JUST before midnight on Sept 5, 2007, Israeli aircraft entered Syrian airspace, bombed an under-construction nuclear reactor, and left four hours later without a shot fired at them. All the while, Syrian systems showed that there was nothing afoot, controllers saw a clear sky on their radars and no reason to scramble their air defence. The Israelis had cloaked their kinetic attack with a cyber one, having hacked Syrian radars with images of an empty sky. The Syrians woke up the next day and found out what happened. This may have been the first time cyber operations were used to enable an attack.
Soon after, code would be used as not only a ruse for a physical attack, but as the attack itself. In the Stuxnet attack in 2009, the US and Israel used a digital weapon against an Iranian uranium enrichment facility. In what could be the plot for a Hollywood thriller, the code was planted into the system by a Dutch mole, pretending to be a mechanic, through a USB. Soon after, Iranian scientists realised that while computers in the operating room were reporting that all centrifuges were functioning normally, some were spinning out of control and others were spinning too slowly, unbalancing them to the point that they exploded. Over 1,000 centrifuges were destroyed in the attack, a fifth of those at the site, setting Iran’s nuclear programme back two years.
This marked the start of an era of cyber combat in which war would be fought with bytes instead of bombs. Except it didn’t —- not really. Every year, war lawyers warn of the start of digital Armageddon, but their predictions have vastly overestimated the impact of cyber operations in warfare. Even the Russia-Ukraine conflict, which was billed as the world’s first cyber war, remains largely conventional. While cyberattacks have their uses, they are not great at killing enemy soldiers, destroying their weapons, or retaining control of territory.
What they are good for though is low-level harassment tactics — spying, stealing resources and spreading chaos. This is helped by the boundlessness of the internet, which makes it easy to mask a perpetrator’s involvement. Unlike with terrestrial, aerial, or nautical battlefields, it is unclear where borders are in cyberspace. This leads to a cat-and-mouse chase with no idea where the mouse is, given it is nearly impossible to know who is behind the machine or even where the machine is located. The internet is one big masquerade ball.
In the information age, data is the new oil.
And it is one we are increasingly immersed in. As the Internet of Things grows, it controls much of public life, making it easy to exploit. Our distribution networks for food, water, energy, healthcare, transportation, and businesses are increasingly digitised, and this always comes with the risk of breach. Pakistan is acutely vulnerable to this: while Nadra boasts of being the world’s largest singular citizen database, it has been prone to data hacks. Same with our banking sector: many Pakistani banks have been hacked and funds and data have been stolen.
In the information age, data is the new oil. The Pentagon has admitted that other states steal billions per year in technology from the US this way. In fact, for many states, especially Iran and North Korea, technology could be a great leveller, allowing them to exploit the resources of richer countries while evading responsibility. After Stuxnet, Iran heavily invested in building an army of techies that could be on par with the West. Same with North Korea. Sometimes these hackers act out of revenge. After the film The Interview was released, in which Seth Rogan and James Franco try to kill Kim Jong-un, North Korean groups hacked Sony and published its data online, including personal employee emails (in which a producer referred to Angelina Jolie as “a minimally talented spoilt brat”).
While these examples (barring Stuxnet) don’t count as cyberwarfare, the laws of war are woefully inadequate in dealing with cyber ops which don’t cause physical damage. Under these laws, currently, essential healthcare documents are protected so long as you can hold them in your hand, but not if the same data exists in cyberspace. This hardly makes sense in a world where so many essential services are computerised. So the thing that war lawyers have been warning against, which hasn’t yet happened, is also the thing we are least prepared for.
Last year, an American in his pajamas managed to turn off North Korea’s internet from his living room. It was done punitively, as he claimed to have been hacked by North Korea a year earlier and was frustrated by the lack of US response. While cyber Armageddon may not have happened, cyber pandemonium is more likely — cyber ops can inflict significant damage without boots, bullets, and bombs. A lone hacker in his pajamas could upend the state, and all without fighting.
The writer is an international lawyer at the Conflict Law Centre.
Published in Dawn, July 8th, 2023