Israel and Iran: The Cyber War
In April 2020, Iran allegedly executed cyber attacks against Israeli water systems. According to one report, six facilities were targeted, resulting in a pump at one site operating continuously, the destruction of data at another, the manipulation of data at a third, and the takeover of an operating system at a fourth. In one incident, it appeared that the attackers attempted to modify chlorine levels in the water supplied to Israeli homes. The attacks prompted Israel’s Water Authority to mandate that all installations change their passwords as a precaution. The seriousness of that particular attack rose to the level of the Israeli government, where unnamed officials were quoted as referring to it as going “against all codes of war.”
Not one to shy away from leveling retribution when attacked, Israel allegedly responded in May with a cyber attack against Iran’s Shahid Rajaee port, one of two major shipping terminals. The impact was immediately felt. Shipping traffic halted when computers that regulated the flow of vessels, trucks, and goods crashed simultaneously. The disruption caused massive backups on the waterways leading to the port, which is strategically situated at the Strait of Hormuz.
Not to be outdone, Iran retaliated in June with two more cyber attacks. The first targeted agricultural pumps in Galilee while the second struck water pumps in Mateh Yehuda, according to Israeli press. However, unlike the April attacks, these two facilities were smaller and supported agricultural efforts, and not people’s drinking water. The attacks did not cause any significant harm.
Then in July, an Iranian nuclear facility suffered a fire that Tehran hinted might have been the result of a Stuxnet-like cyber attack. Of note, the fire was the latest in a series of destructive incidents that have impacted oil refineries, power plants, and major factories across Iran. Despite intimations that a cyber attack caused the fire, no evidence was presented to back the claim. While, at this time, the fire was likely the result of a physical attack, the timing of the incident, taken in context with the preceding events, reveals how cyber tit-for-tats can easily escalate in targeting and magnitude.
Incidents such as these incorrectly support alarmists’ claims of “cyber warfare,” a sensationalist term that summons images of catastrophic damage, blown-out power grids, plummeting aircraft, and any other major worst-case scenario affecting critical infrastructure. However, a more discerning perspective reveals a less dire reality. This is not to suggest that cyber attacks cannot be used as a precision instrument to inflict severe damage. Any cyber attack that breaches, probes, or seeks to manipulate, disrupt, or destroy information systems or the information resident on them can potentially cause serious consequences. But a look at the broader swath of cyber attacks allegedly conducted by nation states is more indicative of a domain well suited to leveraging disruptive cyber acts as a signaling agent or to register discontent, particularly in unresolved economic, political, or territorial disputes.
In most instances, governments do not admit their involvement as the orchestrators of the attacks, though typically the geopolitical environment certainly helps in identifying “who benefits” from the act. In addition to the difficulties of attribution, the use of cut-outs and/or patriotic hackers further shrouds states in a veil of plausible deniability. And while governments can claim they didn’t direct the attacks, their silence translates into tacit approval of them. Examples of such attacks include the Operation Ababil distributed denial-of-service attacks targeting the U.S. financial sector, the 2007 cyber attacks against Estonia, and those suffered by Georgia in 2008. Furthermore, low-level cyber attacks have occurred between hacker communities supporting their countries against adversaries on the international stage, as evidenced by the activities of the Syrian Electronic Army and the hacker wars between China and the U.S. in 2001 after a series of international incidents between the two countries.
Similarly, regional antagonists continually leverage the digital domain to support their respective countries and governments. As observed in ongoing online engagements between Indian and Pakistani hackers, historical regional animosity is a catalyst for cyber attacks. Iran and Israel have a long, hostile relationship rooted in Iran’s refusal to accept Israel’s right to exist as a state in the region. This sentiment has carried over into the political, diplomatic, and economic arenas. Unsurprisingly, the acrimony has played out in cyberspace, where Iran and Israel have traded attacks for nearly a decade, starting with the deployment of Stuxnet against an Iranian nuclear facility in 2010 and up to the latest alleged attack against Iran’s Natanz facility.
More important than what prompts such attacks is how governments select targets and execute strikes against them. The recent cyber back-and-forth is informative in ascertaining how states use attacks, what they consider fair targets, and how they weigh the appropriate severity and proportionality of those attacks.
While targeting civilian critical infrastructures may have once been considered a taboo (if not an outright unofficial redline), there are several examples where infrastructures have been purposefully disrupted. Suspected state-conducted cyber attacks against civilian critical infrastructures include the 2013 breach of a U.S. dam, the 2017 disruption of the Ukraine power grid, and a May 2020 ransomware attack against a Taiwan energy company. According to a January 2020 report by a company focusing on industrial cybersecurity protection, a growing number of threat groups are targeting electric utilities in North America. Such findings quickly belie any assumption that civilian critical infrastructures are off limits.
The Iran-Israel exchange may have done no serious damage, but the fact that both willingly attacked civilian targets and did not suffer any stinging repercussion for doing so may open the door for others to do likewise in future engagements. The more governments resort to this, the greater are the chances of problems occurring, thereby risking potential escalation. Misinterpretation of an attack, victim perception of disproportionality of targeting or resulting damage, and/or attacker inability to curb the impact of a strike can compel victims to retaliate in kind, quickly and severely. While states remain at an impasse in trying to determine how to operate in cyberspace, protecting civilian infrastructure should be an area upon which most would agree. A lone treaty safeguarding this important segment of society would be a watershed moment, a confidence building measure on which future agreements could be based. Otherwise, we can expect more of these incidents that continue to push and test not only the boundaries of what can be attacked, but also the public’s willingness to accept such attacks.