One of the rules of war in Sun Tzu’s ‘The Art of War’ is to win a war without fighting. Both the good and the bad news is that cyberspace can enable this. The world has come a long way from the first generation of warfare when wars were fought with swords, bows, and arrows. After transforming through four (officially and widely accepted) generations of warfare, cyber warfare can be viewed as representing the emergence of the fifth generation “as battle spaces shift from tangible (physical) domains like land, sea, and air to media, cyberspace, and national institutions.” [1] This allows, quite conveniently for many governments, the coexistence of the fourth and the other generations of warfare in hybrid warfare scenarios.
The fourth generation of warfare can be simplified as “decentralized in terms of command and logistics; physical combat is no longer the primary activity and goal of insurgent forces; the use of terrorism and propaganda are integral elements of how they wage war” [2] – merging war and politics and making it hard to distinguish between combatants and non-combatants. [1] The fifth-generation warfare is a further refinement of the fourth, it introduced the use of fully autonomous weapons alongside cyber and/or information attacks. This article focuses solely on cyber and information attacks and analyses how this can lead to physical damages to infrastructure etc. in the case of states as well as organizations.
Role of non-state actors
There have been lots of recorded cases of cyber-attacks in the past. One of the examples is the well-known Sony hack in 2014 that the FBI reported was carried out by North Korean hackers named the Guardians of Peace, although some believe it was a group of unnamed Russian hackers [3]. Another example is the JPMorgan hack where “83 million records were stolen…affecting 76 million households and seven million small businesses”. [4] In these and similar cases was no record of any physical damage. The outcomes usually fall under information theft of all kinds; emails as well as physical addresses, login credentials, trade, intellectual secrets and so on. How, then, do cyber-attacks lead to physical damage?
In the 21st century, people and governments alike can be seen pushing for the establishment of smart cities and facilities or buildings. All these are connected to the internet with critical infrastructures in place. The infrastructures, embedded in facilities of this kind, are as equally vulnerable to cyber-attacks as a computer. They are run and controlled by applications installed on computers and hackers simply need to gain access to the host system in order to successfully carry out the attacks. It is such an open field that it does not always require organized crimes or criminals – there is a case of a teenager pulling off an attack of this sort in Poland.
In 2008, four trams were derailed in Lodz, Poland and 12 people were injured. [5] The teenager behind the attack only had a homemade transmitter and a computer with which he tripped rail switches and redirected trains. This 14year old kid’s intention was to prank people, but his actions led to physical injuries to humans and damage to properties. This is a case of an individual which does not classify as a ‘non-state actor’. Nevertheless, there was a recent (2016) case in Ukraine where the attack was targeted at the power grid and it was successful. The incident was a repetition of a similar one from the previous year and it resulted in a state-wide blackout that lasted for an hour. [6] There was no known record of any physical damage from the incident, but further analysis of the malware led to the discovery that “one aspect of the malware exploits a known vulnerability in a piece of Siemens equipment known as a Siprotec digital relay”. [6] The Siprotec devices were produced for “protection, control, monitoring, and measuring applications in electrical energy systems” [7] and are used, in Ukraine’s case, to check charges of grid components and “automatically open circuit breakers if it detects dangerous power levels”. [6] An attack intended to disable the circuit breakers can lead to the grid systems overheating and, therefore, damaging the transformers, consequently causing a fire breakout and/or explosion. Both the 2016 and the similar previous 2015 attacks were traced to a group of hackers originating from Russia by the name Sandworm. However, there were no official records of arrests. [6] [8]
Role of state actors
The term cyber warfare was coined after US’ and Israel’s alleged involvement in the use of the cyberweapon, Stuxnet, in an attack that targeted an Iranian nuclear power plant and “destroyed 20% of the centrifuges Iran used to create its nuclear arsenal” [9] in 2010. That, however, was not the first time codes have been weaponized to cause damage. [4] It is in fact the Turkish (Baku–Tbilisi–Ceyhan) pipeline explosion in 2008, which was not confirmed as a cyber-attack at the time. Coming to the light of the Stuxnet attack, however, was what allowed investigators to understand and classify the Turkish pipeline explosion as a cyber-attack. Although there was no official confirmation of any state’s involvement in the attack, “the chief suspect, according to US intelligence officials, is Russia” [10] and days after the explosion, Russia dropped bombs in a launched attack on Georgia which is the neighbouring state. [10]
The Stuxnet attack was clearly conducted with the sole intent of crippling Iran’s capabilities to become nuclear-independent, as it was specifically tailored to search out and attack the Siemens Step 7 software usually installed on computers meant for automating and monitoring electro-mechanical equipment. [11] If the intent was to bring Iran to its knees, they could have written a code to target the nuclear power plant’s control system and tamper with the power source, possibly causing an explosion.
In the case of the Turkish pipeline explosion, the plan was so carefully executed that the many sensors installed on site did not trigger any signals of distress, nor did the cameras capture the combustion. The “hackers had shut down alarms, cut off communication super-pressurized the crude oil in the line” [10] and the explosion was not detected at the facility until later.
There is always a footprint which can be traced, even in the cases of cyber-attacks. It is perhaps not so surprising that many of these recorded attacks can be traced back to Russia (either the government or the citizens), although China and North Korea, as well as Iran, are typical suspects as well. However, there are hardly any arrests, in contrast to cases of physical crimes, and it is down to problems like attribution, anonymity and internet globalization as cyber-attacks transcend geographical boundaries. There is also no actual binding law regarding the cyber security of states which does not bode well especially when we take the very low cost of these attacks into consideration; only a computer is needed most of the time, but even if more tools and equipment are to be used, it never costs as much as waging a traditional war. Nevertheless, it can cause damages and costs on the same level as traditional war.
International norms loopholes
Why there is no single mention of any international initiatives to introduce international norms regarding cyber-space?
Since the turn of the last decade, cyber-attacks have grown more sophisticated and the Stuxnet cyber weapon, for all the enlightenment it brought about, is not the deadliest one that had been used, at least not anymore and it is not even the Crashoverride (the weapon that targeted Ukraine’s power grid). In 2017, the Triton cyber weapon was launched against a Saudi Arabia petrochemical plant and although it did not lead to any physical damages, which was the intended outcome, it has been said that it „surpasses both forerunners with the ability to directly interact with, remotely control, and compromise a safety system — a nearly unprecedented feat.“ [12]
As pointed out earlier, in most of the cases there have been no arrests even though most were successfully traced to the perpetrators, and this is because existing international norms did not take into consideration the ability of cyber-attacks to transcend geographical locations. Contrary to the report from RAND stating that “the lack of international norms means that many cyber-attacks fall into a grey area below the threshold of total war” [13], there are international norms and they are used in cyber incidents too, they just do not address cyber issues correctly. This is largely based on the fact that there were no previously known threats that could possibly emanate from cyber incidents, but a lot has changed since then, and it has been a struggle to correctly fit this into the current norms hence the grey area mentioned.
Cyber-attacks are not limited by location so a hacker from Hong Kong, for instance, can attack a site or system in the deepest parts of the African continent without leaving his room, publicly claim responsibility for the attack and still roam freely simply because the concept of sovereignty does not allow one state’s officials to operate or arrest another state’s citizen outside their jurisdiction without initial consent or approval. This is a huge gap that is being exploited by many state actors that can maintain plausible deniability, making it a wild goose chase for cyber security firms as all they can do when they figure out the origin of an attack is name and shame. It is understood that states cannot be ‘arrested’, only sanctioned (which is still very ineffective, even in conventional war situations) but what happens to non-state actors or individuals and the growing confidence to continually improve on these criminal tactics because of known loopholes? Naming and shaming are no longer sufficient as cyber-attacks are no longer limited to economic benefits in which case the money can be traced.
Clearly, all of these resulting physical damages from cyber-attacks are collateral damages – “defined as incidental death or injury of civilians or damage or destruction of civilian objects” [14] – and rule 51 from the Tallinn manual states that “a cyberattack that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated is prohibited” [14]. The manual may be addressing this issue, but that is also a problem since it is a manual and not binding law. Even the few binding laws are not signed by all states let alone ratified so state and non-state actors are currently moving freely in an unregulated world.
In the age where “most modern commercial buildings use a BMS – Building Management System – to monitor and control mechanical and electrical equipment and other systems” [15], and carrying out these attacks only requires little in terms of finances, “cyber attacks present an option that allows those who employ them to keep threat levels low while dealing disproportionate damage that may not be immediately apparent”. [1] All stakeholders in cyberspace, therefore, need to be wary of these possibilities and act quickly in terms of ensuring security, because it is the wild west out here and states as well as criminal organizations are not hesitant to explore this area to its maximum.
Sources:
[1] Hasan, A. (2019, December 9). Cyber warfare or ‘How to win a war without fighting’. Tribune. Retrieved June 4, 2022, from https://tribune.com.pk/article/91778/cyber-warfare-or-how-to-win-a-war-without-fighting?msclkid=ec410142ac7611ecb67f3ad995b4eef6
[2] Greg, S. (2010). Fourth Generation Warfare and The Clash of Civilizations. Journal of Islamic Studies, (21. 10.1093/jis/etq042.). https://www.researchgate.net/publication/240584456_Fourth_Generation_Warfare_and_The_Clash_of_Civilizations
[3] Agnew, L., & Siegel, T. (2019, November 25). Five Years Later, Who Really Hacked Sony? – The Hollywood Reporter. The Hollywood Reporter. Retrieved June 4, 2022, from https://www.hollywoodreporter.com/movies/movie-features/five-years-who-hacked-sony-1257591/
[4] Storm, D. (2014, December 22). Cyberwarfare: Digital weapons causing physical damage. Computerworld. Retrieved June 4, 2022, from https://www.computerworld.com/article/2861531/cyberwarfare-digital-weapons-causing-physical-damage.html
[5] Squatriglia, C. (2008, January 11). Polish Teen Hacks His City’s Trams, Chaos Ensues. WIRED. Retrieved June 4, 2022, from https://www.wired.com/2008/01/polish-teen-hac/
[6] Greenberg, A. (2017, June 12). Crash Override Malware Took Down Ukraine’s Power Grid Last December. WIRED. Retrieved June 4, 2022, from https://www.wired.com/story/crash-override-malware/
[7] Unterweger, M. (n.d.). SIPROTEC 5 | Protection relays for digital substation. Siemens. Retrieved June 4, 2022, from https://new.siemens.com/global/en/products/energy/energy-automation-and-smart-grid/protection-relays-and-control/siprotec-5.html
[8] The ALS group. (2017, March 14). 6 Cyber Attacks that Caused Property Damage. Risk Management Consultants. Retrieved June 4, 2022, from https://info.thealsgroup.com/blog/cyber-attacks-property-damage
[9] Fortinet. (n.d.). History of Cyber Warfare and the Top 5 Most Notorious Attacks. Fortinet. Retrieved June 4, 2022, from https://www.fortinet.com/resources/cyberglossary/most-notorious-attacks-in-the-history-of-cyber-warfare?msclkid=ec415fc6ac7611ec8b5bbbe69386d0cb
[10] Robertson, J., & Riley, M. (2014, December 12). Before Stuxnet, Refahiye pipeline blast in Turkey opened new cyberwar era. Sydney Morning Herald. Retrieved June 4, 2022, from https://www.smh.com.au/world/before-stuxnet-refahiye-pipeline-blast-in-turkey-opened-new-cyberwar-era-20141212-125nvy.html
[11] Trellix. (n.d.). What Is Stuxnet? Trellix. Retrieved June 4, 2022, from https://www.trellix.com/en-us/security-awareness/ransomware/what-is-stuxnet.html
[12] Sobczak, B. (2019, March 7). The inside story of the world’s most dangerous malware. E&E News. Retrieved June 4, 2022, from https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/
[13] Porche III, I. R. (2019, June 24). Fighting and Winning the Undeclared Cyber War. RAND Corporation. Retrieved June 4, 2022, from https://www.rand.org/blog/2019/06/fighting-and-winning-the-undeclared-cyber-war.html?msclkid=2c35767bac6b11ecae06f34afb9db5ae
[14] Artese, E. E., & Vitkov, V. (2015, November). Cyberwarfare and Collateral Damages. GlobaLex. Retrieved June 4, 2022, from https://www.nyulawglobal.org/globalex/Cyberwarfare_Collateral_Damages.html#MainInternationalLaw5
[15] Oliver, L., & Gordon, S. (2021, May 17). When cyber threats get physical. Clyde & Co. Retrieved June 4, 2022, from https://www.clydeco.com/en/insights/2021/05/when-cyber-threats-get-physical