Smoke rises from an explosion caused by an Israeli airstrike in Gaza City, Saturday, May 4, 2019.

Smoke rises from an explosion caused by an Israeli airstrike in Gaza City, Saturday, May 4, 2019. AP Photo/Hatem Moussa

Ideas

States Must Explain When a Cyber Attack Might Draw a Violent Reprisal

Without clear explanations that affirm rules of the road, countries make it easier for conflicts to spiral out of control.

Jonathan Reiber

|
Jonathan Reiber
By Jonathan Reiber
Senior Director, Cybersecurity Strategy and Policy, AttackIQ

When conducting a kinetic military response to a cyberattack, it’s better to explain why and how you are doing so.

A month ago, the Israeli Defense Forces, or IDF, responded to a Hamas cyberattack with an online counter-attack against the hackers followed by an airstrike that destroyed their building in Gaza. It remains unclear whether any Hamas cyberspace operators died in the operation.

This was the first time that a military has conducted a kinetic operation directly in response to a cyberattack in real time. It occurred in the context of decades-long hostilities between Israel and Hamas, and amid the worst fighting between the parties since 2014. 

The operation may have been warranted. Unfortunately, the IDF didn’t explain much about it, so the world cannot tell. We don’t know what Hamas was trying to achieve, why the IDF felt that the strike was justified, or just what Israel’s policy is for countering cyberspace operations.

Related: NATO Getting More Aggressive on Offensive Cyber

Related: Did Israel Have the Right to Bomb Hamas’ Cyber HQ?

Related: Cyber Deterrence Done Right: The Coordinated Actions Against Huawei

Here’s the problem: the internet, itself just 36 years old, is still a relatively new domain of warfare. As a historic first, this operation needed Israel to explain itself a little more than it did. What did Israel think Hamas was trying to achieve? Why was the response warranted? 

All Israel needed to say was something like “Hamas was targeting our military/hospital/government infrastructure and we deemed their operations to be a threat to our national security. On that basis, after conducting a cyberspace operation against Hamas, we determined that the appropriate course was to neutralize the threat. This operation occurred within the law of armed conflict just like any other operation.” But Israel chose to say no such thing. 

Absent clear explanations that affirm rules of the road, countries risk setting a dangerous escalatory course for themselves and others. In the future, if State A conducts mass online banking theft during the course of hostilities, would a military response to the hackers be warranted? The short answer is: maybe. The onus would fall on the escalating country to explain how and why it felt that an escalatory operation (of any kind) was warranted and just.    

There is already policy precedent for kinetic operations against hackers. In 2011, for example, the Obama administration declared in its International Strategy for Cyberspace that “When warranted the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” 

What are some possible scenarios for how states could respond kinetically to cyberspace operations in the future? We can map at least three hypothetical scenarios. 

A cyber event crosses a conflict-initiation threshold. If a State A, not otherwise at war, launches a cyberattack that cripples State B’s critical infrastructure, the latter could respond by launching a kinetic operation to decapitate State A’s cyber command-and-control structure. In this instance, it would be up to State B to determine whether State A’s activity warranted a military response. In the United States, as we said in the 2015 DoD cyber strategy, cyberattacks and potential responses to them “are assessed on a case-by-case and fact-specific basis by the President and the U.S. national security team.” Just as importantly, when the United States has responded to a cyber attack, the government has tried to explain its rationale for response, whether that response is indictments or sanctions or kinetic operations.  Explanations can help to affirm the law of armed conflict, establish rules of the road, and set a course for the future. 

A cyberattack amid a wider conflict draws an immediate kinetic retaliation. This is similar to the case of Israel and Hamas. There are a range of international disputes that could trigger conflict in cyberspace or kinetically. Imagine a crippling hack in India (or Pakistan) that leads the country’s military to bomb its adversary’s cyberspace command centers. The responding state would have to explain how and why it made the choice that it did.

An authoritarian government uses kinetic attacks to suppress domestic protestors. As we mark the 30th anniversary of the deadly crackdown in Tiananmen Square, imagine a group of dissident Chinese hackers who launch a cyberattack in a bid to weaken China’s state control of the internet — and the government’s likely response. This scenario is by no means unique to China; a narrative of online resistance and kinetic response could play out in a range of authoritarian states.

In some instances, states may be justified in deploying kinetic options against cyberattackers. In others, they may not. For any government that hopes to maintain political legitimacy during an internal or external conflict, it is up to its officials to explain their strategic choices to the public and to situate the operation within appropriate legal norms. Public statements will help countries to develop a language of restraint and proportionality in the evolving landscape of war.

NEXT STORY: A New Industrial Base Is Taking Shape. Call It the Military-AI Complex.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.