The ever-increasing role of technology in every aspect of our society has turned cybersecurity into a major sovereignty issue for all states. Due to their asymmetrical nature, offensive cyber-capabilities have been embraced by many countries that wouldn't otherwise have the resources to compete on a military or economic level with the most powerful nations of the world. Most modern inter-state conflicts and tensions today also take place in so-called cyberspace and we strongly believe that this trend will persist.
Such conflicts can take a vast number of forms, based on the objectives an attacker might pursue to undermine a competitor. In the context of this article, we will only focus on two of them: (1) cyber-warfare for intelligence purposes, and (2) sabotage and interference with strategic systems in order to hinder a state's ability to govern or project power.
Attempts to collect intelligence through technical means have been documented for years. The earliest example dates all the way back to 1996's infamous Moonlight Maze campaign, where attackers stole so many documents a printout would have stood "thrice as high as the Washington monument". Twenty-five years later, Kaspersky tracks over a hundred groups who perform similar operations. Here are a few reasons why they are so widespread:
Cyberespionage attempts have been observed from all types of nations (emerging and robust cyber powers, countries that find themselves at the center of international tensions, and even countries which are traditionally considered allies) against all sorts of actors (government and non-government organizations, multinational companies, small businesses and individuals) to try to collect intelligence of any nature (technological, military, strategic). While the newer actors are filling the skills gap quickly, the most advanced parties are scaling to obtain global surveillance capabilities through technological supremacy. This involves developing the standards for tomorrow's communications infrastructures and ensuring that they are adopted on a worldwide scale.
A particular example stands at the intersection of these two axes: the dispute pitting the US against China on the 5G standard. The US Defense Innovation Board points out the crucial impact of network topology on industry development and notes that the Department of Defense (DoD) itself will use the new standard; as a result, it feels it should have at least some degree of control over it. The US government has also publicly accused foreign technology companies of facilitating espionage operations on various occasions.
Just because cyberspace conflicts take place in a virtual world doesn't mean they cannot affect the physical realm. An overwhelming proportion of today's human activity relies on information technology which implies that the former can be disrupted through the latter. A list of verticals that should be protected from foreign investments was introduced in French law: energy, water distribution, transportation, health, telecommunications. It's easy enough to see that each of them is regulated by computer systems that constitute high-value targets for a hostile party.
The Ukrainian conflict, which seems to be used as a large-scale hybrid war experiment by some actors, gives an idea of the many ways cyberwarfare could be used to destabilize a country:
Elsewhere, the Stuxnet worm comes to mind. This piece of malware contained four 0-day exploits and was designed to infect SCADA systems in the Natanz nuclear plant in Iran. Infected systems would send erroneous commands to the underlying programmable logic controller (PLC) while still displaying expected results to the plant operators. This damaged the centrifuges and confused researchers, effectively slowing down Iran's research in the nuclear physics field. But the general, modular design of Stuxnet indicates that variants could have been created to go after other types of SCADA systems. This detail could be indicative of a larger (and unpublished) sabotage doctrine followed by the creators of Stuxnet.
It is unclear whether it followed Stuxnet's precedent, but a couple of years later, a wave of destructive attacks was launched against the oil industry in the Middle East. Shamoon was far from the sophistication level of our previous example, but it did major damage nonetheless. It involved a wiper malware whose purpose was to erase files from the victim's computers and render them unusable. When it was first used in 2012, it disabled over 30,000 computers.
Then, in 2017, a Saudi refinery was targeted by an attack against its safety systems in a deliberate attempt to cause physical harm. The malware, dubbed Triton, was designed to tamper with an industrial safety system's emergency shutdown function. Thankfully, the attack only resulted in the interruption of a chemical process and did not cause the uncontrolled energy buildup the attackers were likely trying to achieve.
In recent years, many incidents have involved wipers: Dark Seoul and the Sony hack as well as Operation Blockbuster, attributed to the Lazarus Group, and others involving the StoneDrill malware we discovered while investigating Shamoon. So far, we are not aware of any casualties caused by destructive cyberattacks, but there's little doubt that they are used as coercive force and can be construed as a form of violence. An interesting question is whether they could be interpreted as "acts of war".
In August 2019, NATO released a cyber-resilience supplement in which the organization stated: "a serious cyberattack could trigger Article 5, where an attack against one ally is treated as an attack against all". While the notion of "serious cyberattack" is not clearly defined, it does send a strong political signal that actions taking place in cyberspace can be interpreted as an attack and may in fact cause a collective response from the alliance. In the military sense, this declaration establishes cyberspace as a battleground. Other countries appear to share this view: in 2019, Israel bombed a building it claimed was used by Hamas to conduct cyberattacks against its interests. While this was not the first time a state went after hackers in the physical world, it was an unprecedented example of immediate cyber-to-kinetic escalation. Those few nations (i.e., the US and France) who published cyber-engagement policies usually reserve the right to respond to attacks in cyberspace through any appropriate means, which implicitly includes lethal force.
Since sabotage operations disrupt a government's ability to rule or have the power to shut down a country's economy, they represent a major threat to sovereignty. In the most extreme case, attacks in cyberspace can lay the ground for (or support) traditional military operations, for instance by disabling security systems or communication devices that would usually help organize the defensive response.
In the coming years, we can expect that:
In the interest of promoting cyber-stability and reducing the impact of sabotage, we would like to propose the following:
It may seem naïve to imagine that the international community could at this moment reach a broad consensus regarding the rules for cyberwarfare or how the existing IHL applies to cyberspace. Yet over the past century, the world managed to define a number of acceptable rules for military conflicts: the Geneva Convention defines rights afforded to non-combatants. But while in traditional warfare it is easy to evaluate the cost (usually in human lives) of being subjected to certain practices, the nature of cybersecurity makes this quite difficult: intelligence collection and data theft are invisible, information campaigns can't always be identified as such and sabotage may be indistinguishable from accidents. In other words, decision-makers have data that shows the benefit of unregulated cyberwarfare, thanks to their own operations, but are oblivious to what it costs them. This partial vision, shared by all actors, does not encourage moderation.
And so, this article closes on a pessimistic note. Do any of the parties involved have an interest in regulating cyberwarfare? If they did, would they even be aware of it? Historically, means of destruction could only be downsized thanks to civil protest and public pressure. In the end, no matter how far away or even unrealistic the dream of world peace seems to be, it is still one worth fighting for. As for the information technology field, it has been described as "young" and "growing" for the past 30 years. Maybe now is the time for it to become "adult".