Cyberwar: How It Started, Where It's Going, and Why We Should Care

Graphic created by Garret Urban

Cyber attacks are an increasing threat to the international community and to United States national security. Such attacks are no longer dominated by solo figures; they are increasingly sponsored by national governments as a new type of weapon in their arsenals. To understand why cyber weapons and cyber defenses are critical to our national security now and in the future, we must answer some key questions. Why are cyber attacks becoming increasingly attractive to governments, and what are their pitfalls? What are the potential consequences of an all-out attack, and is the United States ready for one? To answer these questions we must first examine what cyber attacks are, how they have been used in the past, and how they have advanced.

What is a cyber attack?

Cyber attacks vary in their target and scope. A cyber attack is “Any kind of [cyber] malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.” There are many types of cyber attacks, but I'll just outline a few here: phishing, denial of service, and zero-day exploits.

A phishing attack is probably the attack people are most familiar with. A suspicious advertisement, email, or text message shows up trying to get you to click a link or download something. That link or download then installs malware onto your device, which can be used to steal information, sabotage the system, or extort money from you (ransomware). Because these attacks require a person to click or download something, they are less suited to sophisticated covert operations.

A denial of service attack (DoS) is a cyber attack that floods a network with so much traffic that the target cannot respond or crashes completely. This keeps anyone from accessing the network for a period of time, and it can be used against government services, private companies, or any other network. There are several types of DoS attacks, but the main idea is to keep legitimate users from accessing a network. A DoS attack does not require the kind of human error that a phishing attack does; even more sophisticated methods exist, however.

A zero-day, as it is known, is a vulnerability in a piece of software that is unknown to that software’s creator, so no patch or fix exists yet. This is one of the most powerful forms of cyber attack: because zero-days are unknown, an attacker can gain access to a device or network covertly, without requiring any action from the device's owner. Zero-day exploits can sell for thousands, even hundreds of thousands of dollars on the black market, depending on the software in question. Prices vary widely by market and by exploit. For example, an Adobe exploit can fetch anywhere from a few thousand to tens of thousands of dollars, while an Apple iOS zero-day could go for millions.

These are only a few of the many types of cyber attacks used every day around the globe, by many different actors and for many different purposes. However, cyber attacks have increasingly been used by governments and state actors to conduct international operations. Why would this be the case, and what could it mean for the future of international relations?

Why are cyber attacks attractive for state actors? 

Cyber attacks have many key features that make them attractive alternatives to traditional methods of warfare. 

  1. Cyber attacks are shrouded in ambiguity and can be difficult to trace back to their sources, not only because cyber forensics is not an exact science but because states may have incentives to lie about their findings. While cyber forensic teams can analyze certain footprints in attacks, look for patterns and, in many cases, come to conclusions about their origins, the problem lies in disseminating this information. 1) A state may not wish to disclose how it was able to attribute an attack to a certain group or country, in the interest of keeping its own espionage and information-gathering practices secret. 2) A state may not wish to disclose the methods it used to trace an attack to its source, for fear that the attackers may use this information to cover their tracks better next time. 3) States may have an incentive to lie about the source of an attack for political reasons. All of these factors make it difficult for states to convince people and other states of the validity of their findings, keeping the world of cyber warfare in the shadows. The somewhat obscure nature of cyber warfare has massive implications for geopolitics, because it can be a quicker, less “dirty” method of conducting foreign intervention. The ambiguity of these attacks allows governments to steal valuable information and destroy critical infrastructure with less fear of retaliation, largely because the victim may never be able to determine the source of the attack. The issue with plausible deniability is that governments can misattribute these attacks to an innocent state or government, leading to wrongful retaliation and an escalation of conflict that should never have happened in the first place.

  2. They are significantly cheaper than sending troops, drones or even conventional weapons. Although cyber attacks can be costly, especially if complex viruses are required for an attack, they are far cheaper in the long run.

  3. Because a cyber attack is virtual, leaders and governments do not have to risk human lives if and when they decide to attack an adversary. This gives leaders a greater variety of options without risking their own popularity at home.

  4. Unlike traditional warfare, cyber attacks have no physical distance constraints. Even planes and drones have a limited range, but a cyber attack can travel anywhere instantaneously without regard for borders, geography or distance.

  5. Cyber attacks can be used to handle delicate or covert international situations that traditional warfare cannot. 

How have cyber attacks been used in the past?

One of the first cyber attacks was conducted by a graduate student at Cornell University in 1988, who released a worm (self-replicating, self-propagating malware) that spread to about 6,000 of the 60,000 computers connected to the internet, causing many of them to crash. The student in question, Robert Tappan Morris, did not have malicious intentions but was simply experimenting with worms, and an apology and information on how to remove the worm were released. From this event were born both the idea of malicious cyber attacks and the need for cyber security to prevent them. Individuals and small groups began to see the potential of such attacks, and governments were not far behind them.

Governments have been sponsoring hacking groups since the Cold War, mostly focused on monetary gain, espionage and sabotage. More recently, Bangladesh’s central bank was breached in 2016, with the attackers using the international SWIFT banking system as their vector of entry. The hackers attempted to steal $900 million and ended up making off with $81 million. Cyber forensic experts believe the attack was conducted by a state actor but could not clearly identify which one. There is evidence that a North Korean group, the “Lazarus Group”, one of the first identified hacking groups, may have been behind the attack, but no definitive facts have been presented to the public. This attack called into question the entire international banking system, exposing its vulnerabilities and showcasing the potential strength of state-sponsored hacking groups.

In addition to simply stealing money, state-sponsored hacking groups have also engaged in sabotage and espionage against other states for political purposes. The hacking groups dubbed Fancy Bear and Sandworm are early examples of how states utilize hacking teams, and both groups are still operating to this day.

Sandworm and Fancy Bear

Fancy Bear is a Russian cyberespionage group that emerged in 2008 and has since attacked the Democratic National Committee in the United States, various European militaries, and national governments. The group went quiet for some time but has recently emerged from the shadows to go after Ukrainian artillery and rocket targeting data alongside Russia's invasion in February 2022. Another prominent Russian hacking group, Sandworm, has also carried out sophisticated espionage and disruption operations over the years, many of which have targeted Ukraine. Like Fancy Bear, Sandworm carried out attacks on Ukraine in 2022, attempting a blackout that proved unsuccessful. Ukraine has long been the testing ground for Russian hacking groups, and it is home to the only two confirmed blackouts caused by cyber attacks, in 2015 and 2016.

These groups are being used as a new kind of tool for states to attack or gain an edge on their rivals. Many governments have dismissed the attacks on Ukraine, and others like them, as regional problems that are not the concern of their respective states, failing to see the potential danger they represent for the rest of the global community. As we know, cyber attacks have no geographical limitations, meaning that no matter where they take place, they should be taken seriously as a potential threat to national security.

While these Russian groups were carrying out espionage and power grid sabotage missions, a much bigger and more sinister operation was being planned and executed. A worm that was the first of its kind was being developed in secret: a worm that pushed the limits of possibility and jumped the gap between the virtual and physical worlds.

Stuxnet: The First True Cyber Weapon 

Graphic created by Garret Urban

The virus known as Stuxnet was first discovered in 2010 and has since been found on hundreds of thousands of devices all around the globe. However, it sat dormant on these computers, and its purpose remained a mystery for some time. Through careful analysis by cyber forensic teams, Stuxnet was later found to be responsible for the sabotage of the Iranian nuclear program, an effort that began under the Bush administration and accelerated in the first few months of Obama's presidency. The project was a joint operation between the United States' National Security Agency (NSA) and the Israeli government, and it was known internally by the codename Operation Olympic Games.

Stuxnet was designed to infect a highly specific industrial control system that was only being used in the Iranian nuclear program, meaning it would have no effect on any other device it infected. The worm used a highly sophisticated method to destroy around 900 centrifuges deep underground in Natanz, Iran, while remaining undetected. In short, Stuxnet caused the centrifuges used to enrich uranium to spin faster than their system could handle, causing them to self-destruct. While doing so, the virus was also feeding false data to confused Iranian engineers, making it appear in their monitoring systems that all was well. Stuxnet may also have tampered with the centrifuges in other, more subtle ways, such as disrupting the gas intake systems, thus slowing the enrichment process.

The worm was so sophisticated and well crafted, in both its abilities and its stealth, that it is widely considered to be the first true cyber weapon. Stuxnet used at least four zero-day exploits to accomplish its goals, an unprecedented number, as most attacks do not use even one of these valuable and scarce vulnerabilities. However, despite its highly complicated and skillful design, Stuxnet spread rapidly out of the control of its creators, aggressively infecting computers worldwide. This alerted cyber forensic teams to its existence, much to the dismay of its creators, who no doubt would have preferred that the existence of the worm, and how it operated, stay unknown.

The launch of Stuxnet was not perfect, and it sparked disagreement between the United States and Israel about its implementation. The United States government preferred a slow but highly covert disruption of the Iranian nuclear program, while the Israeli government favored a faster, more aggressive approach.

Thanks to the careful analysis of cyber forensic teams, we know that several versions of the virus exist: an earlier, far more subtle version that prioritized stealth, and a last version that spread rapidly and destroyed centrifuges aggressively. The aggressive version was reportedly launched by Israel without the approval of the United States and was subsequently detected and thwarted by the Iranians. It might never have been discovered if not for this escalation, and the NSA, notorious for favoring secrecy, was no doubt furious.

Stuxnet was used as a new type of tool in a delicate international situation where diplomacy had failed and military solutions were unfeasible. Governments will increasingly turn to cyber solutions for international problems as their value is tested and proven. Although Stuxnet failed to wipe out Iran's nuclear program, it is the first cyber worm to destroy physical infrastructure, setting a new and dangerous precedent in the world of cyber warfare. 

Could something like this get out of control? What are the potential consequences?

As we have seen in the case of Stuxnet, these worms can get out of control, failing to be contained even by their creators. In Stuxnet's case, containment was not a major concern beyond compromising its stealth, since it only affected a highly specific piece of software. This may not always be the case, however. What happens if a less surgical and precise worm makes its way out of its creator's hands?

In 2017 the most devastating cyber attack since the creation of the internet took place in Ukraine and ground one-fifth of all global shipping to a screeching halt. Sandworm (the Russian hacking group mentioned above) released a virus named NotPetya, designed to spread indiscriminately, and it became the fastest-propagating virus in history. The goal of this virus was not to extort but to disrupt, rendering every computer it infected permanently unusable. The virus was targeted at Ukraine, but within hours of its release its destruction spread far beyond Ukraine’s borders. NotPetya was soon discovered around the world, and it crippled the multinational shipping company Maersk, the pharmaceutical giant Merck, a FedEx branch, a French construction company, a global food producer and more.

This virus was aimed at Ukraine but ended up crippling trade routes and private industry around the globe, costing about 10 billion in damages. If governments start turning to cyber war as their primary means of attacking an adversary, the consequences may be widespread and devastating. This does not even take into account the possibility of a government purposefully crippling global trade routes, food production, hospitals, e-commerce, banking, the military, manufacturing or other critical infrastructure. A deliberate and indiscriminate attack on such global networks is possible, and the United States, like others, is woefully unprepared.

Are we ready for a large-scale cyber attack? Who is?

Graphic created by Garret Urban

Ukraine has long been the testing ground for Russian cyber attacks, but it would be foolish to believe there are no plans to spread them elsewhere. Ukraine expects these kinds of routine attacks and has adapted to them in some ways. Operators are often ready to switch power grids and other systems to manual operation to thwart attacks, and the country has been forced to build more robust cyber security. But what happens when these worms and attacks leave the testing arena and turn more aggressively on the United States and the rest of the world?

To be clear, the United States has suffered attacks from many countries including Russia, China, North Korea, Iran and more. These attacks hit the government as well as private companies. While the NSA and the military have fairly robust cyber capabilities, the private sector is still highly vulnerable, and this is a huge problem. 

Private businesses have been slow to update their cyber security for several reasons. Implementing cyber security is expensive and time consuming, cutting into companies' profits, at least in the short term. Another reason for poor cyber defenses is that there are no universal security mandates, allowing companies to implement security ad hoc. This is extremely concerning because the private sector controls vast amounts of intellectual property, private information on individuals, trade networks, food distribution, hospitals, manufacturing, power grids and so much more. An attack on any one of these, or, lord have mercy, on several at once in a coordinated attack, could be a complete disaster and even cause deaths, depending on the nature of the attack. This is why cyber war is a massive national security issue that needs to be addressed with more urgency than it currently garners.

The United States government needs to issue mandatory cyber security frameworks and standards for private companies, in recognition of the collective effort it will take to make the United States ready for a large-scale cyber attack. The Department of Defense does not currently have an adequate system for reporting cyber attacks, and miscommunication is a weakness. A clear and mandatory communication standard for such events must be established in both the public and private sectors. Defenses cannot be properly built against a threat if the nature and scale of that threat are ambiguous. We can no longer afford to be reactive. We cannot sit around and wait for a massive infrastructure attack, blackout, heist, or informational breach before we decide to take the cyber threat more seriously. Many government officials may be under the impression that a foreign government would not dare attack the United States for fear of retaliation, but this line of thinking is erroneous. We have to assume that at some point our international rivals, with their growing cyber capabilities, will use any means at their disposal to weaken the United States, and we must plan accordingly.

Further Reading

For those interested in further reading on Sandworm or Stuxnet, here are two fantastic books I would recommend.

https://www.barnesandnoble.com/w/sandworm-andy-greenberg/1129288539 

https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196 

Edited by Andy Essa