Scitech  Firewalls and firearms

Online attacks can have devastating offline effects - and we aren't prepared

In June 2010, the discovery of a computer worm called Stuxnet inside Iranian nuclear enrichment facilities brought increased attention to cyber-attacks – and more importantly, how inadequate current defenses are. As many countries race to develop their arsenal of defensive and offensive online technology, commentators have declared “cyber-arms race”.

Cyber attacks are hardly new: in 1989 a worm referred to as the “WANK worm”, infected NASA computer systems. The moniker “WANK” stands for Worms Against Nuclear Killers; the worm was created in protest of nuclear weapons and displayed often humorous anti-nuclear and anarchist messages on NASA computers.

However, subsequent attacks have become less focused on protesting general policies and increasingly take sides in conflicts between states. And, although non-state groups still carry out the bulk of online attacks, this trend is shifting. The 1999 war in Kosovo was one of the first examples, when the Serbian Black Hand – a secret Serbian military society – attacked NATO computers. In 2007, Israel attacked Syrian defense systems – disabling them and allowing Syria to be bombed.

But amongst cyber attacks, Stuxnet stands out for its uniquely complex structure. The worm dispersed itself widely throughout the internet before replicating itself onto USB drives used in Iran’s nuclear enrichment system, allowing it to transfer computer systems that Iran uses to control the centrifuges that enrich uranium. The worm caused the centrifuges to spin too quickly, causing permanent damage and setting the Iranian nuclear program back by months. Meanwhile, Stuxnet fed incorrect data to the control systems, making engineers think that all was well.

There is no consensus on who developed Stuxnet, but its complexity has led experts to conclude that it must have been made by a state-sponsored team, with many suggesting it was backed by the United States, Israel, or both. What is clear is that this attack shares a key feature with Israel’s 2007 attack on Syria: both had direct material consequences offline. While there is no disputing that attacks targeting online infrastructure (such as disabling communication networks) are serious, attacks causing physical damage to offline infrastructure can be even more devastating.

This expanding threat has led a number of countries to ramp up their development of cyber-security as well as cyber-warfare tools. After alleged Hezbollah cyber-attacks, Israel rapidly transformed itself into one of the major players in cyber warfare. In the U.S., the Pentagon has explicitly stated it is willing to launch “offensive” cyber-attacks. Recent attacks on South Korea – which disabled hundreds of computers – have been interpreted as tests by North Korea on their southern neighbour’s  computer security systems, and could be a warning of future large-scale attacks. China has been widely accused of state-sponsored hacking and attacks, even allegedly hacking into the World Anti-Doping Agency computers to find out which Chinese athletes would be tested next. Russia is becoming notorious for allegedly backing hackers who shut down opposition websites and interfere with its internal political process. It has also been accused of involvement in numerous external attacks, such as one that brought down swathes of Estonian websites down in 2007 during a row over moving Soviet war graves.

Many governments and non-state groups are finding it more effective to buy online weapons rather than develop their own. There have always been “hackers for hire”, such as the Russian computer scientists who were allegedly used for attacks on Israel. But the business is moving increasingly towards “off-the-shelf” cyber-attacks. Following the business model of Endgame, a secretive American cyber-security company, hacker groups without government affiliations work to find so-called “zero-day exploits” – vulnerabilities in software that have not been detected before – and sell them to the highest bidder, ready to be used. Unlike physical arms, which are subject to stringent regulation, these exploits can easily be sold to any state or non-state group that has the cash to buy them. Experts worry that their easy availability could be particularly destabilizing in already volatile regions, where the lines between state governments and non-state groups are blurred. Any one of many disparate groups associated with a state government could launch an online attack, triggering potential offline economic or military retaliation – even if the government had not directly authorized the cyber-attack.

Much of the fear about cyber-attacks is due to weak cyber-defenses around the world. Derek Ruths, a computer science professor at McGill, explains that “nobody is doing close to enough” to defend themselves against cyber-attacks. He cites China as an example of the country that has been the most proactive: “It has developed its own operating system, made efforts to obtain the source code for popular commercial products such as Microsoft Windows, and implemented a kill switch.”  A kill switch allows  the system to  disconnect essential services such as water and electric facilities from the Internet should they come under attack. “They are taking serious steps,” says Ruths. “Outside China, besides clandestine initiatives, nations have taken very few steps to mitigate the threats of cyber-attacks.” However, China’s repressive Internet policies are hardly a model for other countries – websites like Youtube, Facebook, Twitter, and Tumblr are all blocked.

Cyber-defense is made even more difficult by the huge uncertainty of the rapidly evolving nature of cyber-attacks. There is still no consensus on even the most basic parameters of cyber-warfare: what constitutes an attack? How does one retaliate?

Further complicating matters is the anonymity of the internet. Attacks can easily be made virtually untraceable—rendering retaliation impossible. Unlike conventional warfare, highly technical questions surround all aspects of cyber-warfare, making it particularly difficult for policy-makers to adequately understand and deal with the threat. A conference on cyber-security in London last November, which brought together civil servants and politicians from various countries, illustrated this problem with its participants’ inability to move beyond vague platitudes, such as US Vice-President Joe Biden’s call to eschew a “repressive global code” for the internet.

Not everyone agrees that cyber-warfare is a serious threat. King’s College London academic Thomas Rid argues that viewing cyber-attacks as “war” is an inaccurate characterization of the threat – he asserts that the attacks are better seen as online analogues to the offline actions that frequently occur during war: sabotage, espionage, and subversion. Since these actions accompany war rather than cause it, he argues they are not a new form of war with wide-reaching consequences but simply a new way to conduct these age-old activities, one that will have little effect on warfare itself.

Just as with any new technological development, it will take time for the practical effects of increasingly advanced cyber-attacks to become apparent. It may be decades before the military applications of the Internet have been fully explored.