Legality of Cyber Operations
in the Israel-Hezbollah War
By Mr Hussein Badreddine
Published on 23 May 2024
In the aftermath of the 7 October 2023 attack conducted by Hamas and other Palestinian factions, Israel claimed the right of self-defence and began a widespread operation in the Gaza strip. On 8 October 2023, Hezbollah launched rockets into three posts in Shebaa farms, ostensibly in solidarity with the Palestinian people. The Shebaa farms were occupied by Israel in the six-day war in 1967. However, the status of these farms remains unresolved, and no border demarcation between Syria and Lebanon has taken place to this day. Officially, Lebanon made a claim to this land on 4 May 2000.
Hezbollah’s attacks on 8 October triggered a military conflict with Israel. Amidst this conflict, civilian infrastructure appeared to have been targeted on both sides. Furthermore, the Israel Defence Forces (‘IDF’) acknowledged disrupting some Global Positioning System (‘GPS’) signals for various operational needs. That resulted for example in locations showing up completely wrong for individuals using Google Maps. The jamming seems also to have confused apps relying on GPS. More importantly, according to researchers at the University of Texas, the spoofing that is taking place was considered to be unprecedented: ‘we have never seen commercial aircraft captured by GPS spoofing’. In some instances, spoofing incidents have caused complete failure in aircraft navigational systems. A Lufthansa spokesperson considered GPS attacks to pose a serious threat to the safety of aviation. For example, on Monday the 26th of March, passengers experienced ‘moments of terror’ aboard a plane destined for Beirut from Istanbul.
In a statement, the Lebanese Ministry of Foreign Affairs (‘MOFA’) held Israel responsible for any accident or disaster caused by Israel’s policy of jamming air and ground navigation systems and deliberately disrupting signal-receiving and transmitting devices. Furthermore, the Lebanese MOFA declared that it will commence international legal action against Israel for violation of the Lebanese sovereignty by disrupting its navigation systems. In response to that statement, an Israeli spokesperson for the Ministry of Foreign Affairs considered that Lebanon allows Hezbollah to attack Israeli civilians from its territory and that Lebanon is the last country to discuss sovereignty.
As far as the law of armed conflict is concerned, it is worth considering whether such spoofing and jamming operations are conducted in a lawful manner.
Legality of Cyber Interference under the Law of Armed Conflict
Spoofing and jamming are means commonly used in warfare, and addressing their legality in the context of the Israel-Hezbollah conflict would require answering several questions. For the sake of this article, only the following will be addressed: first, whether the threshold for an armed conflict between Hezbollah and Israel has been met; second, whether spoofing and jamming constitute attacks under the law of armed conflicts; and third, whether these attacks comply with the rules of distinction and proportionality.
To invoke the law of armed conflict, the initial step is to identify whether the legal threshold for an armed conflict has been met. The practice of the International Criminal Tribunal of Yugoslavia revealed that a threshold is met once the situation can be defined as a ‘protracted armed violence’. However, this threshold is rather assessed against two elements: First, the intensity of the violence; and second, the level of organisation of the parties. The threshold of violence in a Non-International Armed Conflict (‘NIAC’) is generally considered to be higher than in an International Armed Conflict. Intensity is examined while taking into consideration multiple elements, among them, the duration, the frequency of acts of violence, the nature of employed weapons, displacement of civilians, and the number of victims. It has been noted that until 21 March 2024, there had been more than 4,400 attacks by Israel and Hezbollah combined, as well as 150,000 displaced civilians on both sides. The Lebanese Ministry of Agriculture stated that more than 40,000 olive trees were burned by IDF shelling. More than 700 destroyed units in Lebanon as well as 10,000 damaged by IDF shelling whereas more than 427 were severely damaged by Hezbollah rockets in north Israel. More than 368 people were killed in Lebanon, including 73 civilians, whereas a dozen soldiers in Israel were killed, and half as many civilians. It is hence beyond doubt that the current conflict has met the intensity requirement. Furthermore, it is always presumed that government forces meet the ‘organisation of the parties’ requirement. For non-State actors to meet that requirement, they must have an organizational chart including a command structure, the ability to recruit and train, and to launch coordinated attacks. All of these elements are present within Hezbollah. Hezbollah has a command structure, arguably 100,000 fighters, thousands of precision-guided missiles, and the ability to launch coordinated attacks. It is thus evident that Israel and Hezbollah fulfil the second requirement, that is, the organisation of parties. In any view, then, an armed conflict is underway.
To satisfy the requirements of distinction and proportionality, an operation must first qualify as an attack under the law of armed conflict (‘LOAC’). Rule 92 of the influential Tallinn Manual – an academic contribution rather than a traditional military manual – considers ‘cyber attacks’ only to be ‘attacks’ in the legal sense if they can reasonably be expected to cause injury or death to persons, or damage or destruction to objects. Nonviolent cyber operations such as psychological operations by cyber means or cyber espionage do not qualify as attacks under the Tallinn Manual. Furthermore, according to experts, operations that merely cause ‘inconvenience’ or irritation to the civilian population do not constitute attacks; and what constitutes ‘inconvenience’ has not been settled in literature. Jamming for example is used to disrupt satellite communications through interfering in radio signals, or communication between a satellite and its receiver/user on the ground. It is accomplished by sending signals (‘emitting noise’) that drown out the real signal. Traditionally, experts have not considered the jamming of radio communication systems or TV broadcasts as an attack under International Humanitarian Law. Disruption of dating apps, for example, although may cause some inconvenience or be irritating for some, does not cause actual damage. Alternatively, some scholars have considered whether interference with the functionality of an object constitutes damage for the purpose of cyber-attacks. GPS spoofing on the other hand consists of generating fake GPS signals to trick GPS receivers into thinking they are in a different location. For example, showing the plane in the wrong location on a pilot’s monitor. Spoofing is thus considered more sophisticated than jamming as it tricks the receiver into calculating a false position.
Initially, determining whether any cyber operation, including spoofing or jamming, constitutes an attack does follow from the nature of the operation, that is, if it involves kinetic force or not. The consensus among experts suggests that classifying an operation as an attack lies in its consequences rather than its nature. Even more, the term ‘cause’ in Rule 92 of the Tallinn Manual (A cyber-attack is a cyber operation that is reasonably expected to cause injury or death to persons or damage or destruction to objects) has been interpreted as encompassing any reasonably foreseeable consequential damage, injury, or death. Similarly, I argue that spoofing GPS signals, is more likely to result in aerial accidents, causing catastrophic damage to civilian property and life. Despite not having reached this severity in the current conflict, spoofing (at least in the short term) could have reasonably been expected to lead to such accidents. Jamming on the other hand is hardly expected to cause accidents.
Second, after establishing that spoofing and jamming GPS signals could be considered as ‘attacks’ under the law of armed conflict, one would have to assess the lawfulness of these attacks. The principle of distinction makes clear that civilians should not be targeted intentionally. Attacks must solely focus on military objectives. Rule 99 of the Tallinn Manual states that civilian objects shall not be made objects of cyber attacks. Cyber-infrastructure may only be made the object of an attack if it qualifies as a military objective. Military objectives generally defined are ‘those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralisation … offers a definite military advantage.’ There seem to be two questions here. First, whether the GPS is a civilian or military objective. Under the traditional view, it becomes a military objective if by its ‘use,’ it is making an effective military contribution and its destruction would offer a military advantage. The conclusion is that since the GPS is a dual-use system under the Tallinn Manual, used for both civilian and military purposes, it, thus, can be considered a lawful target. Second, whether interference is limited to the geographical area where the conflict is taking place. This question is significant in legal terms as it relates to the principle of distinction. Spoofing recurring outside areas of hostilities raises questions of distinctions. From what has been reported so far, jamming and spoofing seem to cover the entirety of the Lebanese land territory, 60 to 70 km beyond the coast, and the airspace above them. This is resulting, among other things, in confusing all flights, maritime navigation, photographers using drones for filming purposes, and delivery services relying on GPS. It has also been reported that interference has reached Cypriot territories. Hence, even if the GPS is considered a system of dual-use, spoofing appears to fail the test of distinction by covering a much broader region beyond where fighting is taking place.
However, even if these attacks comply with the principle of distinction, they must still adhere to the principle of proportionality. Initiating a cyber-attack that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated is prohibited. The current Israeli cyber-attacks raise two main questions: first, while intense fighting is taking place in the border region, with Hezbollah rockets being launched from locations no closer than 70 km from the capital Beirut, then why is all of Lebanon, including 60 to 70 km into the sea targeted by cyber-attacks? Military attacks covering the entire territory of Lebanon would raise questions of proportionality, especially when civilian infrastructure is affected as mentioned above.
The incidental harm to civilians who were not the direct target of an attack is referred to as collateral damage. Collateral damage as a result of a cyber-attack does not necessarily render the attack illegal; rather, the unlawfulness of an attack is determined by weighing the balance between incidental harm and military advantage. Thus, if civilian damage exceeds the anticipated military advantage, the attack is disproportionate and the operation would be illegal. The anticipated military advantage should be ‘concrete and direct’. Furthermore, the military advantage should be ‘substantial and relatively close’, and hardly perceptible and long-term advantages are not included in ‘concrete and direct’. Even slight civilian damage may be unlawful if the military advantage expected is negligible. When assessing the military advantage of spoofing across Lebanese territory, we note that the IDF pointed to various operational needs without further elaborating. Analysts assume two reasons: the confusion about precision missiles; and the confusion and taking control of military drones (also check here). The first issue with these attacks is that GPS signals have been disrupted in non-active combat zones, hence breaking the principle of proportionality by risking human life, and disrupting the lives of citizens. The second issue is, for that to be justified, a concrete and direct military advantage should be established. Spoofing non-active combat zones did not seem to effectively prevent the launching of drones or guided missiles from active combat zones. A concrete and direct military advantage does not seem to be the case.
Conclusion
This article examined cyber means of interference in times of war. A prerequisite for establishing the lawfulness of an operation and the applicability of the law of armed conflict is to identify whether the threshold for an armed conflict has been met. We demonstrated that the two elements constituting the threshold, the intensity of violence and the organisation of parties, have been met. Furthermore, to examine the lawfulness of an operation, first, it must be established that it is an attack, second, that there must be a distinction between civil and military targets, and third, that any civilian damage was proportionate. In terms of cyber operations, these can be qualified as attacks if they reasonably foresee consequential damage, injury, or death. As established previously, spoofing, when interfering with aerial navigation, could reasonably expect, at least in the short term, consequential damage. Jamming is however less likely to cause damage. Furthermore, the GPS system may be a lawful target as dual-use infrastructure, however, these attacks fail to distinguish between civilians and military objectives by targeting the whole Lebanese territory. Turning to proportionality, it would have been proportional to disrupt GPS signals in active combat zones. Disruption is, however, occurring in areas beyond those where fighting is taking place. Additionally, these cyber attacks do not appear to be stopping Hezbollah from launching rockets and drones from active combat zones. Balancing the risks of these attacks and the military advantages, there seems to be a violation of the proportionality principle.