The number of people who doubt whether cyber warfare exists is steadily decreasing.
On 1 December 2015, the NATO Cooperative Cyber Defence Centre of Excellence in Estonia published a book on the “cyber dimension” of the current conflict between Russia and Ukraine. Every aspect of the crisis has been affected by the use and abuse of information technology. On the battlefield, telecommunication lines were physically cut, and network data used to target soldiers. In politics, an election was hacked. In diplomacy, US officials had private conversations uploaded to YouTube and advertised on Twitter. In espionage, the Ouroboros or “Snake” malware was found hiding in Ukrainian government networks. In business, smart TVs and billboards were defaced with Russian propaganda. In social media, fraudulent accounts discredited the Maidan revolution. In academia, pro-annexation hackers made wholesale changes to the Crimea pages of Wikipedia. And so on.1
Despite all of these incidents, many authors still opined that the cyber war in Ukraine was notable for the absence of any truly novel attacks. However, as with everything cyber, that critique did not last long. In early January 2016, the security firm iSIGHT Partners blogged that on 23December a “coordinated” and “intentional” “first major cyber attack” against a public power grid had plunged 80,000 residents2 of western Ukraine into darkness for six hours.3 To boot, the hackers had been kind enough to disable the power company’s customer-service system during the blackout. iSIGHT attributed the incident to a hacker group it calls “Sandworm”, which it thinks is based in Russia.4
Experts must carefully evaluate the evidence, as the Internet is nothing if not an ideal environment for geopolitical chicanery. But if the attack is confirmed—and there is burgeoning belief that it did5—it will be yet another “first” in the history of cyber war, and place Ivano-Frankivsk (the Ukrainian city where it took place) alongside Natanz, Iran (home of the nuclear plant targeted by Stuxnet).
Cyber-war sceptics are falling away. For example, Professor Thomas Rid’s 2013 book was entitled Cyber War Will Not Take Place; his 2016 book is called Rise of the Machines.6 In fact, scientists have warned of potential dangers ever since electricity was harnessed for military purposes. In 1948, John von Neumann predicted the advent of computer viruses.7 In 1976, Boeing researcher Thomas Rona wrote in “Weapon Systems and Information War” that the power of computer networks would be both an asset and a liability for any nation, as they are vulnerable to a wide range of attacks and will be among the first targets in war.8
A computer hack, of itself, is not a concern to anyone. It’s the real-world ramifications that unnerve us, when the electrons jump from the Internet to cyberspace, from machine code to human code. For example, Chechnya showed us the power of Internet propaganda; Kosovo saw non-state hackers take on NATO; fighting in Gaza ritually knocks Israeli businesses offline;9 social media infused both promise and peril into the Arab Spring; Operation Olympic Games suggested that a cyber-attack can replace a traditional military strike;10 the Syrian Electronic Army compromised hundreds of millions of online communications on behalf of Bashar al-Assad;11 and so on and so forth.
Yes, the “attribution problem”—or the challenge of finding the true source of cyber-attacks—is real. However, quality technical and non-technical analysis can help. While cyber-attacks (including those perpetrated by squirrels)12 happen every day, when networks go down in the middle of a national security crisis (as they have done, from Estonia to Hainan), world leaders have no choice but to take them seriously. How would you like to fight a war without the Internet? Just ask the Ukrainian government.13 Geopolitical context is not proof, but it narrows the circle of suspects and sharpens investigative focus. With good background knowledge and fresh analysis in hand, a few phone calls between national security advisers may yield a reasonable level of attribution.
At some point, cyber-war sceptics risk falling into the same category as global-warming sceptics and those who believe that farmers in eastern Ukraine turned their tractors into main battle tanks. Today’s networks are a volatile mix of connectivity and vulnerability that allows criminals, soldiers, terrorists and spies to thrive. The situation is such that when international tension crosses a certain threshold, Country A may be able to manipulate the power grid of Country B for political coercion or to facilitate a traditional military attack. Squirrels and hackers can both cause power outages, but each is a separate problem that needs a separate answer.
It is worth remembering that there may be relatively few “cyber only” operations of consequential effect. Stuxnet is the closest thing we have seen to a “cyber missile,”14 but it still came in the context of international trade sanctions and the threat of aerial bombardment against Iran. Most cyber-war incidents will fall within some kind of “combined arms” effort, or as a supporting element in a “hybrid” war of the kind we read about in the Donbass, where the goal is to modify the battlespace rather than overwhelm it. Cyber operations are closer to covert action than an infantry assault.
Ultimately, success will depend on how well cyber operations are blended with traditional political and military might. There is little point in launching a cyber-strike without the wherewithal to back it up. If the attack in Ukraine was perpetrated by Russian state hackers—possibly in retaliation for a power outage in Crimea on 22 November caused by Ukrainian saboteurs15—then only time will tell if the strategy pays off, but Russia is one country that unquestionably possesses the requisite strategic depth to deal with the ramifications.
Beyond the 80,000 people who had to sing Christmas carols in the dark, the most significant aspect of the Ukrainian power grid attack is the precedent it may set for the future. Calling Stuxnet the first cyber-attack to cause serious physical destruction, former CIA Director Michael Hayden announced that the attacker had “crossed the Rubicon”.16 The clock is ticking. On 26 January 2016, Israeli energy minister Yuval Steinitz claimed that a “severe cyber attack” had paralysed “many” computers at Israel’s Electricity Authority for two days,17 although sceptics are still cross-checking the facts.18
Given our collective vulnerabilities, world leaders must consider what the peacetime and wartime limits to hacking should be. It is never reassuring to look at post-war pictures of London, Dresden and Tokyo. As cyber-attacks migrate from science fiction to reality, international norms must be extended into cyberspace, via international forums such as the Tallinn Manual process.19 International law currently provides nation-state hackers with something of a backstop, as aggressive cyber operations can begin as mere espionage, which is a necessary precursor to attack. Cyber war is merely the continuation of politics by other means, and politicians are prone to make mistakes.
1 Kenneth Geers (ed.). Cyber War in Perspective: Russian Aggression against Ukraine, NATO CCD COE Publications, Tallinn 2015.
2 Riley Walters. “Russian hackers shut down Ukraine’s power grid,” Newsweek, 14 January 2016.
3 John Hultquist. “Sandworm Team and the Ukrainian Power Authority Attacks,” iSIGHT Partners, 7 January 2016.
4 Stephen Ward. “iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign,” iSIGHT Partners, 14 October 2014.
5 Kim Zetter. “Everything we know about Ukraine’s power plant hack,” WIRED, 20 January 2016.
6 Thomas Rid. Rise of the Machines: A Cybernetic History, W. W. Norton & Company, Forthcoming June 2016.
7 Éric Filiol. Computer viruses: from theory to applications, Paris: Springer, 2006.
8 T.P. Rona. “Weapon Systems and Information War,” Everett, WA: The Boeing Corporation, 1976.
9 Kenneth Geers. “Cyberspace and the changing nature of warfare.” SC Magazine, 27 August 2008.
10 Kim Zetter. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. New York: Crown, 2014.
11 Kenneth Geers & Ayed Alqartah. “Syrian Electronic Army Hacks Major Communications Websites,” FireEye, 30 July 2013.
12 Christopher Ingraham. “A terrifying and hilarious map of squirrel attacks on the U.S. power grid,” The Washington Post, 12 January 2016.
13 David Talbot. “Watching for a Crimean Cyberwar Crisis,” MIT Technology Review, 4 March 2014.
14 “The Stuxnet worm: A cyber-missile aimed at Iran?”, The Economist, 24 September 2010.
15 Ivan Nechepurenko. “Crimea to Face Power Shortages for Months, Officials Say,” The New York Times, 8 January 2016.
16 David E. Sanger. “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times, 1 June 2012.
17 Danna Harman. “Israel’s Electrical Grid Targeted by ‘Severe Cyber-attack’”, Haaretz, 26 January 2016.
18 Darlene Storm. “No, Israel’s power grid wasn’t hacked, but ransomware hit Israel’s Electric Authority,” Computerworld, 27 January 2016.
19 Michael N. Schmitt. Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013.