The news of a cyber-attack (cyber espionage operation in September 2019) on India’s Kudankulam nuclear power plant caused major concern for security analysts, scholars and India’s neighbours. It reminded one of the popular phrase ‘Cyber War is coming’, from the 1993 RAND Corporation report authored by John Aquila and David Ronfeldt. Whether the threat of a cyber Pearl Harbor is real or exaggerated, it is clear that the world is certainly unprepared to deal with the consequences of a cyber war. Large installations of computer networks and internet have directly become part of the national security system of almost all countries. The smooth functioning of many services are dependent on them. Cyber revolution, in the last two decades, has shaped the threat perception of states as threat from cyber domain has become a reality.
Like conventional and nuclear arms, users of cyber weapons have various options. But unlike the conventional and nuclear attacks (war), cyber-attacks are happening every day. Currently, most common cyber activities include hacking, crime, exploitation, disinformation, and espionage. Analysts argue that cyber weapons differ from conventional and strategic/nuclear weapons because of their availability, reach, usage, and users.
Cyber weapons evidently have different implications and responses when used by a state or a non-state entity. After the much publicized cyber incident against Iran’s nuclear facility, ‘Stuxnet’, developed countries have started to take cyber threats seriously by building defenses against such attacks. Apart from many areas related to cyber warfare which need extensive study, one important question that worries security analysts is whether these weapons have the power to inflict damage to human lives apart from huge financial loss currently happening.
Attribution of cyber-attacks is still an unsolved problem which could be exploited by both state and non-state actors while conducting cyber operations. It is likely that states will increase cyber-attacks against each other, in numbers and sophistication, because it gives countries the chance to lessen the risk to the human lives and expensive/sophisticated equipment. The tendency to call a computer code a ‘cyber weapon’ with respect to security necessitated the need to define the term ‘cyber weapon’. According to the 2013 Tallinin Manual on International Law Applicable to Cyber Warfare, cyber weapons “are cyber means of warfare that are by design, use, or intended use capable of causing either (i) injury to, or death of, persons; or (ii) damage to, or destruction of objects, that is, causing the consequences required for qualification of a cyber-operation as an attack.” As discussed earlier, attribution as well as intention of cyber operations may still be unknowable or at least extremely difficult to determine.
A retired Program Director for Cybersecurity Studies at American Military University, Dr. Clay Wilson, stated four common characteristics of cyber-attacks to define cyber weapons for better and clearer understating, as follows: (i) a combined multiple malicious programs campaign for espionage, data theft, or sabotage; (ii) a secretive ability to keep an undetected operation within system over an extended time period; (iii) an attacker (code) with detailed know-how for the mechanisms of the targeted system; and (iv) a computer code to bypass protective cybersecurity technology.
The increasing number of cyber-attacks against critical national infrastructure has raised the probability of human loss with financial damages. A few cyber incidents, particularly against national infrastructure, have been reported over the last ten years. A cyber-attack against Iran’s nuclear facility Natanz, conducted jointly by the U.S. and Israel, came to light in 2010 which damaged nearly 1,000 centrifuges at the facility and partially impaired Iran’s nuclear program. The response to Stuxnet came as a coordinated campaign of cyber-attacks by Iranian hackers against approximately 46 U.S. financial institutions over the period of a few months. In another instance, in 2015, in cyber attacks aimed at the Ukrainian power grid and which are considered to be one of the most effective cyber operations, hackers successfully managed to disrupt electricity supply to 230,000 people for about six hours. Apart from the above mentioned examples, there are many significant cyber incidents such as the 2018 ransomware cyber attack on the American city of Altanta, which held the city’s administrative department systems hostage for days; the U.S. injecting cyber malware to Russian power grids; and the 2014 cyber-attack on a German steel mill, causing heavy equipment to go out of control. In a fresh row between Iran and the U.S., the United States launched cyber-attacks against Iran’s missile systems in response to Iran’s attacks on U.S. drones.
Fortunately, none of above-mentioned attacks resulted in human loss, but these incidents caused huge losses to costly equipment (in terms of financial damage). Andrew Futter, a senior lecturer at the University of Leicester, wrote in his recently published book ‘Hacking the Bomb’, “Cyber weapons can be better thought of as weapons of mass disruption…” because of their ability to inflict huge financial cost to the adversary. According to an estimate, millions of cyber-attacks resulted in the loss of $45 billion globally only in the year 2018. So, does this mean that cyber-attacks lack the potential to cause human loss? No, it does not. There is an example from December 2017, when a cyber-attack hit the safety system of the world’s largest petrochemical company, Saudi Aramco. Interestingly, the cyber code was not built to destroy specific data in the targeted system or shut down the system, but the attack was directed to cause an explosion. Luckily, the attack was not successful and did not result in intended human loss because of an incorrect computer code sent by the attackers. But what if the code is correct in a second or third attempt? Hypothetically, a cyber-attack on one of the largest dams in some heavily populated area which reverses the process of running turbines, could result in breaking of the flood gates, the discharge of massive amounts of water and consequent human loss. There could be a cyber-attack by non-state actors on the civil aviation system targeting busy airports which can disrupt communication and result in human injury/loss.
As cyber weapons are being heavily used against industrial targets, the day is not far when states or non-state actors will frequently be able to use cyber weapons against the adversary’s military facilities and its sophisticated equipment. With the innovative and more advanced abilities of cyber attacks, the world is likely to begin to see human suffering and loss. Cybersecurity is a still a less explored area as compared to other means of national security. Technologically advanced countries are, therefore, not interested in limiting progress in this field by becoming part of an international agreement or treaty, little realizing that the same tool is being used against them.
States need to come forward to negotiate bilateral agreements and multilateral treaties to reduce the potential cost to human lives in case of a cyber-attack. The United Nations could initiate certain measures in this direction if the individual states are not forthcoming to take such a step.
This article was published in the Strategic Foresight For ASIA on November 28, 2019.