US President Joe Biden, in late June 2021, warned that cyber-attacks could escalate into a full-blown war as tensions between the US on one side, and Russia and China, on the other, had mounted over a series of hacking incidents targeting US government agencies, companies, and infrastructure. In 2011, the Pentagon decided that cyber-attacks constitute an act of war that may require a traditional military response. This threat, however, was not carried out so far.
Mounting Cyber-Attacks on Critical Infrastructures
Cyber-attacks pose a growing threat to critical infrastructures in states. The situation stokes fears that the widening scale and impact of such attacks would lead to a full-scale war between states.
The following are some of the most recent significant cyber-attacks:
1. Colonial Pipeline cyber-attack:
In May 2021, a cyber-attack hit Colonial Pipeline, an oil pipeline system that carries gasoline, diesel, and jet fuel from Houston, Texas, to New York and the East Coast of the United States, fell prey to a cyber-attack that forced the company to shut down the pipeline system, which serves more than 50 million consumers in the Southeastern United States.
The US was previously targeted by similar attacks. The Biden Administration blamed Russia and imposed economic sanctions on Moscow and expelled Russian diplomats. Although President Biden refrained from directly blaming the Kremlin, he said Moscow has some responsibility to deal with the cyber-attacks that originated from Russian territory.
2. Reciprocal Israeli-Iranian attacks:
On October 26, 2021, a cyber-attack hit Iran’s fuel distribution system crippling the country’s 4300 stations, which took 12 days to have service fully restored. Iran responded by a cyber-attack against a major Israeli medical facility.
Moreover, Iran was blamed for a cyber-attack against Israel’s water infrastructure in 2020. Israel responded by carrying out a major cyber-attack at Iran's Shahid Rajaee port in Bandar Abbas, crippling all computer systems at the facility and forcing dozens of loaded container ships to wait just off the coast.
Remarkably, Israel’s attacks on Iran are aimed at causing chaos, popular anger and wide protests. Fuel stations across Iran were suddenly crippled and buyers encountered a message showing a telephone hotline number to Iran’s Supreme Leader Ali Khamenei and urging them to send complaints to him. Hackers also took over the billboards in Tehran and Isfahan to display a message reading “Khamenei, where is my gasoline?”.
Tehran retaliated Israeli cyber-attacks to show its ability to pose threats to Israel’s security and to try to put an end to Israeli attacks.
Inhibitors of War
All of the recent attacks were more aggressive and targeted critical infrastructures that serve a large number of civilians. Despite that, several variables come into play to prevent the current cyberwarfare from turning into an all-out war. These can be explained as follow:
1. Deniability:
No doubt, the ability to deny involvement helps keep conflict interactions taking place in cyberspace under control as well as help states slow down and exercise restraint before carrying out retaliatory cyberattacks that can escalate offensive interactions into the level of war between involved states.
Deniability refers to the difficulty of identifying attackers or perpetrators. That is because cyberwars are of a special nature, where such attacks are carried out covertly and no one would claim responsibility. In most cases, it is hard to identify the origin of attacks.
The ability to deny or hide the identity of perpetrators of cyber-attacks is sometimes a built-in capability of malware. For example, Stuxnet, which targeted Iran’s centrifuges, was programmed to delete itself and wipe out its traces making it impossible to identify attackers even after Iran analyzed the malware.
Additionally, it became difficult for states to distinguish between attacks carried out by other states and those carried out by criminal groups. In the past, cyber gangs used ransomware to get illegal funds instead of gathering intelligence or causing damage by taking over industrial control systems through attacks often carried out by groups with ties to states.
Despite that, since 2019, ransomware attacks became wider in scale, focused less on encrypting data and more on crippling industrial control systems, especially after EKANS emerged. In Early 2020, US Cybersecurity and Infrastructure Security Agency warned that such attacks could target natural gas pipeline systems.
On the other hand, although ransomware groups carry out attacks for criminal purposes or for the sake of money, their goals eventually play into the hands of certain states and serve their interests. Cybercriminal hacking group DarkSide, which was involved in the attack on the Colonial pipeline system, claimed that they are “apolitical… do not participate in geopolitics and do not need to tie (themselves) with a defined government”, their goals are identical with those of Russia which seeks to project the US government’s failure to counter a cyber-attack that pushed gas prices to a six-year high.
But on the other side, some cyber-attacks perpetrated by states are aimed at causing chaos as well as making profits. One such group is Lazarus, which was accused by the US of working for Lab 110, a North Korean military intelligence unit.
Lazarus was behind the 2017 WannaCry ransomware attack that affected as many as 300,000 computers in 150 countries. The same group was involved in the 2016 Bangladesh Bank cyber heist and stole US$81 million.
These cases show how difficult it is to distinguish between attacks carried out by states and those carried out by organized cybercrime groups seeking to make illegal money.
2- Deterrence in cyberspace:
Evidently, implementing deterrence is a tough mission because it is hard to identify attackers, which puts states in a major predicament. That is, a state carrying out a retaliatory cyber-attack can potentially, by accident, target another state that is not involved in the first place. Besides, when a state refrains from responding to a cyber-attack, it will be perceived as weak, which encourages more cyber-attacks against it, as is the case with Russia and the US.
In other situations, and upon verifying involvement of a certain state, affected states respond by carrying out an equal or stronger counter attack to show its ability to cause cyber damage and deter its enemy from continuing escalation. This was the case with reciprocal cyber-attacks between Israel and Iran, an exchange that has failed so far to put an end to cyber-attacks.
In reciprocal cyber-attacks, it is impossible for any state to identify weaknesses in its systems, an advantage enabling attackers to use loopholes to carry out their attacks. For example, in 2007, the governments of the US and the UK uncovered a large-scale series of hacker attacks that had started in 2002. China was believed to be behind the attacks.
3- Attempts to bring offensive interactions under control:
In some situations, states seeking to stop cyber-attacks, attempting to reach bilateral understandings. During a summit meeting in Geneva in June, President Biden personally warned Russian President Vladimir Putin that the US will take any necessary action to stop cyber-attacks carried out by the Russian states or those originating from Russian soil. US sectors that Biden referred to in his warning to Putin include energy, healthcare, information technology, commercial facilities, transportation, finance and the chemical industry.
The Biden Administration blamed both Russia and China, and hackers on their soils, for some cyber-attacks. US officials warned that Washington will respond to such attacks using “a mix of tools seen and unseen”. But the cyber-attacks continue unabated, which opens the door for future understandings between states that would constitute rules of cyber engagement.
4- Avoiding cyber-attacks:
It should be noted that a majority of cyber-attacks do not count as sabotage operations nor amount to large-scale destruction that can spark armed conflict. The aim is to prevent escalation to an all-out traditional military war. It can be said that cyberwars that are highly destructive and disruptive, also referred to sometimes as strategic cyber warfare, have not been waged, yet.
Despite that, the United States Cyber Command in 2016 developed a cyber-attack strategy against Iran. The detailed plan code-named Nitro Zeus is designed to wage a large-scale cyber-attack against Iran if and when diplomacy fails to curb Iran’s nuclear program and an armed conflict breaks out. The plan for a full-scale cyber war was designed to cripple Iran’s air defense systems, disrupt and degrade communications and power grid. The plan was put on hold in July 2015 after a nuclear deal was reached between Iran and the six great powers.
Like Stuxnet, planning for Nitro Zeus took years of preparation, simulation and testing of malware. Such a large-scale strategic cyber-attack would have been viewed as a use of force in international relations that can escalate to a traditional conflict in the region.
Media reports did not clarify the nature of the operation or whether it was a stand-alone strategy that can disrupt all systems in Iran without firing a single bullet or a preemptive strike that serves as a prelude to a war. Both scenarios sound relatively plausible.
In preparation for the second scenario, carrying out such a cyber-attack would have required the US Army to prepare for a traditional war against Iran, especially had Iran targeted US military bases, critical infrastructure in retaliation to that cyber-attack.
5- Cyber warfare is still limited:
Some military strategists who are skeptical about the pivotal role of cyber warfare argue that its strategic effectiveness is limited and accordingly they cannot be used to achieve the two main goals of wars: disarming the enemy’s traditional forces or permanently degrading them, and occupying or taking over certain territory.
There is another issue with cyberwarfare. Malwares are designed to target a certain state and cannot necessarily be used against all states. Additionally, unlike traditional weapons, malicious software is used over a limited duration of time. While missiles are valid for use for up to 30 years, security loopholes in systems targeted by cyber-attacks have a short life span and therefore cannot necessarily be stored to be used later when a traditional war is waged.
Doomsday Scenarios
A doomsday scenario in cyberspace refers to a massive cyber-attack against critical infrastructure in a certain state leading to the death of a large number of people whose life depends on this infrastructure. Although we earlier noted that there are inhibitors, such massive attacks cannot be completely prevented. The US was preparing for a strategic cyber-attack against Iran, which means that states now include cyber-attacks in their approaches to addressing offensive interactions.
Despite that, the ongoing evolution of cyber capabilities of a large number of actors, including states and crime groups, and their ability to manipulate critical infrastructure, the prospect of a strategic cyber war turning into an all-out war does exist in the following situations:
1. Attacks on critical infrastructures:
An attack that causes massive losses and destruction to critical infrastructure is one of the reasons why cyber offensives can turn into a full-fledged war between two states. In such scenarios, severe cyber-attacks on power grids would cause a complete outage across targeted countries, destroy the financial systems, resulting in massive economic losses and even the collapse of the economy. They can also hit transportation systems causing collision of trains and aircraft, or dams where floodgates are opened, or even target nuclear power plants causing meltdown of nuclear cores.
Although there are no signs of such attacks, the catastrophic scenario is imminent. In December 2014, South Korean nuclear research body the Korea Hydro and Nuclear Power (KHNP), a nuclear plant operator, announced that its computer systems were hit by a cyber-attack, and said that only noncritical data about nuclear plants had been leaked. No trace of any malware was detected in the control units of the nuclear plants, which means that the attack was not advanced enough to take over reactors or impact their operations to cause a nuclear leak or explosion.
However, if cyber-attacks continue to evolve, become wider in scale, and succeed in taking over nuclear reactors, such a threat will open the door for an all-out war between involved states.
2. Synchronized traditional cyber-attacks:
Such a scenario is not unlikely. In any future wars, traditional military offensives and cyber-attacks are expected to be synchronized, which is the worst scenario that most of the states are preparing to counter.
3. Disrupting all critical infrastructures:
In such a scenario, one state or more would carry out synchronized and concerted cyber-attacks to cause the collapse of power grids and energy supplies completely crippling hospitals, train systems, aircraft and financial systems in no more than 15 minutes, without the need for a single soldier or terrorist to take any action against the targeted country.
This scenario would require advanced cyber capabilities, and sufficient resources to monitor critical systems in several sectors in the targeted enemy to enable concerted attacks that are all carried out in the same moment. This, however, is not possible, yet. Despite that, such a scenario would represent a practical interpretation of what Chinese general and military strategist Sun Tzo once said: “To win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.”
In conclusion, one can note that the possession of advanced cyber capabilities by actors, whether states or organized crime groups, carrying out cyber-attacks to breach industrial control systems, will serve as a catalyst of conflicts in 2022. It will also enable them to breach and cripple critical infrastructures used by civilian sectors and armies, if states fail to reach an agreement to develop a treaty to regulate interactions in cyberspace.
