On May 5, the Israel Defense Forces announced on Twitter that “HamasCyberHQ.exe” had been removed “following our successful cyber defensive operation.” Later, Brig. Gen. “Dalet” (a pseudonym) explained that Israeli fighter aircraft had launched a strike on a building hosting Hamas cyber operatives. He said that they had been engaged in a cyberattack aimed at “harming the quality of life of Israeli citizens.”
This is a big deal in debates over cyber strategy. As cyberwarfare has become an essential instrument of power, the question of how it relates to traditional military force has become increasingly important. When a nation suffers a cyberattack, should it retaliate only through cyberattacks, or should it feel free to use physical force? Is moving from cyberattacks to physical attacks an escalation, which might cause further retaliation? And if a nation moved in the opposite direction — responding to a physical attack with a cyberattack — should that be seen as a dangerous escalation?
No one has good answers to any of these questions. That’s why U.S. cyberwarfare policy experts are talking about Israel’s actions. They want to know if Israel’s actions set an important precedent for the United States and other countries.
Why do people worry about escalation?
The key question is whether Israel, by responding to a cyberattack with a physical attack, engaged in what security experts call “escalation” and retaliated with disproportionate force. Many experts worry that cyberattacks might trigger escalatory “spirals,” in which nations retaliate against each other with increasing ferocity. Because cyberattacks often have unpredictable consequences, and because governments don’t yet share understandings about how to think about such attacks, these experts fear escalation.
During the Obama administration, worries about escalation reportedly tempered the use of cyberwarfare operations; instead, that administration developed strategies focused on deterring cyberattacks while focusing on U.S. State Department efforts to develop norms.
However, in recent years scholars conducting big data analyses, survey experiments, war games and theoretical analyses have found little evidence that cyberwarfare operations are likely to trigger escalation into physical aggression. So far, such operations usually involve tit-for-tat cyberattacks, or responses through legal, diplomatic or economic approaches.
For example, after the Stuxnet cyberattacks that damaged its nuclear program, Iran’s purported response was widely considered to be both feeble and late: A year after Iran discovered the attack, it launched technically unsophisticated cyberattacks against the U.S. financial system.
Did the U.S. ‘hack back’ at Russia? Here’s why this matters in cyberwarfare.
Similarly, the U.S. government responded to North Korean cyberattacks on Sony and its 2017 WannaCry ransomware attacks through indictments and sanctions.
More recently, the Trump administration has shifted to a more proactive stance to contest adversaries preemptively and in their own networks, based on the idea that the best defense can sometimes involve offense.
Did Israel escalate by using physical force to counter a cyberattack?
Given this background, at first glance, Israel appears to have escalated when it responded to a cyberattack by crossing the threshold into using physical force. Its response was also far more rapid than the only other publicly known instance of physical retaliation against cyberwarfare activities — when in 2015, the United States launched a drone campaign against Islamic State social media operatives. The United States took a long time to launch physical attacks against ISIS; Israel responded nearly immediately.
But there’s good reason to think that Israel’s response wasn’t a game changer. First, even if it were escalatory, it might have been a one-off — a single action is unlikely to change the rules of the game, since it runs counter to nearly everything else that has been happening.
Second, it may not even count as escalation. Israel’s airstrike took place in the midst of ongoing military operations against Hamas, prompted by the firing of 600 rockets from the Gaza Strip into Israel and the worst violence since 2004. In this context, a single airstrike in response to a cyberattack isn’t really escalation, since both Israel and Hamas were already using military violence.
Moreover, Israel didn’t escalate the overall conflict. Less than a day after the airstrike, both sides agreed to a cease-fire. It is entirely plausible that Israel seized on a low-cost, low-risk opportunity to neutralize Hamas cyberwarfare talent in the context of a current crisis.
Key takeaways from the Israeli election
However, it’s notable that the only two examples we know about where physical force was used to respond to a cyberattack both involved stronger countries using force against organizations that weren’t official national governments: the United States against the Islamic State and Israel against Hamas. It may be that countries are more willing to use violence against cyberwarfare adversaries with limited military force, which will probably have a hard time escalating in turn.
All this suggests that emerging scholarly evidence about limited escalation may be right. Hamas’s cyberattack did not set off Israel’s use of conventional military force. Nor was Israel’s response to a cyberattack more intense than the force it was already using elsewhere. However, Israel may have explicitly linked its airstrike to a cyberwarfare operation because it thinks that changing norms about restraint would help Israel deter future cyberattacks.
Norms that prevent governments from responding to cyberattacks with physical retaliation make it harder for states to credibly deter cyberwarfare adversaries from attacking them. Israel may have made it easier for digitally dependent nation states to deter weaker nongovernmental groups in the future.
Cyberwarfare may be less dangerous than we think.
Both those who fear escalation to physical violence and those who think it would be a good thing are likely to interpret this new incident in ways that flatter their preconceptions.
Erica D. Borghard is an assistant professor at the Army Cyber Institute at the U.S. Military Academy at West Point. Follow her on Twitter @eborghard.
Jacquelyn Schneider is an assistant professor and a core faculty member of the Cyber and Innovation Policy Institute at the Naval War College. Follow her on Twitter @jackiegschneid.
The opinions expressed here are the authors’ own and do not represent those of the Army Cyber Institute, U.S. Military Academy, U.S. Army, U.S. Navy, the Naval War College or the Department of Defense.