Rule of Law: Obama, Israel and cyber warfare

If the US and Israel were patting themselves on the backs in the first round of cyber warfare, putting off questions about clear rules of engagement and grappling with possible international law limits, the party is over.

With US President Barack Obama in the neighborhood and several recent more defensive-minded moves being taken by Israel, it is worth noting a recent major leaked-announcement the US made about its cyber warfare rules of engagement, which will restrict its attack posture – and possibly Israel’s – in the future, if it hasn’t already.

Before jumping into the maze of cyber warfare law, it is important to state that how and to what extent the law of armed conflict applies and what rules there should be for cyber warfare is highly disputed.

In this vacuum, the US and Israel have launched highly aggressive and successful cyber warfare attacks on Iran, which have been largely credited for slowing down the country’s believed clandestine nuclear weapons program significantly and buying more time for sanctions and diplomacy to handle the issue.

That is why Obama’s new potential rules of restraint with cyber warfare are surprising and may significantly impact Israel’s ability to act aggressively in the future.

Unnamed senior US officials involved in developing the first set of US cyber warfare rules of engagement (essentially self-enforced legal limitations) leaked aspects of the new rules to The New York Times in February.

A few of the rules were highly significant because they impose restrictions not required by the laws of armed conflict.

First, the new rules of engagement state that almost no cyber attack can be carried out without presidential approval – though the law of armed conflict does not stipulate when approval for use of a particular weapon must be made by the head of state.

There are some very limited exceptions, such as shutting off an adversary’s air-defense network prior to an attack on that adversary, but the rule appears to be pretty broad.

Limiting the use of cyber warfare to presidential approval is an extremely restrictive approach, normally limited only to use of nuclear weapons, as getting presidential approval takes time – something that can have a serious cost in warfare.

It also sets a tone of taking a more conservative and defensive approach, sending the message to US cyber operatives that aggressiveness and results may not be as appreciated and may not even be supported if procedures are not carefully followed.

In addition to the more general rule, the US has specifically ruled out automatic counterattacks pending US efforts to more carefully determine where the attack emanated from.

Again, this restraint is not required per se by the law of armed conflict, which limits how aggressive US cyber warfare operatives can be and sends a message to adversaries of US restraint.

To the extent that experts are trying to decide how to apply the law of armed conflict to cyber warfare, attempts which have been hotly debated, the more careful “wait and see” approach of the new US rules seems to show a desire to find ways to employ the rule of proportionality.

The slower and less rushed the response is to an attack, the more likely it can be proportional.

Why does this more conservative approach matter to Israel? First, in most areas where Israel has received tolerant and patient legal reactions to more controversial warfare tactics, it has been where these tactics overlapped with newly aggressive American tactics.

In other words, few are ready to try to sanction or boycott the US and, when the US is fighting asymmetrical warfare in Afghanistan and Iraq using aggressive methods and interpretations of the laws of armed conflict, the pressure on Israel is also somewhat reduced.

Similarly, Israel might or might not have engaged in aggressive and offensive cyber warfare tactics against Iran without US cover, but US cover again certainly blunts criticism of such preemptive covert methods as violating international law.

But all of this can work against Israel if the US acts more conservatively.

Despite the success of the cyber warfare attacks on Iran, the US appears to be signaling a strategic retreat in offensive cyber warfare to a more defensive posture.

Now, if Israel goes it alone in a cyber warfare attack, it may have significantly less cover from legal criticism.

This is a problem because, while there is no accepted set of rules for cyber warfare law aside from the attempt to apply general rules of armed conflict like necessity and proportionality, any time that a state takes any preemptive action, whether using its air force, drones or cyber warfare, there is significant legal controversy.

This does not mean that Israel will not go it alone, but the likelihood of such offensive uses of cyber warfare – whether against Iran or others – is reduced, as there is always a diplomatic price and, with the International Criminal Court up and running, possibly a concrete legal price as well.

There are signs that Israel is following the US’s lead, with several recent statements by Israeli officials emphasizing its defensive cyber warfare capabilities instead of the offensive capabilities it was emphasizing not long ago.

In mid-February, The Jerusalem Post reported that the IDF has introduced its cyber defense control center into service. Staffed by 20 soldiers and operating 24/7, the center was put forth as a nerve center for defense, command and coordination abilities against cyber warfare attacks.

Then, last week, the Defense Ministry announced that it was setting up a new cyber body to support Israeli defense industries in coping with cyber threats, focusing on vulnerabilities from data storage, laptops and from use of Windows’s operating system, since many components are made abroad and can be tampered with.

What is the purpose of announcements of defensive cyber warfare capabilities, as opposed to the IDF and former defense minister Ehud Barak emphasizing offensive capabilities in June 2012 and after US-Israeli cyber success against Iran? It seems that the US, and possibly Israel as well, is trying to signal to China, Iran, North Korea and other possible attackers that they are willing to take their hand off the offensive cyber trigger and that their increased defensive capabilities may render attacks on the US and Israel less likely to succeed and not worth the cost and time investment.

International relations experts emphasize the importance of conveying a message convincingly to deter an adversary from attacking, such as the US’s public threats against the Soviet Union during the Cuban Missile Crisis.

Here, the US’s leaked announcement of its new restrictive cyber warfare rules of engagement, which appear in some areas to be even stricter than what the laws of armed conflict would require, may suggest a different tactic: alleviating adversaries’ insecurity about being attacked while changing the cost/benefit analysis of adversaries’ attacking.

Why have the US, and possibly Israel, decided to go more defensive? Put simply, the US and Israel, with their hyper hotwired economies and societies, have far more vulnerabilities and far more to lose than their adversaries do.

On Wednesday, the world took note of what appeared to be a North Korean cyber attack on hotwired South Korea.

In mid-February China was accused of hitting the US with cyber attacks, and both Israel and the US claim to have been victims recently – in Israel there are also allegations that many banks, telecoms and others have been hit but kept it quiet – with a noticeable increase after the attacks on Iran.

So one explanation may be that, with weak international law norms, a low probability of a multi-lateral treaty on reducing cyber attacks in sight and an increase in attacks on the US, the US is trying to unilaterally create new standards in the hope that its adversaries will reciprocate.

The timing of the announcement would support this theory, as, allegedly, the “top secret” rules of engagement have been discussed secretly for two years only to recently be partially leaked after a wave of attacks.

It may or may not be in Israel’s interest to do the same, but Israel has been emphasizing its defensive capabilities more and US military approaches have a way of impacting Israeli military behavior, sometimes whether it is desired or not.