Clicks and keystrokes can now crash economies and burn governments faster than fighter jets and firearms.
So-called ‘cyber-munitions’ are technological products and protocols with both offensive and defensive capabilities, little-known to the public, and hotly debated by digital security experts. The U.S. government is currently in the process of deciding how to categorize and regulate cyber-munitions.
Traditional munitions are weapons and technologies like firearms, fighter jets, and bombs that are intended to cause physical, real-world damage. Cyber-munitions are code-based tools that can both cause real-world damage and wreck havoc in the digital realm.
Cyber-munition development has become a lucrative industry. Aliya Sternstein, writing for government security website Defense One, reported that in October the United States Cyber Command issued a request for proposals from private contractors to fill a $460 million contract that would help the government agency hire over 6 thousand new ‘cyber-warriors’. These government-paid hackers will be deployed across 133 defense agencies. While specific assignments will likely be classified, it is widely believed CYBERCOM coders will be charged with fending off attacks from Chinese and Russian-backed groups, and developing and deploying next-generation digital weapons.
The Stuxnet worm might be the most well-known offensive digital weapon. Discovered in 2010, Stuxnet was a rootkit worm allegedly developed as a part of Operation Olympic Games by the United States or a close ally that targeted industrial computer systems produced by Siemens and used to control the speed of centrifuges used to enrich uranium at Iran’s Natanz nuclear facility.
Stuxnet worked by manipulating the speed of centrifuges at Natanz in ways that were undetectable to Iranian engineers. The malware was well-cloaked and although the worm spread as many do, on the Windows operating system, the virus targeted systems with specific hardware and software profiles suspected by the Western intelligence community to be used on Iranian machines. On the vast majority of infected devices, Stuxnet lay dormant. But on machines that fit the Iranian profile, the code performed a specific and nuanced set of instructions. After the malware carried out its attack, it hid itself and became nearly invisible.
While Stuxnet is one of the most well-known tactical deployments of weaponized software, the malware is only part of the ‘cyber-munitions’ equation and may be an outlier that portends the future of cyberwar rather than a barometer of the current state of the industry.