed to disrupt an internet blackout (especially enforced by a warring party against its own citizens) as a humanitarian relief effort, such framing will likely encounter several challenges. First, humanitarian relief efforts, while often facilitated by states and coordinated by the UN Office for the Coordination of Humanitarian Affairs, are delivered by non-state organizations. As the capability required to execute a cyber operation to disrupt an internet blackout is often considered a military capability, it is unlikely that such organizations would be capable of executing one; they would thus require a third-party state to execute it. Second, many states consider sovereignty to apply to cyberspace. Therefore, a cyber operation that disrupts an internet blackout implemented by such a state would be considered by the targeted state a violation of its domaine réservé and, as such, a coercive intervention outside the scope permissible by its commitment to allow and facilitate humanitarian relief. Framing such interventions as countermeasures sidesteps this challenge. This contradiction, inherent in implementing a countermeasure designed not to coerce an offending state to change behavior but to provide humanitarian relief, is likely to raise further questions as to what framework should govern it—those aimed at facilitating and providing humanitarian relief or those that consider countermeasures.
Human rights are erga omnes; thus, there is a consensus that violations should be enforced by the UN Security Council. In its current state, it is unlikely that the Security Council would approve a countermeasure to disrupt an internet blackout. Two of the Security Council’s permanent, veto-holding members (Russia and China) believe that sovereignty fully applies to cyberspace, and such an intervention would be against their political interests. This leads to the consideration of third-party countermeasures as a more probable avenue. While more often contested than Security Council countermeasures, applying third-party countermeasures in the enforcement of erga omnes violations has a substantial body of state practice. Examples of this practice include the decision of EU member states to ban Belarusian airlines from using European airspace in response to a violation of the Chicago Convention or the decision of Gulf Cooperation Council countries—including Saudi Arabia, the United Arab Emirates, Egypt, and Bahrain—to cut diplomatic ties and enforce a naval, land, and air blockade of Qatar in retaliation for its support of international terrorism and violation of the 2017 Riyadh summit agreements. These examples suggest that third-party countermeasures in response to erga omnes violations are an emerging right under customary international law.
The potential for abuse in the implementation of third-party countermeasures requires even more careful consideration and design. In the case of a cyber operation to disrupt an internet blackout, the countermeasure’s proportionality would be ensured by designing it carefully so that it would only disrupt the computers and networking equipment that are causing the blackout or degrade or deny the state’s capability to implement the blackout by modifying the cyberspace configuration to create a free bypass. As cyber operations are mostly considered temporary and reversible, so would a countermeasure based on them. What’s more, the issue of the willingness of the targeted state to pursue political or legal measures in the face of such countermeasures should also be addressed. Attribution of cyber operations is considered to be technically challenging, as the attacker can take technical measures to obfuscate its origin and identity or plant false flags. Furthermore, legal considerations—such as evidence of responsibility and evidence handling processes—and political considerations—such as internal and foreign audiences’ reactions and effects on the diplomatic relations with the attributed state—might complicate the issue even more (although a recent analysis suggests that the challenge is becoming easier to overcome). In the absence of a political statement claiming responsibility for the countermeasure by the implementing state, it is unlikely that the targeted state would be able to attribute the source of the countermeasure to an internationally significant technical, legal, or political standard. As it is, the state targeted with the countermeasure cyber operation would be more likely to abandon its initiative to implement an internet blackout than it would be to try to respond and counter the countermeasure.
The Internet Blackout in Iran Amid War with Israel
On June 13, following Israel’s initiation of an airstrike campaign against Iran’s nuclear program, the Iranian Ministry of Communications announced temporary internet restrictions in the country, including throttling and limiting of citizens’ internet access, to prevent cyberattacks and misuse by Israeli forces. As the conflict intensified, and in response to a cyberattack on Bank Sepah by the Predatory Sparrow (a self-proclaimed hacktivist group), these restrictions escalated into an almost complete blackout of internet connectivity for Iranians. Alongside the blackout, the Iranian regime curtailed the ability to make and receive international phone calls and limited satellite TV broadcasts. This left Iranian citizens unable to access crucial information, such as evacuation warnings posted by the Israel Defense Forces on social media, traffic updates, maps, and communication with loved ones in the strike zones to ensure their safety, thereby increasing the risk of further humanitarian consequences from Israeli airstrikes and regime repression.
Drawing from past experiences, activists both within Iran and abroad initiated efforts to counter the newly imposed restrictions. These efforts involved establishing new VPN and TOR Snowflake nodes and petitioning Elon Musk to provide Iranian citizens with access to Starlink and to offer the service for free. Some of these petitions succeeded, leading to Musk’s announcement that Starlink connectivity was now active in Iran. This development gave some Iranian citizens access to crucial information and led to another positive outcome: enabling Starlink’s direct-to-cell functionality, which allows owners of compatible devices to communicate via SMS despite the internet blackout.
While the activation of Starlink connectivity led some observers to declare victory over the internet restrictions imposed by the Islamic Republic’s regime, the reality is more complex. Accessing satellite internet via Starlink requires specialized hardware, which is scarce and difficult to obtain in Iran because of the regime’s ban on acquiring said hardware. Nevertheless, media reports suggest that there are as many as 20,000 Starlink terminals operating within the Islamic Republic of Iran, with some reports claiming up to 30,000 terminals, which would provide satellite internet access to approximately 100,000 people. Even at the highest estimates, Starlink internet access remains inaccessible to most of the roughly 92 million Iranians because of the lack of available terminals. Owning such terminals carries its own risks, potentially exacerbated by emerging jamming and detection techniques, as Iranian authorities consider possession grounds for persecution on espionage charges. Even the direct-to-cell functionality has a limited effect, as its use requires high-end modern devices that are unavailable to most Iranian citizens.
The prospect of Starlink’s unrestricted and unimpeded internet connectivity is indeed thrilling. However, while it serves as a valuable tool in circumventing internet blackouts, the challenges associated with gaining access to the technology raise questions about whether it is the optimal solution. A thorough examination of various reports on internet blackouts in Iran reveals a significant pattern. Although connectivity was severely restricted, leaving most citizens without access, it was not physically severed. Even amid the blackout, the Iranian border gateway routers continued to announce the Iranian IP space to maintain internet connectivity for the regime’s purposes. This suggests that the blackout was implemented at a logical level of cyberspace, that is, using software that determined who could and could not communicate with the outside world—a sophisticated, statewide firewall. Research into the physical network structure of the Iranian internet indicates that it was designed with choke points to allow for such interventions. Supporting this, reports from Iranian activists and discussions in online anti-censorship forums suggest similar findings, with claims ranging from identifying gaps in the blocking logic to reports of some users maintaining uninterrupted internet connectivity.
Offensive cyber operations have been shown to be effective in interfering with software systems, as demonstrated by cases such as widespread disruptions due to ransomware or the Stuxnet malware disrupting software controlling centrifuge operations in Iran. Therefore, if precisely targeted at the systems responsible for the Iranian internet blackout, a cyber operation could potentially disrupt it. Assuming that the blackout results from firewall-like network equipment preventing some users from accessing some network destinations, a disruption could be achieved by either removing the blocking rules or simply disabling the network-blocking equipment, for instance, through a malformed firmware update. The limited interconnectedness of the Iranian internet segment, designed to facilitate intervention with internet connectivity, minimizes the risk of unintended consequences often associated with such operations. Targeting the Iranian internet filtering system would directly address the human rights violations inherent in internet blackouts, granting Iranian citizens access to essential information. Moreover, these operations are temporary and reversible; the firmware can be reinstalled, and filtering rules can be rescinded as part of the operation’s dismantling.
The Islamic Republic of Iran posits that the principle of sovereignty fully applies to cyberspace and that controlling internet connectivity is required to preserve its economic, cultural, and social systems. As such, a cyber operation that successfully disrupts, degrades, or denies the Iranian regime’s ability to control the internet would likely be regarded by the Iranian regime as a violation of its sovereignty and domaine réservé and an act of coercive intervention. Despite this, the timing and properties of the proposed operations would likely lead to their being considered legitimate, even if they were conducted by a third party without the authorization of the UN Security Council.
***
If internet shutdowns and blackouts are to be considered human rights violations, the international community should move from strongly worded denunciation and reliance on non-state actors for partial solutions to a more robust response based on third-party countermeasures. In some instances of internet shutdowns, offensive cyber operations create a novel and promising pathway for implementing such measures. As demonstrated through the case study of the internet blackout in Iran following the armed conflict resulting from Israel’s June 13 airstrike campaign, such operations can be an effective measure. In the context of armed conflict, such measures might be able to move beyond being a countermeasure into the realm of humanitarian relief by providing access to vital information despite their coercive nature.