The Next War Will Happen in the Cybersphere, and Here's What It Will Look Like

The U.S., China and Russia are honing their cyber warfare skills in anticipation of how the next conflict will be fought

Illustration: A man typing on a computer keyboard in front of the displayed cyber code.
\ Kacper Pempel/ REUTERS

A recent New York Times report that the United States has been escalating its cyberattacks on Russia’s electrical grid infuriated President Donald Trump. He denied the allegation and lost no time in denouncing the journalists as “enemies of the people” who had committed “a virtual act of treason.” Soon enough, Trump was furious again, this time at Iran for downing an American military drone that the Islamic Republic claimed had penetrated its airspace.

Trump immediately ordered an attack on military targets in Iran, but called it off at the last moment, saying it would cause a disproportionate number of casualties. Instead he opted for a cyberattack on Iran’s missile system and the Iranian intelligence unit that Washington says helped plan the attacks on Norwegian and Japanese oil tankers in the Strait of Hormuz last month. Trump didn’t issue any denials of this cyberattack.

After the attack, the U.S. Department of Homeland Security sent a warning to the country’s energy industry about possible Iranian cyberattacks, saying Tehran had targeted factories, government oil and gas agencies, and similar targets.

>> Read more: Aborted U.S. attack exposes fatal flaw in Netanyahu’s Iran strategy: Trump’s problematic personality | Analysis ■ Top Israeli cyberattack firm, revealed ■ The war between the U.S. and Iran has begun, in case you didn’t notice | Opinion

“It’s very interesting to see a country responding with a cyberattack,” says Nir Giller, a co-founder and technology chief at CyberX, a startup specializing in cyberattacks that harm physical infrastructure.

Workers are seen in what is described by Iranian state television as an enrichment control room at a facility in Natanz, in this still image taken from video released February 15, 2012.
Reuters

“A cyberattack doesn’t follow the standard rules of war, and it can have a very widespread impact,” he says. “Unlike an aerial bombardment, which is seen as a declaration of war, a cyberattack can cause substantial damage without being the immediate pretext for the outbreak of an actual physical war.”

Washington’s recent moves against Iran were preceded by years of a cyber arms race and Cold War among the world powers. The first major cyberoffensive was carried out via the Stuxnet computer worm in 2009. Stuxnet, which was reportedly developed by the U.S. National Security Agency and the Israeli army’s Unit 8200, knocked out hundreds of centrifuges in the uranium enrichment plant in Natanz, Iran, and set back the Iranian nuclear program.

“This has the whiff of August 1945,” when atom bombs were dropped on Hiroshima and Nagasaki, says former NSA director and CIA chief Michael Hayden in the documentary “Zero Days.” He called Stuxnet a Pandora’s Box.

Since that cyberattack, the major powers, especially the United States and Russia, have been constantly improving their offensive cyberwar capabilities and could now paralyze an entire country.

“Cyberattacks are no longer rare,” Giller says. “Today there are many attacks on physical infrastructure, either in response to provocations or initiated by various actors. It’s a tool that can be used by countries as well as other groups of potential attackers. Attacks on physical infrastructure via digital weaponry are part of the world we’re living in now.”

Nir Giller
Ofer Vaknin

‘They are not afraid of us’

Cyberattacks via computer viruses have been around for years, but a turning point occurred when Russia hacked the Pentagon’s communications system in 2008, leading to the establishment of the U.S. Cyber Command. Since then, cyberattacks have continued on vital American infrastructure, with the FBI and Department of Homeland Security warning that the Russians have introduced malicious software at power stations and oil, natural gas and water companies, ready to be activated when they choose. The Obama administration opted for a passive policy – only to monitor Russian cyberactivity while refraining from any cyberattacks that could reveal America’s capabilities.

But Trump hasn’t hesitated to escalate this type of warfare. “They are not afraid of us,” Paul Nakasone, the NSA director and head of the U.S. Cyber Command since 2016, said in a Senate hearing last year, referring to the Russians. He advocated a “forward defense” approach, deep in the networks of rival powers, to make clear that the United States will respond aggressively to any attack.

Cyberattacks on Iran were also considered when Barack Obama was in office. His administration prepared the plan Nitro Zeus in the event that the nuclear talks with Iran failed. The plan called for cyberattacks on installations including Iran’s air defenses, communications systems and power grid. Meanwhile, the U.S. intelligence agencies drew up a plan to neutralize the Iranians’ Fordow nuclear plant.

Last summer, Trump signed a presidential order authorizing Nakasone to conduct offensive cyberoperations without the need for presidential approval. Meanwhile, Congress passed a law authorizing the military to undertake secret cyberactivity to protect the United States against cyberattacks. Such operations also may be approved by the secretary of defense without requiring the president’s okay.

Sources in the U.S. intelligence community say the American attacks against Russia’s electrical grid have become more aggressive in the past year. The Washington Post reported in February that during the U.S. midterm elections in November, the U.S. Cyber Command attacked the Russian company Internet Research Agency, which the Americans said was spreading disinformation in the United States, including during the 2016 election campaign.

National Security Adviser John Bolton said last month that Washington was expanding its definitions of potential digital targets in order to send a message to Russia and anyone else engaging in cyberwarfare against the United States.

Clear and present danger

The United States has many reasons to fear cyberpowers like Russia and China. It’s hard to say which country is the current leader in cyberwarfare, but the United States, Russia and Israel are all known to possess advanced offensive and defensive capabilities.

In 2014 and 2015, there were two major blackouts in Ukraine. In December 2015, more than 200,000 people lost power for between one and six hours. The blackouts were determined to have been cyberattacks; security companies that investigated blamed a group of hackers they dubbed Sandworm. The name derived from references the investigators found to the 1965 novel “Dune” — later made into a film — in the code that caused the blackouts.

A sign outside the National Security Agency campus in Fort Meade, Md., U.S., on   June 6, 2013.
Patrick Semansky,AP

The security companies believe the hacker group worked with the Russian government, but this has not been confirmed. This is one of the advantages of cyberattacks: It’s impossible to be sure who the attacker is.

“You always try to figure out the source of the attack, but that’s only possible up to a certain level,” Giller says. “It’s a game in which it’s always possible to cover your tracks. There’s a whole dynamic of attacker and defender, and within that there’s a whole world of motives, messages and deterrence.”

Cyberexperts theorize that Ukraine is Russia’s testing ground for cyberwar. In recent years, all kinds of Ukrainian entities have come under attack including the media, political organizations, the military and the financial, transportation and energy industries.

“You can’t really find a space in Ukraine where there hasn’t been an attack,” said NATO ambassador Kenneth Geers following the assault on the power grid. American intelligence officials and cyberexperts believe that the hacker group that infiltrated the grid could do the same in the United States.

Trump took pride in saying he had prevented the deaths of 150 Iranian soldiers by calling off a military strike. But cyberattacks can also cost lives; if the power outage in Ukraine had continued, water pipes in parts of the country would have frozen because pumps stopped working during the blackout. Hundreds of thousands of people could have found themselves without drinking water.

In 2014, hackers attacked a steel plant in Germany, melting the metal and massively damaging the factory. No one was hurt, but the potential was there. A petrochemical plant in Saudi Arabia was the target of a cyberattack in the summer of 2017. The assailants tried to seize control of the technology that keeps equipment operating safely and thus damage pipes and pumps. The plant’s emergency system was activated and probably prevented an explosion.

Another danger is that terror groups could get their hands on cyberwarfare tools. “As soon as a malicious tool of this kind is out in the world it may be exploited by everyone, including the sort of people it was never meant for,” Giller says. “Private hacker groups could damage any type of physical infrastructure – on a countrywide or company-wide scale, to affect energy, water and oil companies, and others.”

Two years ago, tools for cyberwarfare leaked from the NSA to the internet. This May, the city of Baltimore battled a cyberattack from an unknown source that shut down thousands of computers, prevented email from being sent and disrupted real estate deals, payment of water bills, health warnings and many other services. It was determined that the attack was being carried out with the NSA’s EternalBlue software program.

“Israel is a regular target of such attacks, but in Israel there is a lot of awareness and a lot of work going on in the field,” Giller says. “There are several cybersecurity companies, including ours, that offer solutions to protect any industrial environment.”

Still, Israeli defense officials have said Russia is responsible for the recent GPS disruptions at Ben-Gurion Airport, as part of Moscow’s attempts to protect its planes in northwest Syria. Airline pilots have complained that their planes’ navigation systems sense disruptions when they’re trying to land, and the international pilots’ association even issued a travel warning for Israel, telling pilots they must be aware of the possible risk.

The standards for the defense of vital infrastructure in Israel are very high and are set by the Shin Bet security service and government ministries. Israel also has offensive capabilities: In April 2018, a Syrian military official said his country’s air defenses had been activated by an Israeli-American cyberattack.

The industrial cyberthreat is also affecting purely commercial and nonmilitary companies. “Nowadays, companies understand the danger of industrial cybersabotage. For example, a one-day shutdown of a plant that makes soft drinks could cost a lot of money, and that becomes a significant risk factor for the company,” Giller says.

“The big fear is that with the world all so interconnected, even networks that are ostensibly disconnected from the internet are basically connected. They can be reached in different ways, such as by exploiting the human factor, where mistakes are made like plugging in cellphones and doing software updates. Some companies try to stay disconnected from the internet to reduce the hackers’ room for attack, but no company is truly disconnected.”