Written by: Cormac O’Harrow
In all likelihood, you’ve probably heard of Stuxnet: a joint CIA/Mossad cyberattack that crippled Iran’s nuclear centrifuges in 2010. You may have even heard of Natanz, another Iranian centrifuge site that was targeted earlier this year and was attacked using a Stuxnet-style virus. This too was a Mossad, the Israeli Intelligence Agency, initiative. However, in the more than eleven years between these attacks, hundreds more have occurred. Aimed at government agencies, banks, and even entire internet networks, both Israel and Iran have felt the heat. The two have been embroiled in a years-long cyber conflict that threatens, now more than ever, the overall safety of both nations. A war that was once unknown to the public is bubbling up to the surface — and civilian populations have become fair game.
This back and forth game between the two states is gaining traction. Just earlier this month, more than 4,000 gas stations in Iran were disabled by suspected Israeli hacker groups in a move that crippled the regime’s tight control over its citizens by trying to sow instability. From an Israeli perspective, the attack seems to have worked. Iranians were seen hacking digital billboards to ask Khamenei, Iran’s current Ayatollah, “where’s the fuel?”
More than just creating instability, the gas attack was likely a response to yet another Iranian initiative last year. In a move that can only be described as brazen, the regime breached more than nine Israeli hospitals, pursuing a multitude of objectives, including the disablement of treatment systems. Though many of these objectives were not successful, Iranian forces managed to disable IT systems to such an extent that many hospitals were forced to revert to keeping pen and paper records, as well as having to delay procedures deemed non-essential for weeks.
The question at hand is not whether one side will eventually be crippled, likely creating a humanitarian crisis, but rather when that will happen. And the attempts are piling up. There seems to be no shortage of cyber ‘violence.’
International cooperation is key in trying to curb the attacks, whose potential could be devastating. From the chemical contamination of a country’s water sources to the remote ability to quite literally melt nuclear reactors, not much is truly safe in cyberspace. Yes, security can be heightened, but there is no real safety, especially between nations whose conflict existed long before moving online. With a soft beginning in 1979, Israeli-Iranian relations have only devolved in the decades since. Many attribute this change in relations to the Iranian revolution of 1978, after which the new regime classified Israel as the ‘Little Satan.’
The United States is not innocent in these conflicts. We too have contributed to carrying out these attacks, much to the advantage of Israel. That being said, there must be a facilitator that can help dictate the rules of engagement, at the very least. Civilian populations must be considered off-limits for potential attacks.
Even to the most amateur hacker, most everyone within the sphere of cybersecurity knows that the most defenseless targets are those who are unrelated to business or government, i.e. civilians and regular people. To take advantage of this fact, as Israel and Iran have, is simply unacceptable.
This concept of a global cyber-facilitator has been attempted but does not go far enough to deter international actors from committing acts of cyberwar. The Budapest Convention, a 2001 treaty signed by 65 countries, was intended to increase international cooperation in catching cybercriminals. The treaty, however, does not include crimes committed by states, but rather smaller-time cybercriminals, in denial of service (DDoS) attacks and the like.
Just as there exists the Geneva Convention, a set of rules dictating humanitarian treatment in war, there must be a cyber-conflict equivalent. From the perspective of constructivism, such a set of rules would put in place a shared normative framework from which countries and actors would be able to judge their own actions. This framework may not stop every violation, but would certainly make actors second guess their actions. Similar to how the violation of UN agreements and edicts result in sanctions and other international action, so must the violation in international cyber frameworks.