Only time will tell if countries eventually establish proper cyber rules of engagement and punish those who break them
Cyberspace has been added to the fighting doctrine of almost all militaries today and for good reasons. One of the greatest advantages of attacking an enemy state through cyberspace is plausible deniability. Even if in the post-mortem of an attack the researchers are able to attribute it to a specific attacker, the attacker can always deny it, an option that doesn’t exist in clashes that take place in the “real world”. This provides a massive operational leeway to military operations in cyberspace, enabling governments to take actions without risking an all-out war. The low risk of offensive cyber operations translates to decision makers being much more trigger-happy when it comes to approving them. However, the attitude towards nation-state attacks seems to be changing, especially considering that attacks carried out in cyberspace can have kinetic implications in the real world.
Probably the most famous example of a nation state-backed cyber attack that affected the real world is Stuxnet. Attributed to the NSA and the Israeli military, the operation code-named “Olympic Games”, has inserted a malware to the computer network of the Natnaz nuclear facility in Iran, targeting SCADA systems and causing centrifuges used to separate nuclear material to spin out of control. Despite that the attribution was fairly clear and it was known who was most likely behind the attack, there wasn’t a firm response, and the situation did not escalate. This was a good case study for the benefits that cyber attacks have had all these years – it caused real world impact, yet despite being discovered and the likely attribution, there wasn’t an immediate retaliation.
This incident is in stark contrast to the more recent cyber skirmishes between Iran and Israel, which are still on-going as part of a larger campaign that is currently taking place. In April 2020, six facilities that were a part of Israel’s water infrastructure suffered a cyber attack that was attributed to Iran, succeeding to impact some systems but eventually caused no disruptions to Israel’s water supply. Unlike Stuxnet from a decade earlier, Israel responded and did so in force. According to US officials, Israel was behind a massive cyber attack in May 2020 that disrupted the operations of Iran’s largest sea ports to such an extent that it had to halt its operations, causing large financial damages. A Western official stated that the attack was a retaliation to Iran’s attack on Israel’s water infrastructure. If these claims are true, the attack on Shahid Rajaee port served as a message that cyber attacks would be answered in kind. Apparently, the threat has not deterred the Iranians as two additional attacks against Israel’s water infrastructure have been reported.
Retaliation to cyber attacks is not exclusive to Israel and Iran. During the Brussels Summit in June this year, the Heads of State and Government participating in the summit have issued a statement claiming that going forward NATO will consider treating cyber attacks against its members and its allies the same as it will physical attacks. This means that an attack against one member will be considered an attack on all alliance members. Furthermore, the issue insinuates that a military response is not off the table. NATO considers a wide variety of incidents as cyber attacks that may deem a response, including interfering in elections and other democratic processes, disinformation campaigns, as well as turning a bling eye to cyber criminals operating from a certain country’s territory (suggesting this statement was directed at Russia). While claims of retaliation to cyber attacks have been made in the past by others and did not eventually amount to any concrete action being taken, it does help shape public perception and indicate where the wind is blowing.
Cyber attacks have real world consequences and major impact to civilians’ lives. The Colonial pipeline attack serves as a real-world example of that. In Israel’s case, based on the reports, if the attacks on the water infrastructure would have been successful, it may have resulted in Chlorine contamination of the water and an ensued tragedy. We can no longer separate cyberspace and the real world and it seems that more policy makers indeed no longer see them as separate. Retaliation to cyber attacks may add a real cost to what is now low-risk military operations and could eventually remove the finger from the trigger when approving them. That said, it is becoming crucial that any retaliation is directed at the real attacker, which has always been tricky in this space, as well as make sure that civilians on the other side are not to be punished for the decisions of their government. Ever since nation states have entered the game, cyber has become a vastly more complicated subject both technically and at times morally. Only time will tell if countries eventually establish proper rules of engagement and punish those who break them.