It is not every day that the response to an attack in cyberspace includes a destroyed building and potentially dozens of dead bodies. Sunday was such a day.
In the morning hours of May 5, the Israeli Defense Forces victoriously tweeted that “we thwarted an attempted Hamas cyber offense against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed.” ZDNet’s Catalin Cimpanu called it the first time that “Israel has used brute military force to respond to a Hamas cyber-attack.”
Naturally, the incident sparked heated discussions among analysts and pundits alike. Central to all their deliberations were two questions: Was the IDF’s response proportional to the harm suffered? And will this incident shift the debate about norms on deterrence and state behavior in cyberspace?
Let’s look at the legal angle first.
The concept of deterrence-by-punishment is the most widely discussed approach to deterrence in cyberspace, though it remains in its infancy in both theory and practice. If we accept the logic of the Tallinn Manual — an influential guide to applying international law to cyberspace — and the ongoing discussions on norms in cyberspace (and that is a big “if”), then deterrence by punishment is only acceptable in reaction to a nation-state cyber operation that caused — or will cause — severe harm. When such an attack is confidently attributed to a state, “the victim state may respond forcefully in self-defense [within a relatively short period of time] so long as doing so is consistent with the criteria of necessity and proportionality,” wrote Michael Schmitt, who edited the Tallinn Manual. Yet if the “passive cyber defenses are effectively foiling the attack, the victim state may not launch cyber or kinetic responses that would amount to a use of force.”
Does this apply to the IDF situation?
Yes and no. Under the Tallinn Manual, the focus on “passive” cyber defenses essentially implies that the attacker failed despite the defender being unaware of the attack even occurring. In practical terms, this is like an anti-virus program that quarantines a malicious file before the user even clicks on it. By contrast, an “active” cyber defense requires the user to act to counter an infection or intrusion. This could range from physically pulling a system’s power plug to capturing intrusion data for recovery purposes.
Unless the Israeli government publishes further details on Hamas’ cyber attack, we only have the IDF’s declaration that it would have harmed “the quality of life of Israeli citizens.”
So was the IDF’s response proportional?
Media reports do not give a precise timeline. But Hamas conducted its cyber attack between 9 a.m. Israel time on May 4 — when the first of several hundred rockets rained down in southern Israel — and 5:55 p.m. the following day, when the IDF announced on Twitter that they had destroyed the group’s cyber HQ.
The IDF is essentially declaring two things of legal import: that Hamas’ cyber operatives actively participated in the ensuing conflict and are therefore lawful enemy combatants, and that the IDF responded within hours – if not instantly – after the attack, which legally puts it in the temporal context of self-defense.
Was the kinetic strike proportional to the harm suffered?
No. But that is the wrong legal question. The bombing of Hamas’ cyber headquarters occurred within the broader conflict between Hamas and the IDF, which over the course of 48 hours saw more than 600 rockets fired at Israel and around 280 targets in Gaza destroyed. For all legal intents and purposes, this was a full-fledged war. That means Hamas’ cyber HQ falls in the same category as other legitimate military targets, such as the group’s Military Intelligence and General Security Offices, its weapons manufacturing compounds, and rocket launching sites. In other words, the destruction of Hamas’ cyber HQ would have been lawful even if Hamas had not conducted any related cyber attack.
Will this incident change deterrence and state behavior in cyberspace?
It depends. The DoD’s 2015 Law of War Manual says, “There is no legal requirement that the response in self-defense to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.” Little to nothing is known about the DoD’s offensive cyber operations and combat support missions in places like Iraq and Afghanistan. But Maj. Gen. James D. Bryan, who founded the DoD’s Joint Task Force – Computer Network Operation, explained in a 2012 speech that the 9/11 attacks “really changed the dynamics for us. We were about a 70/30 split between defense and offense…We’d actually treated cyber offensive missions as a kinetic effect generating things in terms of progress.” In 2015, the United States geo-located ISIS hacker Junaid Hussain with the help of a malicious link and subsequently killed him with a Hellfire missile at a petrol station in Raqqa, Syria. Was it proportional? Probably not. Was it effective? No doubt about it.
Some pundits have noted that Junaid was targeted years after beginning his hacking activities, whereas the IDF bombed Hamas’ cyber headquarters in near real-time. Even so, it would be good to recall President Obama’s words from 2016: “I think there is no doubt that when any foreign government tries to impact the integrity of our elections…we need to take action. And we will — at a time and place of our own choosing. Some of it may be explicit and publicized; some of it may not be.”
On May 5, the combined efforts of the IDF, military intelligence, and the internal security service Shin Bet culminated in the Israeli government choosing the time and place to publicly liquidate Hamas’ cyber operatives.