Only the state’s democratically elected representatives take the responsibility of risking the welfare of its citizens by deciding where, when and how to retaliate.
Imagine that NATO or Israel is under attack by rockets. Would it make sense for a citizen to take up his rifle, get into his car and, on his own, begin attacking newsstands or banks on the other side of the border? Or would he be better off checking in with his reserve unit and following the instructions of his superiors there and of top political figures?
As the world wakes up to the seriousness and difficulties of cyber-defense, it is becoming clearer that self-appointed cyber-vigilantes are more often than not a hindrance. In January 2012, low-level cyber-attacks on a few Israeli targets by self-proclaimed “Saudi hackers” led to the rise of an Israeli cyber-vigilante group, the “IDF Team.” Mid-month, the IDF Team crashed the institutional websites of the Saudi Arabian and Abu Dhabi stock markets, acts that were strongly criticized by Intelligence Minister Dan Meridor. The need to rein in “patriotic” hackers is not new. Back in February 2003, as the United States was preparing for war in Iraq, the FBI’s National Infrastructure Protection Center had to warn American hackers against launching cyber-attacks against Iraq.
Patriotic hackers have been around since the turn of the century, and neither their initial attacks nor their reprisals have ever proven clearly effective. In one of the oldest cyber-conflicts, such hackers from both India and Pakistan have been challenging one another since the Indian nuclear test at Pokhran in 1998. That provoked the defacement of the Bhabha Atomic Research Center website. Retaliation by Indian hackers followed in 2000 – and attacks waged by groups calling themselves the Pakistan Cyber Army and the Indian Cyber Army continue to this day. As the Pakistani newspaper Dawn concluded in 2011, “the Pak-India Cyber War is futile.”
In the Middle East, a face-off between Palestinian and Israeli hackers began as early as 1999, and only grew in intensity after Israeli teenagers jammed Hamas and Hezbollah websites in September 2000. Here too, little has been achieved from this conflict.
These patriot games follow several similar patterns: For one, they are motivated by ideology and fueled by the headlines – therefore, they fade away when a story falls off the front page. Second, “patriots” need to contextualize and publicize their actions by bragging about them. Not only that, but there seems to be an inverse proportion between the limited level of their techniques and impact, and the exaggerated nature of their bragging.
In no way can the attacks of cyber-hackers be compared to the silent and ruthless sophistication of weapons such as the Stuxnet worm, which has infected the centrifuges of the Natanz uranium-enrichment plant in Iran. Maximum impact requires utmost discretion on the attackers’ part. This applies to cyber-warfare, a serious threat today, when the industrial world is run on corruptible digital data. The current “patriotic conflict” is too noisy to be very serious.
Patriot-hacker groups can actually create problems for the nations they want to defend. First, a patriotic hacker’s response to a cyber-attack does not help to answer one of the key questions of cyber-warfare: Who is really behind the attacks? And if the aggressor is not credibly identified, it will not be possible to deter future attacks. Deterrence does not mean revenge. It is sending a message. It requires the correct recipient address. But if reprisals are waged against the wrong people – you lose credibility, and create new enmities.
Second, retaliating in kind against other civilian targets implies lowering the bar of accepted behavior to the level of the attacker.
It legitimizes actions that fly against the laws of armed conflict – namely, avoid civilian targets unless they are linked to clear military objectives. The Stuxnet worm was designed to be activated only in the presence of specific Iranian software linked to centrifugal management, and to keep civilian collateral damage to a minimum. Saudi hackers, on the other hand, have tried to attack Israeli hospital websites. One can only hope that the IDF Team does not respond in kind.
Both of the above factors create a third risk: Of becoming the victim of manipulation. Back in the early 2000s, at the time of the first flare-up between Israeli and Palestinian hackers, Brazilian hacker groups attacked both sides with the intent to show up, and inflame, each side’s participants. Deception is a central modus operandi for hackers.
Now, imagine a speculative scenario in which hackers from Iran, posing as Saudis, begin hitting Israel, and elicit Israeli counterattacks on Saudi Arabia and the Gulf states. The Iranians may find it useful to stir up as much as possible the anger of Gulf states’ populations against Israel, as Israel contemplates all options against Iran’s nuclear program.
The goodwill and talents of patriotic hackers can be very helpful. They can identify a nation’s security flaws, gather clues about attackers and then coordinate their responses with defense institutions. Indeed, 10 years ago, a hacker group calling itself the Israeli Internet Underground succeeded partly in doing that.
However, the ability to strike abroad must remain the prerogative of the state. Only the state, with access to both open and covert intelligence, can make the correct assessment of the situation and avoid manipulation. Only its democratically elected representatives take the responsibility of risking the welfare of its citizens by deciding where, when and how to retaliate.