In April 2020, a serious cyberattack hit Israel’s water infrastructure facilities. Iran, Israeli officials alleged, had carried out the attack with the goal of tampering with the water chlorine levels—and Israel reportedly responded with a cyberattack against Iranian port facilities.
Recently, three more cyberattacks have hit Israeli companies. While Israel has not yet publicly attributed the attacks to any foreign state, media outlets report that Israeli cybersecurity experts have tied the operations of the main hacker groups behind these attacks—BlackShadow and Pay2Kitten—to Iran. These three attacks may represent the tip of the iceberg of an extensive campaign carried out against numerous Israeli companies. And in response, Israel seems to be increasingly turning toward international law to guide its approach to hostile activities in cyberspace—as suggested by recent remarks by Roy Schöndorf, Israel’s deputy attorney general for international law.
The first incident involved a ransomware attack against a major Israeli insurance company, Shirbit, which the company acknowledged on Dec. 1. Following Shirbit’s refusal to pay the ransom, the hacking group, known as Black Shadow, announced that it had started selling the private information of insured clients stolen from the company’s servers.
The second and third attacks were carried out by a group called Pay2Kitten, which used the ransomware Pay2Key. In late November or early December, the group hacked client data from the servers of Amital Data, a mid-size Israeli technology company that provides software solutions in the field of importation and logistics. The hackers made no ransom request—a fact that led to speculations that the attack had not been motivated by financial gains but, rather, was strategic in nature, aimed at harvesting information about the supply chain serving parts of Israeli critical infrastructure. Finally, in mid-December, Pay2Kitten leaked information stolen from the servers of artificial intelligence (AI) processor company Habana Labs, which is owned by Intel. The material related to the company’s "Goya" chip. This time, the group did make a ransomware demand—which Habana Labs has not yet agreed to pay.
It was against the backdrop of this escalating cybersecurity situation that Schöndorf spoke on Dec. 8 at the Naval War College. In his remarks, Schöndorf laid out for the first time the main contours of Israel’s positions regarding the application of international law to attacks in cyberspace. The speech appears to follow recent efforts by other states active in cyberspace—such as the U.K., Australia and Finland—to explain their legal positions after a period of time in which most states opted for silence and ambiguity.
In his speech, Schöndorf made the following key points, reflecting official Israeli positions on central themes in the law governing international cyber conflicts. First, he confirmed Israel’s position that the customary prohibition on the threat or use of force—by either a state or non-state actor, is applicable in the cyber domain—and that states have an inherent right to self-defense against actual or imminent use of force in the cyber domain, which amounts to an armed attack. Schöndorf did suggest, however, that under existing law a use of force must involve actual or expected, direct or indirect, physical damage, injury or death.
Second, Schöndorf opined that the fundamental principles of international humanitarian law (IHL) apply to cyber operations conducted in the context of an armed conflict. Here, too, attacks must be expected to cause physical damage to tangible objects. Still, even operations causing mere loss or impairment of infrastructure functionality could violate IHL obligations—for example, if the compromised infrastructure serves medical purposes, an attack could violate the obligation to respect and protect medical units under IHL.
Schöndorf stated that Israel does not currently have a position on the precise scope of the legal protection afforded under international law to the legitimate sovereignty interest of states in protecting their cyber infrastructure and data—whether that data and infrastructure is located inside or outside the state’s territory. But he did question the adequacy of the traditional understanding of the rule against nonintervention that has focused on coercive military interventions. According to Schöndorf, the rule can also cover support given by foreign states to armed groups operating in the cyber domain, such as providing them with information regarding the cyber vulnerabilities of the victim state.
As for due diligence, Schöndorf said, Israel considers that there has not been as of yet sufficiently widespread state practice, nor opinio juris, which could justify extending to the cyber domain customary international law rules of due diligence developed in the other domains. Finally, he noted that attribution remains a mostly technical matter that should not be overregulated; that the choice of whether or not to disclose information supporting attribution claims remains at the exclusive discretion of the state; and that there is no absolute duty under international law to notify the hostile foreign state in advance of taking cyber countermeasures against it, given the concern that preannouncing a cyber countermeasure might render the countermeasure obsolete.
The timing of the speech could suggest that in response to increasingly devastating cyberattacks, Israel is opting for more explicit reliance on international law as part of its cybersecurity policy. Neither this predicament nor the strategic decision in response is unique. In fact, it appears that the U.S. is at a similar crossroads. It is currently subject to a serious and highly sophisticated string of attacks directed at U.S. government agencies (such as the Department of Energy) and private industries (for example, Microsoft). And a number of influential voices inside the U.S. private and public sectors, including Microsoft President Brad Smith and President-elect Joe Biden, have called for a greater reliance on international rules and for a multilateral response to violations.
Israel has historically dealt with cyberattacks through upgrading defensive capabilities and engaging in under-the-radar deterrence and retaliation. But as such attacks become more frequent, dangerous and harmful, Israel—like other countries—appears to increasingly consider reliance on this strategy alone to be inadequate. The turn to international law appears to add more tools to the cybersecurity toolbox: both as a basis for tighter standards of conduct, including in the field of nonintervention and espionage, and with respect to the protection of data and influence campaigns; and as grounds for attribution of attacks, imposition accountability and sanctions. Arguably, a greater reliance on international law offers states the possibility of dealing with cyber threats through public diplomacy and multilateral sanctions. Such a reliance might also encourage them to accept mutual restraint in cross-border cyber operations and to exercise more intensive control over non-state actors active in this field. It remains to be seen, however, whether this approach will prove itself more effective than the existing and more informal paradigm.