Not so long ago, stories about cyberwar started with scary hypotheticals: What if state-sponsored hackers were to launch widespread attacks that blacked out entire cities? Crippled banks and froze ATMs across a country? Shut down shipping firms, oil refineries, and factories? Paralyzed airports and hospitals?
Today, these scenarios are no longer hypotheticals: Every one of those events has now actually occurred. Incident by catastrophic incident, cyberwar has left the pages of overblown science fiction and the tabletops of Pentagon war games to become a reality. More than ever before, it’s become clear that the threat of hacking goes beyond nuisance vandalism, criminal profiteering, and even espionage to include the sort of physical-world disruption that was once possible to accomplish only with military attacks and terroristic sabotage.
So far, there’s no clearly documented case of a cyberwar attack directly causing loss of life. But a single cyberwar attack has already caused as much as $10 billion in economic damage. Cyberwar has been used to terrorize individual companies and temporarily render entire governments comatose. It’s deprived civilians of basic services like power and heat—if only briefly, so far—as well as, for longer periods, transportation and access to currency. Most disturbingly, cyberwar seems to be evolving in the hands of countries like Iran, North Korea, and Russia as they advance new disruptive and destructive cyberattack techniques. (The US and the rest of the English-speaking Five Eyes nations likely possess the most advanced cyberwar capabilities in the world, but have by all appearances shown more restraint than those other cyberwar actors in recent years.)
All of which means the threat of cyberwar looms heavily over the future: a new dimension of conflict capable of leapfrogging borders and teleporting the chaos of war to civilians thousands of miles beyond its front.
The History (and Meaning) of Cyberwar
To understand the unique threat cyberwar poses to civilization, it’s worth first understanding exactly how the word has come to be defined. The term cyberwar has, after all, gone through decades of evolution—well chronicled in Thomas Rid’s history of all things cyber, Rise of the Machines—which has muddied its meaning: It first appeared in a 1987 Omni magazine article that described future wars fought with giant robots, autonomous flying vehicles, and autonomous weapons systems. But that Terminator-style idea of robotic cyberwar gave way in the 1990s to one that focused more on computers and the internet, which were increasingly transforming human life: A 1993 article by two analysts at the think tank RAND titled “Cyberwar Is Coming!” described how military hackers would soon be used not only for reconnaissance and spying on enemy systems but also attacking and disrupting the computers an enemy used for command-and-control.
A couple of years later, however, RAND analysts would start to realize that military hackers wouldn’t necessarily limit their disruptive attacks to military computers. They might just as easily attack the computerized and automated elements of an enemy’s critical infrastructure, with potentially disastrous consequences for civilians: In a world increasingly reliant on computers, that could mean debilitating sabotage against railways, stock exchanges, airlines, and even the electric grid that underpins so many of those vital systems.
Hacking didn’t need to be confined to some tactic on the periphery of war: Cyberattacks could themselves be a weapon of war. It was perhaps that definition of cyberwar that President Bill Clinton had in mind in 2001 when he warned in a speech that “today, our critical systems, from power structures to air traffic control, are connected and run by computers” and that “someone can sit at the same computer, hack into a computer system, and potentially paralyze a company, a city, or a government.”
Since then, that definition for cyberwar has been honed into one that was perhaps most clearly laid out in the 2010 book Cyber War, cowritten by Richard Clarke, a national security advisor to Presidents Bush, Clinton, and Bush, and Robert Knake, who would later serve as a cybersecurity advisor to President Obama. Clarke and Knake defined cyberwar as “actions by a nation-state to penetrate another nation’s computers or networks for the purpose of causing damage or disruption.” Put more simply, that definition roughly encompasses the same things we’ve always identified as “acts of war,” only now carried out by digital means. But as the world was learning by the time Clarke and Knake wrote that definition, digital attacks have the potential to reach out beyond mere computers to have real, physical consequences.
The first major historical event that could credibly fit Clarke and Knake’s definition—what some have dubbed “Web War I”—had arrived just a few years earlier. It hit one of the world’s most wired countries: Estonia.
In the spring of 2007, an unprecedented series of so-called distributed denial of service, or DDoS, attacks slammed more than a hundred Estonian websites, taking down the country’s online banking, digital news media, government sites, and practically anything else that had a web presence. The attacks were a response to the Estonian government’s decision to move a Soviet-era statue out of a central location in the capital city of Tallinn, angering the country’s Russian-speaking minority and triggering protests on the city’s streets and the web.
As the sustained cyberattacks wore on for weeks, however, it became clear that they were no mere cyberriots: The attacks were coming from botnets—collections of PCs around the world hijacked with malware—that belonged to organized Russian cybercriminal groups. Some of the attacks’ sources even overlapped with earlier DDoS attacks that had a clear political focus, including attacks that hit the website of Garry Kasparov, the Russian chess champion and opposition political leader. Today security analysts widely believe that the attacks were condoned by the Kremlin, if not actively coordinated by its leaders.
By the next year, that Russian government link to politically motivated cyberattacks was becoming more apparent. Another, very similar series of DDoS attacks struck dozens of websites in another Russian neighbor, Georgia. This time they accompanied an actual physical invasion—a Russian intervention to “protect” Russia-friendly separatists within Georgia’s borders—complete with tanks rolling toward the Georgian capital and a Russian fleet blockading the country’s coastline on the Black Sea. In some cases, digital attacks would hit web targets associated with specific towns just ahead of military forces’ arrival, another suggestion of coordination.