A few weeks ago, the conflict between Israel and Palestine returned to the limelight once again. As we have seen many times before, the Israel Defense Forces (IDF) bombed Gaza in response to a rocket attack.
This exchange wouldn’t be out of the ordinary if it weren’t for one fact that may have major repercussions, given that it sets a precedent: one of the IDF’s operations didn’t happen as an Israeli response to a Palestinian attack; rather, it happened after detecting cyberattack actions from Hamas.
According to the IDF spokesperson, Ronen Manelis, the attack on the building where the supposed Palestinian hacker operations center was meant that “Hamas no longer has cyber capabilities after our strike,” The commander of the IDF’s Cyber Division revealed that the Palestinian organization’s cyberattack of the previous day aimed at “harming the quality of life of Israeli citizens.” The IDF didn’t go into further details about the specific targets of the cyberattack.
Cyberwar without borders_
The IDF bombing isn’t the first physical military response to a cyberattack: in 2015, the US armed forces eliminated an ISIS cyberattacker. Nevertheless, it can be seen as the first military reaction to a cyberattack from another territory. The question of the authorship of the attack is very important, since cyberwar provokes certain doubts about how states should deal with it.
Rules for how to deal with relationships between belligerent states in conventional warfare have been around for centuries. After the Peace of Westphalia, states drew up treaties and international standards to prevent conflicts. These treaties also aimed to ensure that, in the case that conflicts broke out, they proceeded in as limited and proportional a way possible.
But cyberwar is a far more complex chapter. In cyberspace, borders are much harder to define, and cyberattackers don’ behave like regular soldiers and cannot easily be identified. What’s more, they can now use goodware applications and scripts as weapons, which, in many cases, can slip past cyberdefenses. However, some of them can be just as dangerous as malicious tools, if not more so.
Action and reaction_
In practice, it is not that easy to determine the legitimacy or degree of the reaction to a cyberattack. This is especially true in the context of hybrid wars, where the damage caused by cyberattacks may transcend systems and computers to affect critical infrastructures to the point where human lives could be endangered.
Firstly, identifying the exact origin of the cyberattack is a complex process. Investigations into attribution often lead to groups whose links to states cannot be irrefutably proven, as has been the case with cyberattacks that have been launched between states over the years.
But even if state responsibility were to be proven, Vasileios Karagiannopoulos, Senior Lecturer in Law and Cybercrime, and Mark Leiser, Assistant Professor of Law and Digital Technologies explain that a military attack in response to a cyberattack would violate article 2.4 of the Charter of the United Nations, which protects territorial integrity and political structures. The exception to this point is the right to self-defense. If the state that has been attacked intends to respond, it must allege that it is defending against an “armed attack”.
Better solutions, shorter times, better decisions_
Given that war—and cyberwar—are, as the military theorist Carl von Clausewitz said, “Merely the continuation of policy by other means,” it is up to leaders to decide what the optimum response to large-scale cyberattacks is.
For this reason, the cyberarmies and SOCs of these states need to have access to advanced solutions. These solutions must be able to identify and respond to all kinds of cyberthreats in the shortest time possible, especially those that are harder to detect. It is important to remember that many new kinds of cyberattacks are not detected, and that the average time to detect breaches is now 175 days according to an M-Trends report.
Such as Orion, Cytomic’s Threat Hunting and incident Response solution, which allows SOCs to speed up the process of identifying, investigating, containing and resolving advanced cyberthreats that use Living-off-the-Land (LotL) techniques, such as scripts or pre-installed code, as well as hacking attacks.
Thanks to the standardization of the investigation processes, the detailed visibility that our telemetry provides, and the agility of access and analysis of data intelligence, threat hunting teams can drastically reduce the mean time to detect (MTTD) and the meant time to repair (MTTR) of incidents.
This way, with better solutions, standardization of its processes and shorter times to identify and remediate threats, SOCs can make better decisions based on data, establishing protocols and taking actions.