Bronte Munro | Cyber & Technology Fellow
On the 14th and 19th of May 2021, the Israeli military conducted consecutive airstrikes against houses in the Gaza Strip that were allegedly home to Hamas cyber operations. The announcement came via the Israeli Airforce Twitter account, and closely mirrored the Israeli military’s bombing of Hamas cyber bases in 2019. Despite a two-year lapse between the attacks, Israel remains the only nation-state to have responded to cyber threats or cyber attacks through conventional military force. International concerns around the establishment of this precedent largely revolve around the perennial issue of how states can respond proportionately to cyberattacks.
International Law in Cyberspace
Cyber attacks are notoriously difficult to attribute, let alone in a timely and accurate manner. Compounding this challenge, cyberspace is an evolving tool that connects both the public and private sector, making its vulnerabilities largely unknown and constantly changing. Israel’s decision to respond to cyber activity through physical retaliation signifies a move away from the use of soft power diplomacy and covert cyber offensives which have, to date, been the favoured response mechanisms of states. Instead, this physical response has brought to the fore the question of ‘what is an appropriate response to cyber attacks?’ when the impact of a cyber attack is seldom physical, and loss of life is rarely a direct consequence. Existing international law around state behaviour in cyberspace is loosely defined, and efforts by the United Nations to gain consensus on parameters for engagement have been inconclusive. For example, initiatives such as the UN Open-Ended Working Group on cybersecurity failed to develop consensus on cybersecurity laws by its July 2020 deadline.
The reluctance from the international community to define international cybersecurity laws largely boils down the fact that states are benefiting from the relative freedom of cyberspace. The high level of anonymity and stealth that cyberspace enables, acts as a ‘security blanket’ for states to pursue their foreign policy goals without the usual constraints of the physical world. The unspoken understanding that all nations are engaging in cyber offensives has ensured state responses to significant incidents have remained confined to diplomatic reprimand and unattributed retaliation in cyberspace. This mutual understanding is evident in the US’s response to the 2014 hacking of Sony Pictures Entertainment by North Korea, where President Obama limited the US’s retaliations to economic sanctions and public disapproval. Similarly, US cyber offensives against Iran in 2018 elicited responses contained to cyberspace, despite escalating tensions between the two nations at the time.
What Does This Mean for Cyberwarfare?
The extent to which cyberspace can be effectively utilised as a weapon is still largely unknown to the general public. The capacity for cyberwarfare to cause physical destruction was established in the 2009 Stuxnet attack where Iran’s nuclear facilities were targeted by malware, which caused the nuclear centrifuges to spin undetected at unsafe speeds. The resulting physical damage demonstrated how cyberspace could affect conventional military capabilities. The attack was attributed to joint efforts by the US and Israel, but was never publicly claimed by either nation. Regardless, when taken in light of Israel’s aforementioned retaliation to Hamas’ operations, it suggests that Israel remains keen to continue challenging the parameters of cyberwarfare technology and the limited norms that govern state responses to attacks.
What is alarming about Israel’s engagement with cyberspace compared to other nations, is the willingness to punish cyberattacks using physical force. In 2021 alone, the Centre of Strategic and International Studies has recorded over 50 significant state-related cyber incidents. This represents over 50 opportunities for ongoing warfare if other nations were to follow in Israel’s footsteps and retaliate to cyber attacks using conventional military force. When considering that cyber attack attribution is rarely conclusive, and the risk of misplaced retaliation is significant, the danger of Israel’s establishing this precedent is evident. Therefore, whilst the weakness of international law in cyberspace is enabling nations to experiment with their capabilities within the grey areas of acceptable behaviour in cyberspace, the danger lies in the establishment of potentially lethal norms that could increase the likelihood of kinetic warfare.
Going forward, states need to prioritise dialogue around cyberspace that works to develop laws that protect the peace and security of the international community. Cyberspace holds significant potential to be exploited as a destructive weapon, and proactive policy that mitigates the potential risks associated with unchecked cyber developments is crucial. Israel’s bombing of unarmed hackers, whose crimes were contained to cyberspace and had no direct physical consequences, should signify to other states the importance of engaging in cybersecurity dialogue, lest they become the recipient of a similar and unanticipated response.
Bronte Munro is the Cyber & Technology Fellow for Young Australians in International Affairs