A recent New York Times article addressed the ongoing Iran-Israel cyber tit-for-tat, which has been going strong since at least April 2020. The piece comes on the heels of a cyber-attack that prevented people from purchasing gas at approximately 4,300 stations across Iran. The attack incapacitated the system Iranians use to buy gas at a subsidized rate, and roughly 12 days passed before operations were fully restored. Iran, as well as at least two U.S. defense officials, has pointed to Israel as the culprit.
Over the course of several months, Israel is suspected of perpetrating several attacks of this type that disrupted key services in Iran, ranging from traffic lights to train services to a nuclear facility. Even if the train services attack was not executed by Israel itself, it suggests that non-state actors, whether Israel sympathizers or Iranian patriotic hackers, may be following the governments' lead. Not one to play the victim, Iran has been retaliating in its own way against Israeli targets. Iranian actors are alleged to have attacked Israeli water treatment facilities in an attempt to alter the chlorine levels in water supplied to Israeli homes.
While the two countries have engaged one another covertly in most domains (air, land, sea, and cyberspace), over the past year both appear to have shifted their targeting away from traditional symbols of state power, such as military sites, individuals of interest, or government facilities, and toward civilian infrastructure. The intent of these attacks is quite clear: to inflict pain on each other's civilian populations and to demonstrate that neither government can protect its own citizens.
Iran appears focused on civilian targeting. In the days following the offensive operation against Iranian gas distribution, alleged Iranian actors conducted cyber-attacks against a major Israeli medical facility and leaked personal information from a popular online LGBTQ dating website. The attack against the medical facility, believed to be ransomware, brought down its medical and administrative computer systems. Shortly after this incident, the U.S. government and the Australian Cyber Security Centre released a joint advisory warning private sector organizations of the ransomware threat posed by Iranian actors.
Iran’s association with disruptive and destructive cyber-attacks is nothing new. Whether it be the distributed denial-of-service attacks against U.S. financial institutions during Operation Ababil or the wiper malware deployed against Saudi Aramco, Iran has used cyber-attacks during periods of geopolitical tension to register its discontent with some perceived transgression. Such digital responses are not so much offensive as retaliatory, intended to show that Iran can project power and “touch” a target regardless of what it is or where it is located.
Israel is no slouch either, repeatedly going head-to-head with Iran and trading cyber punches for the same reasons and to the same effect. According to a recent report assessing state cyber power, Israel ranked alongside Russia, China, and France in capability, notably one tier above Iran. However, as Iran’s own experience demonstrates, the ability to execute advanced attacks is not the same as the ability to defend against them. Like most connected countries, Israel struggles to harden its defenses, leaving it susceptible to the same disruptive or destructive attacks it doles out.
It would be a mistake to see this regional conflict as the norm between hostile states; the long-standing rift between Iran and Israel is too deeply rooted for anyone to think that coexistence is obtainable, at least for the foreseeable future. Yet states observe how other states act and gauge the international community’s reaction to incidents and events. The perception is that cyber aggression that is not immediately met with condemnation is acceptable, or at least tolerable. The extensive targeting of civilian infrastructure by these two states suggests that such attacks are now regarded as suitable in times of geopolitical tension short of armed conflict.
The fact that there has been little to no public criticism of these attacks from other nations or from international organizations like the United Nations (UN) grants tacit approval for their execution. Rule 1 Section C of International Humanitarian Law (IHL) considers directing attacks against civilians or the civilian population a grave breach, which suggests that unified public condemnation from the world’s largest international organization would be appropriate. That the UN has not reacted publicly is curious. One explanation is that IHL applies to armed conflict, leaving a gray area in international norms, or an outright loophole, for how to respond to cyber-attacks that fall short of it.
Trying to categorize offensive cyber activity under conventional definitions has been an ongoing challenge with little progress to show for it. There is no consensus on what constitutes norms of behavior in cyberspace as articulated through international law, and while NATO recently said it would consider a military response to a cyber-attack, there are no clear-cut criteria by which such a response would be triggered; the decision would be taken on a “case-by-case” basis. At present, NATO has made no statement about the recent suspected state attacks against critical infrastructure. This may be because the most recent incidents have not affected member nations. A larger reason may be that NATO does not want to commit to identifying the types of attacks to which it is prepared to respond. While this ambiguity may confer operational advantage, it also allows disruptive and destructive cyber malfeasance against civilian infrastructure to continue, and lets states push the severity of attacks against non-threatening assets.
The problem is that by not speaking up, governments and international organizations like the UN are unofficially establishing the rules of engagement for the cyber targeting of critical infrastructure without formally committing to them. Anything not immediately condemned and punished can be perceived as a viable course of action for states during times of geopolitical tension. Viewed through this prism, what is happening between Iran and Israel can be read as a normalization of how governments may leverage cyber-attacks against civilian infrastructure during such periods of conflict.
The more ambivalent the global response, the more cause there is for concern. Currently, there are several regions where flashpoints could quickly escalate into disruptive and/or destructive cyber-attacks against critical infrastructure short of military engagement: China-India, China-Taiwan, Iran-Israel, and Russia-Ukraine, to name a few. Notably, each of these countries has a significant offensive cyber capability that can be deployed against the other, and regional conflict has been known to spill into other areas of the world.
This is not to say that more traditional targets will not be considered during periods of tension; they undoubtedly will. But the civilian space widens the targeting aperture for offensive cyber operations, and, as history has shown, it is more difficult to defend. Disrupting civilian life to the point that a government must divert its attention and resources is tantamount to creating uncertainty, sowing social discontent, and eroding public trust, all of which produce a weakened state ripe for exploitation by an adversary. The longer these state-driven or state-sanctioned attacks continue, the harder they will be to rein in. In 2010, Stuxnet disrupted centrifuges at an Iranian nuclear enrichment facility. A decade later, electric grids have been attacked, water treatment facilities compromised, and critical supply operations interrupted, all designed to impact not governments but the populations they serve.
Nations should be clamoring for an international treaty that explicitly prohibits the targeting of civilian critical infrastructure, especially during tense periods short of armed conflict. That they are not is disconcerting, given that disruptive critical infrastructure attacks are becoming more brazen and go unpunished. Even non-disruptive cyber activity against critical infrastructure is increasing, with actors exploiting vulnerabilities to gain access for espionage or other purposes. This will only continue as states, and even cybercriminals, seek to compromise these targets for strategic and financial gain.
Non-binding international agreements like the Paris Call for Trust and Security in Cyberspace are more feel-good gestures than a practical way forward with measurable, mandated milestones. Recently, the U.S. Department of State announced the creation of the Bureau of Cyberspace and Digital Policy to engage in “cyber diplomacy” focused on cybersecurity, digital policy, and digital freedom. This seems like the right move at the right time, as the United States needs to re-establish and affirm its position as the leader in cyberspace while adversaries like China pursue their own plans for the Internet. The Bureau might begin by identifying like-minded nations that want to safeguard their populations from the kinds of attacks that hit Colonial Pipeline and the meat processor JBS, leaving consumers with shortages and higher costs. While those incidents were brief, attacks can be engineered to cause more lasting, far-reaching effects short of the actual destruction of architecture, systems, or processes.
Our country is already divided politically, with recent polling showing that less than half of Americans have confidence in the government. Another, more potent attack with longer-lasting effects might just erode the confidence of the other half.