Crossing the cyber Rubicon: Views from both sides of the river

On the weekend of May 5, a month after a truce was agreed between Israel and Hamas forces in the Gaza Strip, violence again rose to levels not seen since 2014. Reports indicate that over 600 rockets were fired into Israel by Palestinian militants and were met by Israeli airstrikes on more than 300 targets. Upwards of twenty-three Palestinians and four Israelis were killed.

But the headlines from the weekend—at least in cybersecurity circles—focused on a single strike by the Israel Defense Forces (IDF) against an office building in Hamas territory. According to a May 5 tweet from the IDF, after successfully preventing an alleged Hamas cyberattack against Israeli civilian targets, IDF forces targeted and destroyed the building housing Hamas’s cyber capability.

While the IDF tag line was flippant—“HamasCyberHQ.exe has been removed”—the implications of the strike are serious enough: did the IDF’s airstrike ‘cross the Rubicon’ by using lethal force in response to hacking? A lot of talk, and a lot of tweets, have sprung up since the strike discussing this issue. But is this actually that big of a deal? Has the die truly been cast?

On the one hand…  

First and foremost, this is the first time in history that offensive hackers have (so publicly) been considered ‘fair game’ for lethal physical retaliation. “I think we just crossed a line we haven’t crossed before,” F-Secure Chief Research Officer Mikko Hyppönen tweeted May 6. Consequently, it is conceivable that this strike could set a precedent that would allow an authoritarian nation to justify their use of lethal capabilities in response to arguably benign cyber activity. This could be the first step onto a very slippery slope.

Secondly, the lack of information released by IDF regarding the nature of the alleged cyberattack and what Israeli systems were targeted raises additional questions. They stated that the goal of the cyberattack was “harming the quality of life of Israeli citizens” and that it was simplistic in nature. But without additional public information regarding the cyberattack, it is difficult to analyze whether or not this kinetic response was justified, necessary, or proportional. While states are not obligated to divulge sensitive threat intelligence information, a lack of transparency in this context is alarming due to the disparity in power between the two sides.

Finally, we should remember that in this context, these hackers were divorced from the theater of conflict—they were unarmed, and not a present and immediate threat to life. Jake Williams, a former member of the US National Security Agency’s Tailored Access Operations hacking group, used this fact to differentiate these actors from traditional combatants. “The key difference is that traditional combatants represent a clear threat to life that the hackers do not. If ISIS targets our troops on the ground in Iraq, people clearly understand they are in the line of fire. If ISIS targeted troops processing payroll in Fort Gordon, that’s a less legitimate target, even though those troops are combatants.”

But on the other hand…

As noted by Dragos’ VP of Threat Intelligence Sergio Caltagirone, targeting and killing remote operators has been a part of legitimate military operations since the 1950s. If you are engaged in a persistent battle against another force, you can—and should—expect your offensive actions to be met by any one of the many arrows in your opponent’s quiver. According to the commander of the IDF’s Cyber Division, Hamas’s cyber operations came during intense rocket fire between the two sides and was aimed at “harming the quality of life of Israeli citizens.” In this context, the Israeli airstrike is not surprising and is consistent with typical military actions.

Even in the context of US policy, this strike is not some global harbinger of things to come. While it is true that since 2011 US policy has been to reserve the right to retaliate with military force against a cyberattack, in reality this policy has lacked credibility. As stated by Michelle Markoff, deputy coordinator for cyber issues at the US Department of State, in respect to an isolated cyberattack against the United States outside the rules of engagement (that is, not part of an existing armed conflict), the United States would not in fact respond with military action as, absent loss of life directly caused by a cyberattack, doing so would be contrary to international law and US policy. Conversely, as is the case with the IDF strike, if a cyberattack against the United States was conducted inside the rules of engagement, the normal rules of armed conflict would apply, and the United States’ ability to respond with military action would be inherent—expressed policy or not. The IDF strike has not given—nor will it give—the United States any further power to respond with kinetic strikes to a cyberattack, meaning the above policy is still effectively ”meaningless.”

Perhaps this airstrike is important not for the precedent it sets, but rather for reminding everyone that cyberspace is actually nothing special: it can be bootstrapped by poor, non-state actors; it can and will be deployed in real time as part of traditional warfare; and in this modern age of hybrid warfare, states will not and should not feel limited to a like-for-like response to aggressive actions.

Conclusion

It remains to be seen whether this single airstrike will go down in history, but it has raised several important questions that must be answered: Who is or is not a legitimate target for a force defending against a cyberattack? Who gets to make the decision to use lethal force, with what level of transparency? What is the threshold for an action in cyberspace that provokes a lethal response?

One thing is certain: as warfare truly becomes hybrid warfare, and these types of actions and conversations become more commonplace, we should be careful to ensure that the rules around cyberspace and its place in warfare are shaped through foresight and guiding principles, rather than action and reaction.

Jack Watson is a program assistant in the Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative.

William Loomis is an intern in the Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative.

Image: A missile lands as smoke rises during Israeli air strikes in Gaza City May 5, 2019. REUTERS/Mohammed Salem TPX IMAGES OF THE DAY