Nations can take advantage of anonymity and deniability while conducting military campaigns in cyberspace, enabling a type of “clean coercion” warfare. The number and sophistication of cyberattack campaigns by nations will continue to increase because they minimize the need to risk military personnel or costly equipment. Unlike personnel and equipment, computer code may be instantly redeployed to any area, and because code is reusable, it offers a practically bottomless magazine for future attacks.
News reports now describe cyberattacks that can result in severe physical damage to facilities and equipment, and a tendency has arisen for the media to compare malicious cyber code to weaponry. But, what is the definition of a weapon, and how can we more clearly identify when a cyberattack should be correctly labeled as a “cyber weapon”?
Each U.S. military service has its own written definition for what comprises a weapon. However, a “weapon” must also meet international legal standards. The Hague and Geneva conventions describe how a “capability” that is called a weapon cannot legitimately be used by the military until after a legal review. These conventions are intended to protect the civilian population from unnecessary suffering during a war. The “Tallinin Manual on International Law Applicable to Cyber Warfare” was developed after a series of cyberattacks were directed against Estonia in 2007, causing extensive disruption to civilian services. This manual defines a cyber weapon as a “cyber means of warfare” that is capable, by design or intent, of causing injury to persons or objects. So, if there is intentional injury, or if computer functionality is intentionally disrupted through a cyberattack, then we might be experiencing a cyber weapon.
With most cyberattacks, however, the attribution and intention may be unknowable. In addition, cyberattacks often create cascade effects that were outside the original intentions of the attacker. However, reverse-engineering and analysis of malicious code used in recent sophisticated cyberattacks have revealed four common characteristics that help provide a clearer and more useful definition for a cyber weapon:
- A campaign that may combine multiple malicious programs for espionage, data theft, or sabotage.
- A stealth capability that enables undetected operation within the targeted system over an extended time period.
- An attacker with apparent intimate knowledge of details for the workings of the targeted system.
- A special type of computer code to bypass protective cybersecurity technology.
The most frequently discussed example of a state-sponsored cyber weapon attack resulting in physical damage involved a years-long campaign of stealth, data theft and sabotage targeting the nuclear program in Iran. Malicious programs, given names such as Flame, Duqu, and Stuxnet and reportedly created by the same design team of hackers, were crafted to steal sensitive information, monitor internal messages and then disrupt and disable targeted industrial control systems for a specific type of centrifuge equipment in a special nuclear facility in Iran. The entire campaign may have been in operation secretly from 2006 through 2010 before being discovered by security personnel working outside Iran. Analysts agree that such a sophisticated and long-running cyber campaign showed that the designers of the malicious code had acquired an intimate knowledge of the targeted systems before launching the cyberattacks.
A recent cyberattack that resulted in physical damage occurred in 2014, when the German Federal Office for Information Security (BSI) reported that a steel mill suffered severe damage and forced a shut down due to a cyberattack that caused heavy equipment to go out of control. Analysts have concluded that the attack was effective primarily because the unknown hackers had an intimate knowledge of the workings of the steel mill plant, according to BBC News.
Technologies used for cybersecurity defenses are becoming less reliable in providing adequate protection as attacks become more sophisticated. A major cause of this reduced effectiveness is the zero-day exploit, which is a type of computer code specially designed to defeat protective cybersecurity controls.
A ZDE is added onto the larger malicious payload of a cyber weapon and is designed to take advantage of a vulnerability that is new and unknown within the targeted system. A ZDE is able to bypass or temporarily suspend the operation of protective technology used for cyber security controls, and thus it can open a targeted computer system so the malicious payload can enter and begin its mission. Many highly skilled hackers around the globe work diligently to discover computer system vulnerabilities that allow creation of newer ZDEs. These hackers are motivated because ZDEs can be sold for large amounts to bidders such as nation states or extremists. The ZDEs that are discovered by hackers are growing in numbers as software systems become more complex, making them an important player in current and future generation cyber weapons.
A cyber weapon campaign can also have problems of control. Although Stuxnet operated undetected, it reportedly was secretly updated several times to add new functionality. However, the code unexpectedly escaped the confines of the Iranian uranium enrichment facility, and since that time instances of Stuxnet infections have been detected in facilities operating in many countries outside of Iran. However, the equipment in other countries escaped damage because the Stuxnet payload was designed to attack only the specific equipment inside the nuclear facility in Iran. Future cyber weapons that are not as carefully designed as Stuxnet could spread unexpectedly and cause unintended collateral damage to facilities in other countries.
The Stuxnet cyber weapon campaign caused Iran’s nuclear program to suffer a setback, but one that lasted only a short time. Since the attack was discovered, Iran has taken steps to increase management of its security and has revived its capabilities for enrichment of nuclear materials. Future generation cyber weapons will undoubtedly take greater advantage of opportunities that are expanding as more intimate knowledge about designs and vulnerabilities for equipment and facilities becomes available over the internet. Future targets will likely include complex military weapon systems, along with command and control (C3/C4 Computer) systems, or even missile defense systems.
As another example of growing vulnerabilities for sophisticated military equipment, the Defense Science Board reportedly has given the Pentagon a classified list of U.S. military weapons systems where designs were stolen by cyber espionage. The list includes designs for the advanced Patriot missile system, known as PAC-3, according to the Washington Post. A separate report, also available on the Internet, shows research on vulnerability analysis of U.S. national missile defense software, including the PAC-3 Patriot Missile System.
It is clear that cyberattacks are becoming more sophisticated, and when the following characteristics are combined, it is fair to label the attack code a cyber weapon:
(a) use of ZDEs to bypass cybersecurity technology;
(b) use of a coordinated campaign of malicious programs for espionage, theft and sabotage;
(c) use of stealth to prolong malicious operations; and
(d) an attacker with apparent intimate knowledge of the workings of the targeted system – then the attack code can be labeled as a cyber weapon.
As more information describing details and possible vulnerabilities of sophisticated civilian and military equipment is acquired through cyber espionage, or is published openly, these systems may become the targets for future generation cyber weapons. The Stuxnet example has shown that future generation cyber weapons can go out of control, with unpredictable consequences.
While there has been no reported loss of life directly linked to cyberattacks, there is a growing temptation for nations to view cyber weapons as a “cleaner” form of warfare, to be favored over, or perhaps even replace, traditional negotiations that can be prolonged or frustrating. However, the next generation of cyber weapons will increasingly target and destroy physical equipment in industrial and military facilities, and the time may come when we also begin to see human casualties.