I hope that most people have heard of the Stuxnet (Wikipedia, but the best description I have found) worm that supposedly infected and crippled Iran’s illicit nuclear program last year. It is supposedly the new wave of warfare, with faceless hackers in another country sending hordes of worms and viruses to cripple the enemy nation’s electronic infrastructure. The Pentagon has just completed a policy that supposedly says that an act of computer sabotage can be considered an Act of War under certain conditions. I wonder if the threat of cyberwarfare is as dire as it is made out to be?
There are several attacks in recent years to draw lessons from. There is the Stuxnet worm attack, the attacks on Georgian government and banking websites during their war with Russia in August 2008, and the attacks on Baltic states’ government and banking sites in 2007 and 2008.
The most notable, of course, is the Stuxnet attack last year against Iran, which reportedly was designed to attack industrial control systems built by Siemens AG of Germany. Stuxnet was supposedly responsible for disabling an Indian satellite and also disabled some of Iran’s nuclear centrifuges. All that aside, the actual extent of the physical damage caused by Stuxnet is still up in the air. It caused no small amount of hair-pulling, and plenty of ink and digits were spilled reporting on it. A simple Google search for Stuxnet returns almost 4 million results.
The attacks on Lithuanian and Estonian sites were mostly distributed denial of service (DDoS) attacks, in which the chosen sites were bombarded with so much traffic that they shut down, along with attacks in which the sites themselves were hacked and had content replaced. However, they did not do much damage beyond the economic damage caused by businesses losing their online presence.
The Russo-Georgian War of 2008 saw essentially the same kinds of attacks as Lithuania and Estonia had seen: massive DDoS attacks with some website hacks. ZDnet did a fairly in-depth analysis of the nature of the attacks; there is also an excellent study of the Georgian attacks done by Project Grey Goose here.
What I have not found out about cyber-attacks other than Stuxnet is that generally it means that websites are forced to shut down or to move to different servers. There is economic damage and dislocation. For example, some Lithuanian banks had to close online banking access for a period of hours during the attacks there; the same happened in Georgia. The question is how much damage actually occurred. What I see is mostly that cyber-attacks let the hackers get their message out; this can be important given the connected nature of modern society. However, DDoS attacks cannot be decisive in themselves. They play to a larger scheme of controlling information, which, while important, is not decisive in warfare. Stuxnet and similar attacks have the capability to be more destructive. They are definitely cause for alarm, and efforts should be made to shield electronic control systems from hackers; probably the best way is to maintain them on secure networks and continually monitor them for unauthorized changes. Vulnerabilities will remain, however, as the US government discovered when their secure network was compromised a few years ago, resulting in the banning of the use of all removable media on the secure network.
The bottom line is that cyber-attacks have been used and, as Stuxnet shows, the threat is evolving. While it is probably not as bad as some prophets of doom would have us believe, attention to cyber security is warranted and should be taken seriously. Terrorists would probably love to get their hands on the electronic controls to a nuclear plant. Vigilance is necessary, and cyberwar highlights the ever-evolving nature of warfare.