IDF air strike against Hamas hackers shocks infosec world

When is it legitimate for a nation-state to respond to a cyber-attack with the use of force?

An air strike by the Israel Defense Forces (IDF) in retaliation to a cyber-attack by Hamas has raised questions over when – or whether – such a response can be justified.

Last weekend, according to the IDF, Israel was subject to a relatively unsophisticated cyber-attack on an unnamed target and retaliated with a physical strike on the alleged hackers.

“We thwarted an attempted Hamas cyber offensive against Israeli targets,” the IDF tweeted. “Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed.”

The tweet makes it clear that Israel regards the cyber-attack as an act of war, justifying the air strike.

And indeed, this isn’t the first time that a nation-state has retaliated to a cyber-attack with physical force.

Back in 2015, the US launched a drone strike to kill top ISIS hacker Junaid Hussain, who was blamed for leaking the personal details of US military and encouraging would-be Jihadists to treat this information as a target list.

However, the IDF bombing does seem to be the first time that a so-called ‘kinetic attack’ has been launched as a direct and immediate response to a cyber-attack. Could this set a dangerous precedent?

Acts of war: Proportionality and attribution

There’s been debate for a number of years over whether cyber-attacks should be regarded as acts of war.

Following the Sony Pictures hack back in 2014, for example, former house speaker Newt Gingrich commented: “You have foreigners coercing an American company, threatening American theaters and proposing to kill Americans. If that isn’t an act of war, what is it?”

In fact, the US has classified the cyber world as an official domain of warfare since 2011. (Cyber is the fifth domain of war alongside land, sea, air, and space.)

A NATO-sponsored academic study – the Tallinn Manual on the International Law Applicable to Cyber Warfare (PDF) – lays out the circumstances where a nation-state might be justified in mounting an armed response to a sufficiently serious cyber-attack.

The manual, compiled by legal experts and practitioners, grapples with the complex tasks of applying the general principles of international law to cyber operations (as part of the revised Tallinn Manual 2.0) and cyber warfare.

One such principle is that it is not permissible to target civilian infrastructures, such as dams and water supplies, even in a time of war.

If an enemy physically bombs a facility, it’s normally fairly straightforward to figure out who did it after the attack.

However, attribution for cyber-attacks is far more complex because of the possibility of launching an attack from compromised systems in a third-party country, among several other possible complications.

There’s also the question of proportionality. Little is known about Hamas’ cyber capabilities – but they’re not believed to be substantial.

The group is known to have targeted soldiers’ mobile devices with spyware, carried out phishing attacks, and breached websites rather than, say, crippling national utilities in a Black Energy or NotPetya-style attack.

“If you just take the air strike independently, it seems vastly out of proportion – the response is way stronger than the initial attack,” Beau Woods, cyber safety innovation fellow at the Atlantic Council, told The Daily Swig.

“If it were the sort of cyber-attack that affected hospitals or infrastructure, utilities, or the cars on the road, it would be different.”

It’s also noteworthy that the airstrike was launched after the attack was thwarted, raising additional questions about whether the bombing could be justified as an act of self-defense.

However, while the cyber-attack may have prompted the airstrike, the building appears to have been used by Hamas intelligence officers, making it a legitimate target in the wider conflict.

From this perspective, it can be viewed as bombing an enemy command center.

As a result, and despite the IDF’s tweet, the air strike may not be the game changer it initially appeared to be.

“I hope we are able to understand how this fits into international norms on cyber-attacks very soon,” says Woods, “so we can use this as a precedent that upholds international law rather than breaking it.”

Additional reporting by John Leyden

RELATED The next arms race: Cyber threats pulled into stark focus at Black Hat Asia