An air force in your pocket
Information age warfare looks as different to an industrial age bombing campaign as telecommuting does to a Chevy Impala. The age of the self-bombing factory is here.
[Note: the first part of this appeared a week ago as the standalone post An Air Force in Your Pocket. This is the full article.]
In 1942, the Allies were desperate to prevent Nazi Germany from developing an atomic bomb. Thirty British Royal Engineers were given the job of sabotaging the heavy water plant in Vemork, in Norway. They were flown from Scotland across the Norwegian Sea in gliders towed behind Halifax bombers. Bad weather and equipment failures meant that both gliders and one of the bombers crashed, killing eleven crew and seven engineers. The remaining 23 engineers were captured, tortured, and shot by the occupying troops.
The second sabotage attempt in February 1943 went better. Five Norwegian saboteurs, trained in Britain, were dropped by parachute onto a remote plateau north of Vemork, where they met up with Norwegian resistance fighters. The team climbed down a steep gorge, crossed a frozen river, and scaled cliffs protecting the heavy water plant. They crawled into the plant through a cable duct, set explosives to destroy the plant, and then escaped into the mountains to begin a multi-week trek to safety in Sweden. The plant was put out of action but rebuilt within six months.
In November the US Air Force assembled a force of 140 B-17 bombers to destroy the plant. They dropped 700 bombs on the town of Vemork, destroying a fertiliser plant and killing 21 civilians, but leaving the crucial heavy water room undamaged.
A final attempt to disrupt the programme was made with the sabotage of a ferry carrying railcars full of heavy water. The D/F Hydro was sunk with its cargo, at a cost of 14 civilian lives.
Sixty years later, the United States and Israel were eager to prevent Iran from developing an atomic bomb. This time there was no air force, no bombing campaign, and nobody was killed. The weapon used to sabotage Iran’s uranium enrichment facility at Natanz was delivered on a USB stick.
In June 2009 a sophisticated software package, later named Stuxnet, was released with the aim of finding its way to Natanz. The Natanz plant housed nearly ten thousand uranium centrifuges, whose job was to separate the bulk of relatively inert uranium-238 from the small fraction of lighter, weapons-grade uranium-235. The centrifuges were precision machines that spun at supersonic speeds, managed by computerised industrial control systems.
The software was designed to hide itself on USB memory sticks so that it could infect computers that were physically separated from the Internet. It had a very specific set of rules, looking for computers that were connected to the exact model of Siemens programmable logic controller known to be running the centrifuges. When it found its target, it would replace the software on the controller with a modified version that would intermittently cause the centrifuges to fail, all the time reporting normal operation.
The machinery had turned on itself and was slowly tearing itself apart. For months, the technicians at Natanz struggled to keep the plant operational but didn’t even know they were under attack.
Around two thousand centrifuges are estimated to have been taken out of service. Doubts about the machines meant the plant never reached full production, setting the Iranian nuclear programme back by years.
The ghostly stealth of a self-replicating software worm could not be more different to the noise, smoke, and violence of an air raid and yet, six decades apart, the results were similar. What used to take an air force is now silent, invisible, and fits in your pocket.
Scalpels and Bludgeons
Comparing the attacks on the heavy water plant at Vemork with the sabotage of the centrifuges at Natanz, cyberweapons seem like a vast improvement. However, the cure for nuclear weapons may be worse than the disease.
Stuxnet was a precision operation. The software was very carefully crafted, partly to prevent detection and partly to limit collateral damage. It checked its environment and would only activate itself on machines known to match the centrifuge controllers. It had a drop-dead date so that it would never run for more than three years from its release date.
The precision that made Stuxnet so much more attractive than aerial bombing is undermined by the software’s ability to copy itself. Despite the immense care taken by Stuxnet’s authors to limit the worm’s scope, it was eventually discovered because it was crashing computers outside Natanz.
If Stuxnet was a scalpel, other cyberweapons have been bludgeons.
In June 2017, Russian intelligence agencies deployed the “NotPetya” malware against banks, government departments, and electricity companies in Ukraine. The attack was dressed up as ransomware but was actually part of Russian support for separatists in Eastern Ukraine.
This was not a precision operation like Stuxnet. The software’s goal was simply to spread and create chaos. It was even more indiscriminate than its creators intended. It disabled the radiation monitoring system at the crippled Chernobyl nuclear power plant and spread as far as the Cadbury chocolate factory in Tasmania. The biggest corporate victim was pharmaceutical firm Merck, with damages of $870 million. The Homeland Security Advisor to the U.S. President estimates the total damages due to the attack to be worth over $10 billion.
Conventional weapons certainly cause their share of collateral damage, but that damage is usually limited to the vicinity of the battle. NotPetya caused damage across Europe, the United States, and as far away as Australia. As warfare shifts from direct physical attacks with explosives to include cyberwarfare, we can expect the world to get more chaotic and the side-effects of war to get more unpredictable.
Declarations of war are a quaint hangover from more gentlemanly times. They will become even less relevant in an age of cyberwarfare. Since the adoption of the United Nations Charter in 1945, most wars have been undeclared. Cyberwarfare blurs the lines so much further that it can be hard to tell whether a state of war exists or not.
Most cyberattacks are nothing more than a minor annoyance. Petty criminals hijack computers and encrypt files for ransom. Even cyberattacks by nation states often look nothing like traditional warfare.
In 2014, North Korean hackers broke into Sony Pictures, stole information, and installed a virus to erase data. They later released a series of confidential emails. The aim of the attack was to get Sony to cancel the release of the film The Interview, about a plot to assassinate Kim Jong-Un. The hackers threatened terrorism against theatres showing the film, but the ultimate extent of the attack was hurt feelings and some loss of income for Sony.
At the other end of the scale, the NotPetya attacks were aimed at causing disruption to Ukrainian infrastructure and should be seen as part of the ongoing war there.
The Stuxnet sabotage shows how blurred the lines have become. The attack was intended to destroy Iranian infrastructure but involved no physical force. It destroyed equipment to achieve a military end but it’s not obvious that it crossed the threshold to be called an act of war.
When faced with cyberattacks that don’t involve bullets or bombs, there’s no consensus on whether a physical counterattack is appropriate. In May 2019, the Israeli Defense Forces destroyed a building in Gaza they claimed was the source of cyberattacks against Israel. Israel was under attack from rockets at the time of the strike. We don’t know whether they would do the same thing outside that context.
In the worst-case, a cyberattack could be as bad as a nuclear war. In Lights Out, Ted Koppel describes a hypothetical cyberattack on the electricity grid of the United States. With the power out over a large area, other infrastructure would start to fail after a few days. Water and sewage systems would fail. Fuel would become scarce. Transportation networks and the supply chains for food and pharmaceuticals would collapse. Social order would break down as the food ran out. Ultimately, millions could die.
Cyberwarfare covers the entire gamut, from annoyance to apocalypse, with no bright line separating war from not-war. The existing rules of war, outlined in the United Nations Charter, prohibit the use of force except in response to armed attack. These rules were written in 1945 and provide no guidance for dealing with bytes rather than bombs.
Without norms for behaviour, expect both attackers and defenders to act erratically as they hunt for the boundaries.
The “WannaCry” worm appeared in May 2017, locking up 200,000 computers in 150 countries, and demanding a ransom of a few hundred dollars per machine to unlock them. Worst affected was Britain’s National Health Service, with 70,000 machines disabled, including MRI machines and critical operating theatre equipment.
WannaCry was eventually traced back to the Reconnaissance General Bureau, home to the North Korean government’s cyber operations and the same organisation responsible for the Sony Pictures hack.
Six months passed between the release of WannaCry and the U.S. Government’s announcement that North Korea was responsible. Even then, North Korea shrugged and said it knew nothing.
Cyberwarfare is deniable in a way that a physical attack is not. Even when a culprit is finally discovered, the passage of time makes an effective response difficult. When an attacker can obscure the source of an attack and knows that a response will come late or never, an attack is more likely.
The rise of cyberwarfare will mean a future of ongoing low-grade war. When the costs of launching attacks are low and the chance of retaliation is reduced, acts of cyberwarfare will become more common. The lack of clear boundaries for what constitutes an act of war will encourage people to try their luck.
Explosives: 1495 to 1945
The shift from explosive power to computing power is as big as the shift from swords to gunpowder. The shift to gunpowder in Europe in the sixteenth century brought immense changes. We’re on the cusp of similar changes.
Gunpowder changed how power was wielded and redrew the map of Europe. Before gunpowder, the most powerful weapons available were knights on horseback and the best defences were city walls. Sieges were difficult and expensive and usually failed, so defenders had the advantage. When any city could build walls to defend itself, city states were the norm. The superiority of defensive technology meant that political entities were small.
Gunpowder artillery blasted straight through city walls, favouring attackers over defenders, destroying the balance of power. The patchwork of tiny city states was aggregated into the map of nations we recognise today. As explosive weapons became more powerful, those nations became empires. By the mid-twentieth century, explosives reached their logical conclusion in nuclear weapons and the countries of the world coalesced around two superpowers.
You wouldn’t download an atom bomb
When gunpowder first appeared, it was used to magnify the strength of existing powers. Dukes, and popes used it to prop up their own interests, but the logic of explosive firepower was irresistible. The dukes and popes were replaced by presidents and emperors.
Today’s most advanced cyberweapons are used by the powers that dominated the age of explosives: Russia, China, and the United States. Unlike the aircraft carriers, fighter jets, and nuclear missiles that made these countries powerful, cyberweapons are not expensive and the materials to make them are not hard to find.
Building Stuxnet took many months and required the resources of the United States and Israeli intelligence services. It used rare and valuable software flaws called “zero days,” flaws unknown to the original software manufacturers. It took a national intelligence agency to discover the zero days, build the software, and deliver it to its target. It’s not something that stereotypical lone hackers in their bedrooms could have come up with.
If security agencies could keep their exploits to themselves things might not be so bad, but they can’t. In 2017, a collection of powerful cyberweapons developed by America’s National Security Agency were leaked on to the Internet for anyone to copy. One of these, nicknamed “Eternal Blue,” has appeared over and over again in cyberattacks across the world. It is one of the tools that was used to build WannaCry, NotPetya, and several others since. Today, the code for both Stuxnet and Eternal Blue are at the end of a web search. It may have taken state-level resources to build these weapons, but they’re now available to everyone.
Knowing how to build an atom bomb and obtaining the materials are two very different tasks. With software, that’s not the case. Software code is its own instruction manual. Detailed instructions on how to build a software weapon are the weapon.
Cyberweapons make immense power available to a much wider range of states, and even non-state actors. As well as Russia, China, and the United States, Iran, North Korea, and Israel have well-developed cyberwarfare programmes. Many others are working on it. Cyberweapons are not limited to nation states. They can be used by criminal groups, terrorists, and “hacktivists.”
Cyberweapons will break apart the world of superpowers that nuclear weapons gave us. Cyberweapons have the potential to be as destructive as nuclear weapons. They’re much easier to reproduce and don’t require much infrastructure to deploy. These two facts, combined, mean that geopolitical power will no longer be limited to a couple of large blocs. We will live in a multi-polar world.
World War 3.0
World War III is already in progress, but it’s very difficult to see. There will never be an epic conflict like World War II or the Cold War ever again. Those conflicts were driven by the logic of explosive power. The logic of cyberwarfare won’t allow it.
Cyberwars won’t have declared start or end dates, nor will they have two cleanly defined sides. The future is one of multiple entities, state and non-state actors jostling for position, engaged in constant low-grade warfare, with no clear distinction between combatants and civilians. The effects of battle will be unpredictable and could appear anywhere in the world.
Governments, utilities, and private companies and individuals need to take cybersecurity seriously. It’s what stands between us and chaos.
 (Bascomb, 2016). Ch18
 (Zetter, 2014)
 (Koppel, 2015)
Bascomb, N. (2016). The Winter Fortress. London: Head of Zeus.
Koppel, T. (2015). Lights Out. New York: Broadway Books.
Zetter, K. (2014). Countdown to Zero Day. New York: Broadway Books.