[Editor’s Note: Mad Scientist Laboratory is pleased to publish the latest post by proclaimed Mad Scientist and returning blogger Marie Murphy. In the future operational environment, armed conflict in the traditional sense may be less prevalent, while competition may be the driving force behind national oppositions. On the cusp between these two lies crisis. In the following post, Ms. Murphy examines the threshold for responding to cyber-attacks with kinetic strikes during crises — Enjoy! (Note: Some of the embedded links in this post are best accessed using non-DoD networks.)]
Cyber-attacks are quickly manifesting as a ubiquitous feature of modern warfare. However, the consequences of launching a cyber-attack are becoming more unpredictable and dependent on the individual case. Due to the rapid progression of cyber capabilities worldwide; codified laws, ethics, and norms have not yet caught up for every situation. Clarified by recent events between the Israelis and the Palestinians, the threshold for using kinetic weapons against a cyber-threat or in response to a cyber-attack appears to be when, not if, it is appropriate to cross domains. The U.S. Army needs leaders who are capable of operating in ill-defined spaces which necessitate a decision between engaging in physical violence in response to a cyber-attack and retaliating in the same domain.
There is a small window of opportunity, aptly called the “crisis phase,” to deescalate rising competition-based tensions before the outbreak of all-out conflict in the present cycle oscillating between the two. Whereas it is more easily determined what actions are appropriate in the competition and conflict phases, the crisis phase is a delicate balance of communication, interpretation, analysis, and assumption. Cyber-attacks in general are features of all three stages; however, cyber-attacks which are followed by kinetic responses may more commonly fall into the crisis phase because there’s the possibility for escalation to physical violence – or not, if the violence serves as an effective deterrent or the initial attacker does not have the capabilities to escalate in the physical domain.
On May 5, 2019 Israel responded to an attempted cyber-attack from Hamas by destroying the building which housed Hamas’ cyber operations.i There was concern in the international community that this action had changed the rules of the game by permitting a state to respond with kinetic force to a cyber-attack which had no direct physical ramifications. The significance of Israel’s decision lies in that it is the first openly-acknowledged, immediate kinetic strike in response to a cyber-attack.ii The U.S. was the first state to use physical force in response to cyber activities in an airstrike targeting Junaid Hussain, an ISIS hacker, in 2015. However, this strike was planned months in advance, while the Israeli response to Hamas appeared to be in real-time.iii Appearances can be deceiving. There are several factors that lie under the initial shock of Israel’s retaliation:
– First, the kinetic response was not launched in the middle of a cyber-attack; it was initiated after the attack had already been neutralized.iv
– Second, it is probable that the Israelis had already collected intelligence on this target. The speed of the attack does not necessarily reflect the speed of the Israeli’s ISR technology and analysis.
– Third, Israel’s response could be viewed as a psychological operation as well, reminding the Palestinians that one side possesses overwhelming capabilities and has the will to use them.v
– Finally, this attack must be viewed within the context of wider, ongoing conflict and the power dynamic already established between the parties.
This last point is crucial. While Israel’s response was an unprecedented, even historical step, it occurred within the ongoing continuum of Palestinian/Israeli kinetic strikes and counter-strikes in Gaza. It was not an isolated incident and is not necessarily indicative of future offensive cyber actions being met with physical violence on a global scale. In the multi-domain operations conducted by actors around the world, it is to be expected that domains will begin to be crossed in a single exchange. As the character of warfare changes to become more digitally integrated and more technologically advanced (leading to increased C4ISR capabilities) the context of actions will factor in more greatly to decision-making. This means that standard, “play-book” responses may not apply to every future situation. Dynamism in all phases of conflict, specifically the crisis phase, is critical to avoid misinterpretations with global repercussions.
Cyber-attacks occur on a daily basis worldwide, but very few bleed out into the physical domain or create outbreaks of new conflict.vi There is little evidence to support a claim that cyber-warfare operations alone are likely to escalate into physical violence; responses are usually proportional to and in the same domain as the provocation.vii However, when there is a background of preexisting physical violence, like between the Israelis and the Palestinians, the chance of cross-domain operations increases. Israel’s response did change the status quo to a certain degree as kinetic measures were rapidly deployed instead of a “hack-back” response.viii There is an argument for a slightly disproportional response as a deterrent and show of force, but knowing where to draw the line is also critical.ix Israel’s actions also helped to clarify an ethical quandary about the role of hackers. The debate as to whether they are combatants seems settled: hackers are a viable target if they attack a government or military.x This leads back to the original question about defining the threshold: when to use a kinetic response?
The complexity and relative anonymity of cyber-threats makes them harder to define, but generally speaking today, the rules and norms for acceptable uses of cyber capabilities are determined by the context of the conflict they’re deployed in, what the power dynamic between the relevant parties is, and what the alternative or escalatory options are for each party involved. Every state also interprets cyber norms differently in accordance to what best suits their strategic interests. The U.S. “prefers an effects- or consequences-based interpretation of “force” or “armed attack” with respect to cyber-attacks.” Essentially, the U.S. does not want to “draw boundaries too tight” to the point where its own rules begin to interfere with its own cyber operations.xi There have been international conversations about legislating cyberspace, especially for the purposes of defining warfare and conflict-inducing activities, but nothing has been codified or ratified.xii
The U.S. Department of Defense has long maintained that it reserves the right to use any response, including a kinetic response, against a cyber-attack. The target of the cyber-attack would most likely determine the response: an attack on the U.S. economy, government, or military could warrant both a digital and a kinetic response. The decision rests on the cost-benefit analysis of action versus inaction, if there was a strong likelihood that physical retaliation could spiral into the outbreak of violent conflict, and if the cyber-attack can be positively attributed.xiii
An example of near-war cyber tactics in which the crisis is closer to the competition phase is the EternalBlue attack on Baltimore City. Hackers used this malware to hold city computers and systems hostage. Although no official U.S. Government statement has been made, multiple press outlets, including The New York Times, allege that the program was initially an NSA asset that the organization lost control of in 2017, having utilized it for five years. The vulnerability has since been patched by Microsoft, but hundreds of thousands of computers are allegedly still at risk. This attack hits America at its most susceptible sector– its “aging digital infrastructure.”xiv It also demonstrates how the majority of cyber-attacks are not responded to with physical violence, either because the attack cannot be positively attributed or the parties involved are unwilling or unable to escalate.
Cyber-attacks are becoming normalized facets of the competition, crisis, and conflict cycle. Whether or not using physical violence in response to a cyber-attack crosses legal or ethical lines depends on the context of the relationship between the attacker and the retaliator and prior conflict. With or without established norms and standardized accepted levels of response, cyber-attacks will continue to proliferate in all phases of military interactions. In a future of multi-domain operations, decisions about conflict escalation will likely depend on actions taken that are unseen by the public, so determining what is acceptable and what is escalatory is extremely difficult without understanding the full picture. But for now, there is a precedent for kinetic responses to be acceptable in the context of ongoing conflict. The threshold for using kinetic weapons does not appear to be if, but when, and just as importantly, when not to.
In the post above, Ms. Murphy shared her insights regarding one aspect of the future operational environment. Mad Scientist wants to hear your thoughts on The Operational Environment: What Will Change and What Will Drive It – Today to 2035? Learn more about our current crowdsourcing exercise here and get your submissions in NLT 1700 EDT, 15 July 2019!
If you enjoyed this post, please also see:
– CAPT L. R. Bremseth‘s Emerging Technologies as Threats in Non-Kinetic Engagements
– Ms. Murphy‘s previous posts:
Proclaimed Mad Scientist Marie Murphy is a rising senior at The College of William and Mary in Virginia, studying International Relations and Arabic. She is a regular contributor to the Mad Scientist Laboratory, interned at Headquarters, U.S. Army Training and Doctrine Command (TRADOC) with the Mad Scientist Initiative last summer, and has returned as a consultant this summer. She was a Research Fellow for William and Mary’s Project on International Peace and Security.
Disclaimer: The views expressed in this article do not imply endorsement by the U.S. Army Training and Doctrine Command, the U.S. Army, the Department of Defense, or the U.S. Government. This piece is meant to be thought-provoking and does not reflect the current position of the U.S. Army.
i Borghard, Erica D., Jacquelyn Schneider. “Israel Responded to a Hamas Cyberattack with an Airstrike. That’s Not Such a Big Deal.” Washington Post, May 9, 2019. https://www.washingtonpost.com/politics/2019/05/09/israel-responded-hamas-cyberattack-with-an-airstrike-thats-big-deal/?utm_term=.f51d1c1c3da0
ii O’Flaherty, Kate. “Israel Retaliates to a Cyber-Attack With Immediate Physical Action in a World First.” Forbes, May 6, 2019. https://www.forbes.com/sites/kateoflahertyuk/2019/05/06/israel-retaliates-to-a-cyber-attack-with-immediate-physical-action-in-a-world-first/#627141e5f895
iii Newman, Lily Hay. “What Israel’s Strike on Hamas Hackers Means for Cyberwar.” Wired, May 6, 2019. https://www.wired.com/story/israel-hamas-cyberattack-air-strike-cyberwar/
iv Gross, Elias. “The Future Is Here, and It Features Hackers Getting Bombed.” Foreign Policy, May 6, 2019. https://foreignpolicy.com/2019/05/06/the-future-is-here-and-it-features-hackers-getting-bombed/
v O’Flaherty, Kate. “Israel Retaliates to a Cyber-Attack With Immediate Physical Action in a World First.” Forbes, May 6, 2019. https://www.forbes.com/sites/kateoflahertyuk/2019/05/06/israel-retaliates-to-a-cyber-attack-with-immediate-physical-action-in-a-world-first/#627141e5f895
vi Newman, Lily Hay. “What Israel’s Strike on Hamas Hackers Means for Cyberwar.” Wired, May 6, 2019. https://www.wired.com/story/israel-hamas-cyberattack-air-strike-cyberwar/
vii Borghard, Erica D., Jacquelyn Schneider. “Israel Responded to a Hamas Cyberattack with an Airstrike. That’s Not Such a Big Deal.” Washington Post, May 9, 2019. https://www.washingtonpost.com/politics/2019/05/09/israel-responded-hamas-cyberattack-with-an-airstrike-thats-big-deal/?utm_term=.f51d1c1c3da0
viii Cimpanu, Catalin. “In a First, Israel Responds to Hamas Hackers with an Airstrike.” ZDNet, May 5, 2019. https://www.zdnet.com/article/in-a-first-israel-responds-to-hamas-hackers-with-an-air-strike/
ix Baker, Stewart. “Four Principles to Guide the US Response to Cyberattacks.” Fifthdomain.com, February 7, 2019. https://www.fifthdomain.com/thought-leadership/2019/02/07/four-principles-to-guide-the-us-response-to-cyberattacks/
x Gross, Elias. “The Future Is Here, and It Features Hackers Getting Bombed.” Foreign Policy, May 6, 2019. https://foreignpolicy.com/2019/05/06/the-future-is-here-and-it-features-hackers-getting-bombed/
xi Waxman, Matthew C. “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4).” Yale Journal of International Law, Vol. 36, 2011. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1674565
xii O’Flaherty, Kate. “Israel Retaliates to a Cyber-Attack With Immediate Physical Action in a World First.” Forbes, May 6, 2019. https://www.forbes.com/sites/kateoflahertyuk/2019/05/06/israel-retaliates-to-a-cyber-attack-with-immediate-physical-action-in-a-world-first/#627141e5f895
xiii Alexander, David. “U.S. Reserves the Right to Meet Cyber Attack with Force.” Reuters, November 15, 2011. https://www.reuters.com/article/us-usa-defense-cybersecurity/u-s-reserves-right-to-meet-cyber-attack-with-force-idUSTRE7AF02Y20111116
xiv Perlroth, Nicole, Scott Shane. “In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc.” The New York Times, May 25, 2019. https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html