Israel will take part in a cyber arms race with its enemies, but it’s not clear which attacks will be permissible in the legal regime that’s slowly taking shape, writes a former deputy military advocate general.
“Israel faces a complex and challenging period in which we can expect both a cyber arms race with the participation of state and non-state entities, and a massive battle between East and West over the character of the future legal regime,” writes Col. Sharon Afek in a study crafted as part of his research at the National Defense College.
Afek presents a number of possible directions in which cyber law could develop, but he doesn’t believe that formal regulations will be drawn up in the near term. He says only an event like a “Pearl Harbor or Twin Towers attack in cyberspace” would spur efforts in this area.
The guiding principle is that force is to be avoided at all costs, with countries meant to find other ways to resolve disputes, Afek writes. Political or economic pressure is not considered force, but what about a cyber attack?
According to Afek, existing law already bans cyber operations that would directly cause death, injury or property damage, such as diverting a train off its tracks or undermining a dam. Thus every country must consider the likely result of an action, even if the attack is “virtual.”
Pretexts for war
But what about cyber operations that don’t cause physical damage but could still cause significant harm?
“One can create effects in cyberspace that fundamentally undermine the stability of nations through operations that are not kinetic,” writes Afek, referring to operations that don’t involve conventional weapons. “Cybernetic tools and capabilities that no one thought to forbid are liable to bring results perceived as a pretext for war.”
If a country’s citizens cannot surf the Internet, this could undermine faith in the banking system, paralyze the stock exchange or shut down government services, Afek notes. People would feel distress no less than during a conventional military operation.
“Such a country would feel a need to respond and would feel justified in doing so,” Afek writes. “The legal realm must provide a response to these types of cyber operations as well.”
Afek says that for a cyber action to be considered force, it must exceed a certain level of seriousness, like an operation that would significantly harm banking information and have an immediate financial impact.
Afek, however, says spying and information-gathering from computer systems in foreign countries are not considered “forbidden intervention.”
It gets even more complicated if a cyber attack takes place in the context of conventional warfare. Israel, for example, had to cope with cyber attacks during two operations against Hamas and other groups in the Gaza Strip – Operation Cast Lead in the winter of 2008-9 and Operation Pillar of Defense in November 2012.
“Cybernetic operations during an armed conflict could bring about a kinetic response against military targets and the rival’s fighters,” Afek writes.
Afek’s work was published as part of the Eshtonot series of military publications issued by the National Defense College’s Research Center. It analyses key cyber attacks, including the 2007 attack on Estonia that plagued the websites of government agencies, banks and media outlets.
Meanwhile, the Stuxnet virus set back the Iranian nuclear program. According to foreign media reports, the Israel Defense Forces took part in developing that computer worm, with the United States also playing a key role.
Israel is portrayed around the world as a cyber power, so Afek suggests that Jerusalem closely follow international developments and develop specialists in the field. The IDF has already appointed a legal adviser with the rank of major to deal solely with cyber issues.
Want to enjoy 'Zen' reading - with no ads and just the article? Subscribe todaySubscribe now