Retaliatory Cyber Attacks - A legal precedent? – Not this time Concerning Israel Defense Forces Airstrike against HamasCyberHQ.exe from 05/05/2019

I. The Airstrike on HamasCyberHQ and Its Media Echo

During the recent military conflict between Israel and Palestinian groups in Gaza the Israel Defense Forces conducted also air strikes on the weekend against a building, wherein Israel claimed the Hamas Cyber Operational unit was seated (https://twitter.com/IDF/status/1125066395010699264).

Some accounts took this information up and claimed a precedent there. It shall have been the first time a nation reacted to an ongoing cyber operation with a physical strike.

While this might be true or not from a factual perspective (which cannot be proven as other relevant physical counter strikes to cyber operations have not been proclaimed but can have been conducted clandestine) this constitutes no legally relevant precedent from an international law perspective.

Therefore the whole commotion about it may be premature, as I will show in the following.

II. The Relevant International Law

An airstrike on a building from one nation on another territory or a territory which is not considered a State (without any judgment with view to the legal status of the Gaza strip) is a military operation and physical attack in its original meaning – no doubts about that. Hence international law becomes applicable as it governs the relationship between States and/or other internationally accepted or acting entities. 

In international law such an airstrike becomes relevant with view to two legal orders: the ius ad bellum – meaning the question of the legality of the use of force [Part I] – and the ius in bello – the law of armed conflict and the law governing the conduct of hostilities.

Under ius ad bellum one of the universally accepted rules (customary international law) is the prohibition of the use of force (see Art. 2 (4) UN Charta). Thereby no transboundary force may be used. An obvious use of force is the use of military force – like artillery shelling or an air strike, which hits a building and/or partially destroys it.

One of the rare general accepted exceptions (also customary international law) to the prohibition of a use of force is the right to self defense (see Art. 51 UN Charta).

If a state is under an armed attack, it is entitled to use force against its attacker. This rule applies also to non-state actors, deduced from the legal precedents accompanying the 9/11 set by the UN Security Council Resolution (1368/2001) and the ISIS Paris attacks (however this still remains disputed).

It is furthermore accepted that an act of self-defense may also be conducted preventive, before the attack has been begun, meaning “instant, overwhelming, and leaving no choice of means, and no moment for deliberation” (so called caroline formula). 

III. International Law Transferred to Cyber Operations

With view to cyber it is by now generally accepted opinion that a cyber operation can amount to an prohibited use of force under certain circumstances – merely if their physical effect reaches the level of a conventional use of force (compare Rule 68 and 69 in the Tallinn Manual 2.0). This is possible as several cyber operations of the past like inter alia StuxNet, attacks on SaudiAramco and an attack on a German steel mill 2015 have shown.

Same holds true for the right to self defense as argued in the Tallinn Manuals (Rule 71 - Tallinn 2.0). This decisive legal step had been accepted by the NATO countries in the Warsaw Summit 2016. In conclusion a cyber operation has to be compared with a conventional operation inter alia with view to the act itself, the conduct, the intensity and especially its effects. By these criteria the legal framework and its legal consequences can be determined or at least found easier. Consequently, a cyber operation reaching the level of a conventional armed attack entitles a State to react with a use of force.

If in this case, a cyber operation of such an extent and with such grave effects had been ongoing or was in its beginning (preventive right of self defense) the Israeli air strike indeed would have set a legal precedent, by confirming the opinions and statements on the transferability of the rule of self defense with an act of state practice.    

IV. Transfer to the Airstrike of the IDF

However, this is not the case here. The Israeli Defense Forces (IDF) stated in their Twitter Post from the 05/05/19, 08:55 a.m. that “We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed.“

Thus, the airstrike was linked and referred to a (or several) cyber operation(s) by Hamas. The statement could be read as a justification with view to the right of self defense – as had been by some of the media and online articles on the incident. This however, would prerequisite that there had been no use of force and/or armed attack at or previous to the moment of the cyber operation and/or air strike. The cyber operation must have been the first act, which amounted to an armed attack to trigger the right to self defense of Israel. Also, this would require, that the individual (or several pinpoint) cyber operation(s) amount to an armed attack especially with view to its potential effects like a conventional armed attack.

Yet, this is not the case.

First, both cannot be proven with the available information. Especially, the IDF have not yet (please state or post if otherwise) released detailed information about the potential or ongoing cyber operation by the HamasCyberHQ.

Second, the airstrike happened on the weekend of 4th and 5th of May. However, the recent conflict started this Friday, the 3rd of May on the border of the Gaza Strip and Israel. A Palestinian sniper shot two Israeli soldiers during protests on the border. Therefore the violence escalated with multiple if not hundreds of rockets fired at Israel and multiple airstrikes by Israel on the Gaza Strip killing people here and there.

Thus, an armed attack was prevailing already, when Israel conducted the relevant airstrike against the cyber operatives of HamasHQ. Consequently, the airstrike cannot be a violation of the prohibition to a use of force as the use of force was already prevalent between Hamas and Israel in this moment. Therefore Israel did not need to rely on the right of self defense in this case with view to the cyber operation – as it also did not if you read the Twitter Post again carefully.        

V. Conclusion

Both, the cyber operation and the subsequent airstrike merely represent the contemporary means and methods of warfare of the 21st century.

The airstrike also raises questions under the law of armed conflict. These questions are addressed in a separate analysis, published on the v?lkerrechtsblog.

In conclusion no legal precedent has been set by the airstrike of the IDF. This single incident just affirms, that cyber operations found their way in the common toolbox of States and non-state actors and will be treated accordingly.  

Sadly, this does not help in any way as innocent civilians died and have been injured on both sides.

Dr. Tassilo Singer