On January 3, a Saudi hacker group claimed that it had stolen half a million Israeli credit cards. The Bank of Israel claims their exposure is information on only 15,000 credit cards, all of which were immediately blocked. The hacker group’s stated purpose was to see Israeli cards fall into disrepute, “like the Nigerian cards.” The cracker, “0xOmar” is identified as the individual performing the hack, and says he plans to publish information on an additional 200 cards per day.
In response to the Saudi hack release of user credit information, an Israeli hacker going by the name of “OxOmer” (“O” instead of zero, “e” instead of “a”), aka Omer Cohen, has published the information on hundreds of Saudi credit cards. Cohen, a soldier in the Israeli Defense Force (IDF), says he published the information as a “deterrent.” The card info was apparently used to purchase goods on Saudi websites, thereby ratcheting things up a little by not just releasing information, but stealing funds.
Cohen believes his government has not responded quickly nor strongly enough. This “deterrent” language, of course, mirrors the military language of providing overwhelming negative consequences to keep an opponent from acting in the future. The news of the world does indeed talk up electronic hacking and cracking though the use of military terms, but there are those who argue that cyberwar doesn’t really exist – at least not yet.
I would expect that none of the credit card information released belonged to either of the hackers, but rather to “innocent bystanders.” Cohen apologized if any innocent people were hurt by his actions.
In this sense, at least, this small conflict mirrors (however weakly) the world’s real wars with their “collateral damage.” A columnist in the conservative Jerusalem Post says that the credit cards really belong to users living in the United States, but that in any case, this kind of cyber-fighting is better than fighting by using objects of the material world, such as bullets or missiles.
And really, who’s to say he doesn’t make a very good point?
…
Regarding the debate noted above - does cyberwar really exist? - an article in Slate online magazine asserts that We don’t really know how to define an act of cyberwar. That’s “We,” the international community, We the U.S. Senate, We the Department of Defense.
Currently, NATO’s Cooperative Cyber Defence Centre, one of NATO’s fifteen Centers of Excellence says that cyber aggression rises to the level of an act of cyberwar only if it is done in conjunction with a physical attack AND can be attributed to a specific government AND if it can be shown that the attack caused injury. Otherwise, there is no legal basis on which to use force against an aggressor – that is, counterattack. This opinion dates from 2008, in the absence of other international treaties on the subject. Furthermore, in a 2010 Wired interview the US cyberczar, Howard Schmidt, famously said, “There is no Cyberwar.” Only online crime and espionage.
By both of these perspectives, the 2009/10 Stuxnet worm that damaged Iran’s nuclear centrifuges and set back that country’s uranium enrichment efforts was an act of sabotage, not cyberwar. The 2008 Russian military attack on Georgia that coincided with a seemingly Russian-coordinated cyber attack (for while there may not be an agreed-upon definition of cyberwar, there clearly are cyberattacks) wasn’t an act of cyberwar because it couldn’t be proved that Russia carried out the cyber portion of the attack, nor could it be shown that the cyber part cause injury.
The news has been full of stories about the many attacks and acts of espionage against targets in the USA originating from IP addresses in China. But apparently no one can adequately prove that the Chinese government was the entity that carried out these attacks.
So, what does what does describe an actionable act of War By Computer? If millions of dollars, hundreds of companies and governments can’t place the cyberfinger on a given government with the resources at their cybercommands, what will it take?
Could it be a good thing that no act of war is legally actionable against a cyberattack? Or does a lack of definition or agreement make damaging attacks by state actors more likely? What do you think, dear reader?
IEET Blog