For decades now there has been something of a tacit agreement among nations that spying and hacking are not enough to constitute acts of war, and that these battles are to be kept in the shadows for the most part. The general public is occasionally impacted by this quiet cyber war in the form of a personal information breach or a state-sponsored raid on the confidential assets of a private company, but attackers have generally stopped short of executing virtual attacks that create real damage in the physical world.
Israel and Iran have crossed that line in recent months, and may be redefining the terms of cyber warfare. Attacks by each on the other’s public utilities and ports have caused physical disruptions that impact the general civilian population, a move that could force a change in the unspoken rules of cyber defense as non-government entities are increasingly drawn into the fray.
The global cold cyberwar
Incursions by rivals (and sometimes even allies) are practically routine throughout the world. They are tolerated without serious consideration of physical retaliation, and often without the public even being notified, so long as they stick to espionage and perhaps the occasional ransom attempt or destruction of data.
A late April incident in Israel appears to have upped the ante. An attack on Israeli water and sewer facilities created some temporary disruptions in certain local water systems. The Israeli government initially reported it as a technical malfunction, but later blamed an attack from Iran routed through United States and European servers.
Israel appears to have retaliated in early May. A cyber attack on Shahid Rajaee Port targeted the operating systems of private shipping companies, disrupting operations and causing a chain reaction of road and waterway congestion that lasted for several days. Anonymous Iranian officials later told the Washington Post that the attack was believed to have come from Tel Aviv.
Neither of these attacks rises far beyond the level of cyber mischief, in that they did not cause damage that was lasting or a serious threat to the well-being of the population. However, they did cross an established line in the unspoken global cyber war regulations; while nations regularly probe each other’s public utilities for vulnerabilities and ways to set up a persistent presence, they almost never escalate to actually executing an attack.
The use of cyber war methods to cause real-world damage dates back to the Stuxnet attack a decade ago, which both Israel and Iran were involved in. The attack was directed at Iran’s plutonium enrichment facilities, and consisted of a worm that caused centrifuges to spin so fast that they became inoperable. Israel is widely believed to have collaborated with the United States on the attack.
Iran is among the more active nations in the world in terms of maintaining state-backed advanced persistent threat (APT) groups that engage in cyber war activities against rival nations. The country has about 10 named APT groups including Charming Kitten (the group that hacked HBO and leaked Game of Thrones scripts) and MuddyWater (a group that has been very active in attempting to steal cryptocurrency since Bitcoin prices spiked in 2017). These groups are generally not among the world’s most sophisticated, but they are extremely active and persistent. On the opposite side, Israel’s Ministry of Defense is not known to maintain APT groups but does have some of the world’s most advanced cyber war capabilities.
If attacks of this nature stay close to the “mischief” level, the prospect of physical retaliation remains very unlikely. However, a shift to open targeting of civilians and public assets raises the possibility of an attack getting out of control and going too far. The more common these sorts of attacks become, the more likely it is that an unplanned “black swan” incident emerges and changes the game entirely. Such a thing nearly happened with the Stuxnet attack, which escaped the target systems in Iran and made it around the world, including to systems back in the United States.
The international rules of cyber war
Conventional war is governed by an extensive range of agreements and treaties. Cyber war has almost nothing equivalent in terms of international agreements.
Some commentators believe that Israel’s evasive answer about responsibility for the retaliatory attack on the Iranian port was meant to be an indirect drawing of a line, the message being that the country is willing to escalate if it is attacked in a similar manner again.
Twenty-seven United Nations member states signed on to an agreement in 2019 to develop an “evolving framework” for cyber warfare rules, but Israel is not among them and Iran is not a member. In the absence of formal guidelines, each state has to draw its own national security policies in what could turn out to be a very dangerous game of “chicken.”