On 29th February, Defense Secretary Ashton Carter announced that the U.S. would be part of a coalition cyberwarfare operation with Iraqi and Kurd forces to recapture the city of Mosul from ISIS. Although after Snowden the U.S. has been monitoring internet data to zero in on suspected ISIS activists, this was the first time that it had formally declared a cyberattack.
However, it was not the first time that the U.S. had been involved in cyber attacks. Found in October 2010, Stuxnet was a malicious worm that is believed to be the product of a U.S.-Israel coalition, designed specifically to attack Iranian power line communications. Stuxnet managed to collect information on Iran’s industrial systems and caused the fast-spinning nuclear centrifuges to turn slightly too fast, damaging about one-fifth of Iran’s centrifuges and setting back Iran’s nuclear program by two years. News about Stuxnet is so old and well known that it has its own Wikipedia page.
Even older is the series of cyber attacks on Estonia. Beginning on 27th April 2007, a denial-of-service attack overwhelmed government, bank and journalist websites in the middle of the country’s disputes with Russia about the relocation of a war memorial in Tallinn. The attackers used a wide variety of methods, in an incoherent manner, and it was described as a cyber riot rather than an attack. Nonetheless, it took down public access to government websites and some financial services, and its size and sophistication have led to suspicions that the attacks were state-sponsored.
These stories are yesterday’s news, but they are still relevant to how the UN and international law treat instances of cyber attacks and cyber terrorism. Jaded by the lack of redress from the international community for the ostensibly state-sponsored attacks against their infrastructure, Estonia proposed the concept for a cyber defence centre to NATO in 2004, immediately after joining the Alliance. The NATO Cooperative Cyber Defence Centre of Excellence was thus established, and one of the most interesting products of this organisation has been the Tallinn Manual. The three hundred pages of bedtime reading, drafted in 2009, offer recommendations on how we should treat cyber attacks within international law, much like how the Geneva Conventions establish standards for the humanitarian treatment of war. The Tallinn Manual was one of the first documents to begin the debate and, in a monumental step forward on cybersecurity, the UN General Assembly adopted a Resolution “affirming and clarifying the application of international law to state behavior in cyberspace” in 2011.
The Resolution also highlighted the importance of strengthening the security of information and communication technologies in developing nations, to address the mutual risk of cyber threats from vulnerabilities in states without the capacity to develop defences themselves. That nations should do as much as they can to strengthen their cyber defence is beyond question. Yet we can already see the beginning of an arms race. How can defence stay one step ahead? The consequences can be immense – the U.S. has admitted that its power line communications are susceptible to attack by software. Cyber attacks have the potential to cause real damage to infrastructure, banking services and simple access to information. Cyberwarfare has a capability beyond traditional infantry, naval and air forces to be truly global and simultaneous, and likewise, regional networks such as APEC, NATO and the EU are already collaborating to strengthen their cyber defences together. Early last month, the NATO CIRC and the CERT-EU concluded a Technical Arrangement on cyber defence to help both organisations exchange information and share best practices between emergency response teams.
The gravity of a cyber attack is clear: such attacks are weapons of mass disruption with the potential for hugely destructive results. The Aurora Generator test in 2007, during which a power station’s generator was physically destroyed by just 21 lines of code, gives a glimpse of the real power of a cyber attack. Even more worryingly, it seems that such a strike has already occurred on Ukraine’s power stations in late 2015. 80,000 people across Ukraine were left without power as power stations were shut down and phone lines jammed. The Russian secret service was supposedly behind the attack; it is not hard to imagine how something similar on a larger scale could make a nation ripe for invasion or even, if it were sufficiently targeted, could totally bypass the need for any physical incursions.
In the meantime, this uneasiness about the safety of the internet has caused the unanticipated return of the fax machine as people seek out a quick and safe way of communicating. Michael Lynton, the chief executive of Sony, says that he now writes important messages by hand and faxes them. This is, of course, unlikely to be a lasting solution, but it does indicate how seriously this new military frontier should be taken. Cyberwarfare will be integral to all future military operations, meaning that international struggles will once again threaten the homes of every citizen, just as nuclear warfare did during the Cold War. Indeed, cyber attacks have the potential to be almost as damaging as a nuclear attack. International governments already recognise this fact and as such have begun to create treaties which deal with this potential conflict. The agreement between two of the world’s biggest powers in September 2015, along with other government treaties mentioned above, signals the beginning of a burgeoning field of diplomacy.