The new era of cyberwar became public knowledge in 2012, when US officials leaked to The New York Times that Stuxnet, the malware security researchers had discovered in 2010, was a joint American-Israeli operation. Stuxnet, deployed several years before the leak, was a sophisticated piece of malicious software built to sabotage Iran's uranium-enrichment program. It caused Iranian centrifuges to speed up, slow down and eventually fail, while feeding Iranian operators "false feedback" that showed the equipment running flawlessly. No one can say how much Stuxnet slowed Iran's nuclear ambitions; Iran never revealed the extent of the damage.
Because the centrifuge control network was not connected to the Internet, the Stuxnet worm, a precise and effective piece of malware, reached Iran's nuclear program on USB thumb drives and infected laptops. Once inside, it searched for a specific configuration of Siemens industrial-control software and the controllers it managed; on any other machine it did nothing harmful. The worm infected some 300,000 computers but activated its sabotage payload on only a small fraction of them. Unlike the assassinations of Iranian nuclear scientists, which Israeli operatives, probably from its intelligence agency, the Mossad, carried out, Stuxnet's effect was invisible.
Israel had asked the George W. Bush administration for "bunker busting" bombs to attack Iran's nuclear research center. President Bush saw Stuxnet as an alternative to a traditional use of force. The Iranians apparently first assumed that the sporadic problems with their equipment sprang from manufacturing defects or engineering shortcomings. When Iran learned of the Stuxnet attack, it retaliated. The Izz ad-Din al-Qassam Cyber Fighters claimed credit for some 200 distributed denial-of-service (DDoS) attacks on dozens of major US banks. Another attack attributed to Iran used malware that wiped the data from tens of thousands of computers at Saudi Aramco and at a joint venture of Qatar Petroleum and ExxonMobil.
A New Frontier
Stuxnet marked a new chapter in the annals of international confrontation: the first known instance of a computer attack designed to cause physical damage rather than to steal data or clog online traffic. Reflecting the growing importance of cyberwar, the Pentagon said it would ramp up its hacking capabilities. Leon Panetta, then the US defense secretary, warned that America's enemies might unleash a "cyber Pearl Harbor" that could include plane crashes, train derailments or chemical explosions. Foreseeing a new age of cyberwarfare, the US beefed up its Cyber Command. Stuxnet lives on: its code is widely available on hacker websites. Iran, Israel and the US are not the only combatants in the new cyberwar. For years, Chinese operators seeking valuable business secrets have hacked tech companies, banks, law firms and other entities in the US, Japan and Europe. Chinese hackers target defense contractors and the Pentagon, prying into weapons programs such as the Patriot missile system and the F-35 Joint Strike Fighter. They have turned on a computer's microphone and camera to spy on sensitive meetings. As of 2012, the value of the stolen secrets was estimated at $250 billion.
Chinese hackers favor "spear-phishing" attacks. An email that appears to come from someone the recipient knows arrives in the morning, when the target might not be alert enough to notice that a familiar name accompanies an unfamiliar email address. Or it arrives just before a long weekend, when the victim is hurrying to get out of the office. When the user opens the attachment or clicks the link, the malware takes control of the computer. As it spreads through the network, it gains access to more and more systems and files.
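The tell-tale sign named above, a familiar display name paired with an unfamiliar address, is something a mail gateway or an analyst's triage script can check mechanically. The following is an added example, not code from the page or from any product it mentions: it parses a From header, looks the display name up in a (constructed) address book, and flags a known name that arrives from an address the book has never seen, a same-domain mailbox that differs from the usual one, a look-alike domain, or a display name that is itself an email address. The address book, the confusable-character table and the sample headers are all assumptions made for illustration.

```python
"""Flag display-name spoofing in From headers (added example; inputs are constructed)."""
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed address book: normalized display name -> addresses seen before.
ADDRESS_BOOK = {
    "alice liddell": {"alice.liddell@example.com"},
    "bob tanner": {"bob@example.com", "b.tanner@partner.example.org"},
}

# Common digit-for-letter substitutions used in look-alike domains (assumed list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _norm_name(name):
    return " ".join(name.replace(",", " ").split()).lower()


def _norm_domain(domain):
    return domain.lower().translate(CONFUSABLES)


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from(header_value, address_book=ADDRESS_BOOK):
    """Return (verdict, reason); verdict is 'ok', 'unknown' or 'suspicious'."""
    decoded = str(make_header(decode_header(header_value)))  # handles RFC 2047 names
    name, addr = parseaddr(decoded)
    addr = addr.lower()
    if "@" not in addr:
        return "suspicious", "unparseable sender address"
    if "@" in name:
        # Display name masquerading as an address, e.g. "ceo@corp" <x@evil>.
        return "suspicious", f"display name {name!r} looks like an address"
    known = address_book.get(_norm_name(name))
    if known is None:
        return "unknown", "sender name not in address book"
    if addr in known:
        return "ok", "name and address match"
    domain = addr.split("@", 1)[1]
    known_domains = {a.split("@", 1)[1] for a in known}
    if domain in known_domains:
        return "suspicious", f"known name, usual domain, new mailbox {addr!r}"
    for kd in known_domains:
        if _norm_domain(domain) == _norm_domain(kd) or _edit_distance(domain, kd) <= 2:
            return "suspicious", f"look-alike domain {domain!r} for {kd!r}"
    return "suspicious", f"known name with unfamiliar address {addr!r}"


if __name__ == "__main__":
    # Constructed sample headers.
    for h in ['"Alice Liddell" <alice.liddell@example.com>',
              'Alice Liddell <alice.liddell@exampIe.com>',
              '"Bob Tanner" <bob.tanner@mail.example.net>',
              '"alice.liddell@example.com" <mailer@evil.example.net>',
              'Carol <carol@example.com>']:
        print(classify_from(h))
```

The check is deliberately conservative: "unknown" senders are not flagged, since most legitimate first contacts look exactly like that, while the combination the text singles out (a name the recipient trusts with an address the recipient has never seen) always is.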
Paying a hacker to steal secrets can be a cheap way to gain valuable business intelligence. Consider Su Bin, a Chinese national living in Canada who was indicted in the US in 2014 for stealing military secrets. He targeted several military aircraft programs, amassing hundreds of thousands of documents, including drawings, wing measurements and flight-test data for the C-17 military transport aircraft. US taxpayers had invested $3.4 billion to develop the C-17; Su Bin's project to steal 630,000 related documents cost a mere $450,000.
In 2012, The New York Times and Bloomberg reported details of Chinese leaders' wealth. Edward Snowden's 2013 disclosures showed that the US National Security Agency (NSA) collected metadata on millions of Americans' phone calls and spied on US allies in Europe, Brazil and India. Snowden's leak complicated US diplomatic relations with Russia, which granted Snowden asylum, and with China. Seeking less American control over cyberspace, China and Russia called for the United Nations to oversee the Internet. In 2015, China launched a DDoS attack on GitHub, which hosted pages that helped Internet users get around the Great Firewall, China's censorship system.
Cyberwar remakes old assumptions about national security and military engagement. Old metrics such as troop numbers or missile inventories are outdated. Cyberwarriors are not as easy to count as nuclear weapons or naval warships. And unlike in the Cold War, when the US and the Soviet Union were the only powers capable of inflicting serious damage, cyberwar is inexpensive. Any nation might emerge as a threat, and the identities of the true combatants are never quite clear. A 2015 attack on the French broadcaster TV5Monde appeared to come from the Islamic State, but investigators later attributed it to Russia, whose motives remain unclear. Such "false flag" attacks illustrate the difficulty of telling the sides apart in cyberwar. Sometimes no group claims responsibility at all: a 2014 attack on US financial institutions might have been Russia retaliating for US-imposed sanctions, but US officials were not certain.
Cyberwar's costs can be difficult to measure. In April 2013, for instance, the Syrian Electronic Army hijacked the Twitter account of the Associated Press and posted a false report of explosions at the White House that had injured President Obama. Within minutes, US stocks lost more than $100 billion in value, though they recovered once it became clear the report was a hoax. Cybersecurity also muddies the boundaries between the public and private sectors. The US technology industry relies on privately owned telecommunications networks, on programmers and engineers who work for private companies, and on security software that private companies develop, so nation-states fight each other on mostly private turf. The revelations about the NSA's cyberspying created a rift between the two sectors; many in Silicon Valley regard US spying as a betrayal. In another twist, the economies of China and the US depend on one another: nearly a quarter of Apple's revenue in the first quarter of 2015 came from consumers in China.
Twitter is a propaganda tool. The 2012 Gaza conflict was "the first Twitter war": spokesmen for Israel and Hamas each posted up to 90 times a day. Hamas posted photos of people who had been killed and of buildings that air strikes had destroyed. Israel used Twitter to demonstrate its army's restraint and worked with volunteers to respond to anti-Israel Facebook messages. For both sides, "much of the social media played to the base, appealing to supporters and doing little to convince the other side or to sway neutral or uncommitted observers." Another important development was that Twitter became an indispensable vehicle for journalists covering the region.
The notion of “American Internet exceptionalism” is a profound – and logical – belief. The US created the Internet, leads online innovation and profits from those innovations. Google, Facebook and Twitter are US companies, and US websites dominate web traffic from India to South Africa to Brazil. An email from Peru to Brazil passes through the US. But, as the Internet spreads across the world, cyberspace becomes a decidedly less-American place.
Hundreds of millions of people in China, Latin America and elsewhere have yet to connect to the Internet. As these untapped users log on, the balance of power in cyberspace will gradually shift away from the US. Such a shift cannot come soon enough for European critics of US tech-sector dominance. The European Commission launched an antimonopoly investigation into Google, and French skeptics use the acronym GAFA for the all-powerful foursome of Google, Apple, Facebook and Amazon. The Snowden revelations, which included US spying on Chancellor Angela Merkel, led to a push for "made-in-Germany" email systems that would let Germans communicate online without relying on American networks and firms. China is the only country that can rival the US in its number of users and its willingness to apply technical expertise to political goals. It is one of the most aggressive cyberattackers, and its control of its domestic Internet stands in stark contrast to the US free-for-all: China requires citizens to register social media accounts under their national identification numbers, leaving them no online anonymity.
North Korea is a "technological backwater," but it grabbed headlines with the 2014 cyberattack on Sony Pictures. The strike came as Sony was about to release The Interview, a film depicting the fictional assassination of North Korea's leader. The attackers, whom the FBI attributed to North Korea, publicly released Sony's private emails and financial projections. They threatened physical violence against theaters, and Sony initially canceled the film's release. After President Barack Obama criticized the decision as a capitulation, Sony released the film to some theaters. The hack cost Sony Pictures an estimated $35 million. Soon afterward, North Korea's modest web presence was knocked offline by what appeared to be a DDoS attack; US officials never confirmed responsibility. When US officials asked China to impose sanctions against North Korea, Chinese officials said the US lacked clear evidence of North Korea's involvement.
The era of cyberwarfare arguably began in 2007, when Estonian government websites came under attack after Estonia moved a statue of a Red Army soldier that reminded Estonians of Soviet rule. Moscow saw the move as an affront. The attackers crippled the Estonian parliament's email and posted a forged letter of apology for the decision on a political leader's site. Next came spam and botnet attacks: computers worldwide flooded Estonian websites with traffic, and banks and media companies could not operate under the onslaught. The attacks intensified and forced as many as 58 Estonian websites to shut down temporarily. Moscow never took credit, but Estonian investigators traced some of the activity to the Kremlin. Russia, or whoever was responsible, halted the attacks after a few weeks. Estonia's economy suffered no lasting damage; the major fallout was psychological, since Estonians now knew their communication lines were vulnerable.
Later, when tensions between Russia and Ukraine intensified, Ukrainian government agencies and businesses found themselves under cyberattack. Moscow did not admit involvement, but circumstantial evidence pointed to Russia. Ukrainian hackers, known for their skills, retaliated, hitting the websites of the Kremlin, Russia's foreign ministry and Russia's central bank. They also broke into servers of the Russian Interior Ministry and used closed-circuit television feeds to watch Russian troop movements and weapons.
Hacking the Internet of Things
Cyberwar's victims usually reside in cyberspace: hackers cripple a website, spread misinformation or steal secrets, but they do not wreak physical damage. That could change. Consider cars. Software increasingly operates control systems as crucial as the brakes and the accelerator, and since software systems are vulnerable, hackers can reach a car through several access points, such as keyless entry, navigation or emergency-assistance systems. Security researchers Charlie Miller, a former NSA analyst, and Chris Valasek first demonstrated taking control of a Ford Escape and a Toyota Prius from a laptop wired into the cars' diagnostic ports, and in 2015 they remotely commandeered a Jeep Cherokee over its cellular connection.
By one estimate, some 75 billion devices – everything from kitchen appliances to office equipment to manufacturing systems – will be linked to the Internet by 2020. This Internet of Things creates new levels of complexity for those enforcing cybersecurity and creates new opportunities for cyberspies. This new world order might also allow far greater surveillance of individuals by governments. A UCLA engineer notes that ever-cheaper data storage could allow public officials to record and catalog everything that happens online.
Corporate espionage is a booming business. Victims often do not know they have been breached. In 2013, US authorities notified some 3,000 American firms of breaches of their systems. Attackers typically lurk inside a company's network for a long time before discovery; one industry survey put the median at 205 days. If private companies are slow to catch intruders, they are in even less of a hurry to announce their security failures, and they remain tight-lipped because little compels them to reveal data breaches. Dow Chemical, General Electric and Johnson & Johnson are among the blue-chip companies that have suffered hacking attacks. Google, Yahoo and the antivirus firm Symantec have also reported breaches.