National position of Israel (2020)

Introduction
This is the position of Israel on international law applicable to cyber operations. The position has been presented on 8 December 2020 by Israeli Deputy Attorney General for International Law Dr. Roy Schöndorf, during the event hosted by the US Naval War College Stockton Center for International Law on "Disruptive Technology and International Law".

Applicability of international law
"Israel considers that international law is applicable to cyberspace, and this is a view that has become almost axiomatic for a vast majority of States. However, when seeking to apply particular legal rules to this domain, we are mindful of its unique features.

These unique features shape policy and affect the legal framework applicable to the cyber domain. I wish to shortly address some of them. First, cyber operations are conducted through a global network, passing through infrastructure located in multiple jurisdictions, and lack, in and of themselves, any meaningful physical manifestation. Second, much of the cyber infrastructure is held and controlled by the private sector and civilian components are a major part of the picture. Thus, regulation of the cyber domain may have various social and economic implications as well. Third, the cyber domain is highly dynamic, given the fast pace of technological developments and innovation. The development of international legal rules, on the other hand, is a more gradual process. This is understandable since these rules are designed to stand the test of time and are not easily amended.

All these factors taken together suggest that an extra layer of caution must be exercised in determining how exactly international legal rules apply to cyber operations, and in evaluating whether and how additional rules should be developed. We, as government and military legal advisers, are tasked with the role of identifying the relevant rules, including those set by the law of armed conflict, and determining how they apply to a particular set of facts. In some cases, it will be possible to apply a certain rule as it is; while in other cases, the situation may be conceptually different, such that it might not be possible, feasible, or even desirable to draw from existing legal rules. This process obviously has to consider the behavior of States in the cyber domain, as international law is State-made."

Self-defence, armed attack and use of force
 "First — and this has already been acknowledged by many others— the customary prohibition set out in Article 2(4) of the Charter of the United Nations, on “the threat or use of force” in international relations, is clearly applicable in the cyber domain.

We share the support among States for the view that a cyber operation can amount to use of force if it is expected to cause physical damage, injury, or death, which would establish the use of force if caused by kinetic means. For example, hacking into the computers of the railroad network of another State and programming the controls in a manner that is expected to cause a collision between trains can amount to use of force. As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve, there may be room to further examine whether operations not causing physical damage could also amount to use of force.

Second, when the use of force in the cyber domain, by either a State or non-State actor, can be considered as an actual or imminent armed attack, the State under attack may act in accordance with its inherent right to self-defense, as enshrined in Article 51 of the U.N. Charter. Of course, the exercise of this right is subject to the customary principles of necessity and proportionality.

Finally, the use of force in accordance with the right of self-defense, against an armed attack conducted through cyber means, may be carried out by either cyber or kinetic means; just as use of force in self-defense against a kinetic armed attack may be conducted by kinetic or cyber means." 

Sovereignty
 "To begin with, there are diverging views regarding whether sovereignty is merely a principle, from which legal rules are derived, or a binding rule of international law in itself, the violation of which could be considered an internationally wrongful act. This issue has many facets, and while I will not offer any definitive position for the time being, I would like to stress a number of important points.

A second, and related, point is that States undoubtedly have sovereign interests in protecting cyber infrastructure and data located in their territory. However, States may also have legitimate sovereign interests with respect to data outside their territory. For example, as governments store more and more of their data by using cloud services provided by third parties, whose servers are located abroad, how do we describe the interest that they have in relation to that data? Would the interest in protecting the data not be a sovereign interest in this case as well? Or, alternatively, when a State conducts a criminal investigation and needs to access data located abroad from its own territory, under what circumstances does it need to request the consent of the territorial State? Of course, there are no easy answers to these questions, and some of them are currently being discussed, such as in the context of the protocol to the Budapest Cybercrime Convention currently being negotiated to address this very topic.

These questions reflect an inherent tension between States’ legitimate interest and the concept of territorial sovereignty, as we understand it in the physical world. In practice, States occasionally do conduct cyber activities that transit through, and target, networks and computers located in other States, for example for national defense, cybersecurity, or law enforcement purposes. Under existing international law, it is not clear whether these types of actions are violations of the rule of territorial sovereignty, or perhaps that our understanding of territorial sovereignty in cyberspace is substantively different from its meaning in the physical world." 

Prohibition of intervention
 "Another matter closely related to the issue of sovereignty is that of non-intervention. Traditionally, this concept has been understood as having a high threshold. It has been taken to mean that State A cannot take actions to “coerce” State B in pursuing a course of action, or refraining from a course of action, in matters pertaining to State B’s core internal affairs, such as its economic or foreign policy choices. Its traditional application has focused on military intervention and support to armed groups seeking the overthrow of the regime in another State. This could presumably also relate to support given to armed groups in the cyber domain, such as providing information regarding cyber vulnerabilities of the State.

A more recent issue that has come to the fore relates to interference in national elections. We concur with the various positions expressed in this regard, such as that which was presented by former U.S. State Department Legal Adviser Brian J. Egan, and more recently reiterated by U.S. Department of Defense General Counsel Paul C. Ney Jr., that a “cyber operation by a State that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention.” 

Due diligence
 "The concept of due diligence means that States should take reasonable measures to avoid or minimize harm to other States, and seems to be useful in fields such as international environmental law. In the 2015 UN GGE Report, the concept was addressed as the basis for a voluntary, non-binding norm of responsible State behavior, providing that States should not allow their territory to be used for the commission of international wrongful acts. There was wisdom in mentioning it in the chapter covering norms of responsible State behavior, as it does not, at this point in time, translate into a binding rule of international law in the cyber context. This was the position expressed by other States as well."

"[..] we have to be careful in applying to the cyber domain rules that emerged in a different, distinct context. For instance, in the field of environmental law, where much of the focus and application of due diligence obligations has been in recent years, the acting State typically has control, or at least oversight, over the harmful activity (for example, regulating a polluting power plant). However, cyberspace is mostly private and decentralized.

The inherently different features of cyberspace—its decentralization and private characteristics—incentivize cooperation between States on a voluntary basis, such as with the case of national Computer Emergency Response Teams (CERTs). CERTs are already doing what could arguably fall into that category: exchanging information with one another, as well as cooperating with each other in mitigating incidents. However, we have not seen widespread State practice beyond this type of voluntary cooperation, and certainly not practice grounded in some overarching opinio juris, which would be indispensable for a customary rule of due diligence, or something similar to that, to form." 

Attribution
 "The issue of attribution is also widely debated with respect to cyber operations. Some have suggested that there needs to be more legal certainty with respect to attribution, in order to avoid mistaken attribution, which can lead to conflict escalation. This is increasingly becoming more of a theoretical issue. Over time, the attribution capabilities of States have improved, and even States with lesser capabilities have been able to rely on solid information provided by other States and by the private sector. In any event, this is a technical matter—a factual one—and I would advise against over-regulating the issue.

That being said, there is also the question of public perceptions—because sometimes, when an offensive cyber operation is public, and the attribution is public, the government needs to communicate with its citizens, and with the international community at large, in order for its positions and actions to be understood. But there will be cases when a State will prefer not to disclose the attack, the attribution, or any ensuing actions taken—for diverse reasons such as national security and foreign relations. Either way, as a matter of international law, the choice whether or not to disclose the attribution information remains at the exclusive discretion of the State." 

Countermeasures
 "With respect to the issue of countermeasures, I would like to echo the positions taken by the United Kingdom, the United States, and other States, to the effect that there is no absolute duty under international law to notify the responsible State in advance of a cyber-countermeasure. Prior notification is perhaps more realistic and practical in fields such as international trade, allowing the responsible State to reconsider its actions without frustrating the ability of the injured State to take the intended countermeasures. However, in the cyber domain, where the pace of events can be extremely fast and the other side may thwart the action if it anticipates it, announcing a cyber-countermeasure in advance would often negate its utility and effectiveness, and in some instances undermine the interests of the injured State, as well as render the countermeasure obsolete." 

International humanitarian law (jus in bello)
 "I’ll start by stating the obvious: the law of armed conflict and its fundamental principles generally apply to cyber operations conducted in the context of an armed conflict. Indeed, “the right of belligerents to adopt means of injuring the enemy is not unlimited” even in the cyber domain.

Israel is a party to the four Geneva Conventions and other treaties governing particular aspects of conduct in armed conflict and is also bound by applicable customary law. Israel—like the United States and others—is not a party to the First and Second Additional Protocols to the four Geneva Conventions and is not bound by them as a matter of treaty law. However, we see the following as consistent with the relevant customary law and the Additional Protocols." 

Conduct of hostilities
 "One of the key issues, in the conduct of hostilities in particular, is how to define “attacks,” and in which circumstances cyber operations amount to attacks under LOAC. The concept of attack is central to targeting operations and only acts amounting to attacks are subject to the “targeting rules” relating to distinction, precautions, and proportionality.

The definition of attack in LOAC requires several elements, but I will focus on those aspects carrying special relevance in the cyber context. Specifically, I will address the element requiring that an act will constitute an attack only if it is expected to cause death or injury to persons or physical damage to objects, beyond de minimis.

One aspect of this element concerns the reasonably expected consequences of the act in question. Reasonably expected consequences are those that are anticipated with some likelihood of occurrence, and entail adequate causal proximity to the act. A second aspect of this element is the type of required damage. The requirement for physical damage has been accepted law since the introduction of the legal term of art “attack” into the LOAC discourse. For this reason, practices such as certain types of electronic warfare, psychological warfare, economic sanctions, seizure of property, and detention have never been considered to be attacks as such, and, accordingly, were not considered as subject to LOAC targeting rules.

Only when a cyber operation is expected to cause physical damage, will it satisfy this element of an attack under LOAC. In the same vein, the mere loss or impairment of functionality to infrastructure would be insufficient in this regard, and no other specific rule to the contrary has evolved in the cyber domain.

However, if an impediment to functionality is caused by physical damage, or when an act causing the loss of functionality is a link in a chain of the expected physical damage, that act may amount to an attack. For example, if a cyber operation is intended to shut down electricity in a military airfield, and as a result is expected to cause the crash of a military aircraft that operation may constitute an attack (subject, of course, to the additional elements for attacks under LOAC).

The existence of physical damage is assessed purely on objective and technical grounds. It is a factual question and as such does not depend on the subjective perception or the manner in which the other side chooses to address the loss or impairment of functionality.

Finally, the fact that a cyber operation is not an attack does not mean that no legal limitations apply thereto. Indeed, there are general obligations in LOAC that apply to all military operations regardless of being attacks or not. Central among those is the requirement to consider the danger posed to the civilian population in the conduct of military operations. It is widely accepted today that parties to conflicts cannot blatantly disregard such harmful effects to the civilian population in their military operations. But there are also more specific protections that may apply to actions other than attacks. For example, cyber operations affecting medical units are regulated and limited, inter alia, by the LOAC obligation to respect and protect medical units, which applies regardless of whether the act constitutes an attack or not." 

Data as a military objective
<section begin=IL data as a military objective /> "[..]another question which is especially relevant to the cyber domain is whether the term “object,” as it is understood in LOAC, encompasses computer data. This bears implications with regard to the implementation of the LOAC rules relating to distinction, precautions, and proportionality.

Objects for the purposes of LOAC have always been understood to be tangible things and this understanding is not domain-specific. It is therefore our position that, under the law of armed conflict, as it currently stands, only tangible things can constitute objects.

Here, again, this does not mean that cyber operations adversely affecting computer data are unregulated. In particular, when an operation involving the deletion or alteration of computer data is still reasonably expected to cause physical damage to objects or persons and fulfills the other elements required to constitute an attack, the operation would be subject to LOAC targeting rules. Likewise, one must have regard to rules, which are not dependent on the concept of objects, such as the obligation to respect and protect medical units." <section end=IL data as a military objective />

Bibliography and further reading

 * Tal Mimran, Yuval Shany, "Israel, Cyberattacks and International Law", Lawfare, 30 December 2020
 * Michael N. Schmitt, "Israel’s Cautious Perspective on International Law in Cyberspace: Part I (Methodology and General International Law)", EJIL:Talk!, 17 December 2020
 * Michael N. Schmitt, "Israel’s Cautious Perspective on International Law in Cyberspace: Part II (jus ad bellum and jus in bello)", EJIL:Talk!, 17 December 2020