A decade ago, malware Stuxnet took over the control system for uranium enrichment in Iran and caused hardware to malfunction. A virtual entity caused damage in the material world and demonstrated that futuristic cyber weapons are real. This was not, however, the first case when critical infrastructure (CI) was physically destroyed in a cyber attack. More importantly, the attack did not result in human casualties, so the damage was not enough to politically trigger cyber arms control. Even today, after 10 years of accelerating development and innovation, cyber arms exist — while cyber disarmament does not.
In the cyber domain, finding the balance between security and non-proliferation of armaments has been problematic so far. The general debate seems limited to the definition of a cyber weapon, which diverts attention from real threat assessment. There is a belief that “cyber” always stays virtual. Stuxnet showed that this assumption is incorrect. States rely on heavily computerised control systems to operate transportation, communications, power grids, chemical and nuclear plants, medical aid, and water delivery. In 2000, an attack against the Australian company Hunter Watertech caused liters of raw sewage to spill into parks and water bodies [1]. In 2003, safety monitoring systems on a power plant in Ohio were disabled for five hours by a computer worm [2]. In Texas, right before a major storm, warning systems were switched off when an attack caused dozens of false alarms [3]. AURORA, an experiment by the United States Energy Department, successfully simulated a cyber attack that physically damaged elements of the electrical grid [4].
However unprecedented, neither Stuxnet nor the attacks before it harmed any humans, but this was not a guarantee. Spilt sewage puts local communities at health risk, and a destroyed dam can cause a devastating flood. A power shortage can kill patients in hospitals who rely on sophisticated equipment, while airplanes and trains can collide if navigated incorrectly. People can die if unprepared for a tornado, and the Chernobyl catastrophe demonstrated the disaster of a switched-off security systems at a nuclear power plant. In the long run, persistent lack of access to essential supplies and services can result in social unrest, suicide, the spread of diseases, and crime.
Confusion regarding the scope of cyber warfare prevents constructive assessment of the threat. The International Telecommunications Union (ITU) Secretary General Hamadoun Toure called for a cyberspace peace treaty in 2009, which was backed by Russia and China [5]. However, the treaty concerned acts of using information and ideology to undermine other states [6]. The weapon of cyber warfare is technology — not information. The treaty was predictably blocked by liberal democracies, as it entails control over the Internet and the use of censorship, which is unacceptable in some states. Also, such an approach should not make actual cyber weapons seem benign. Between 2016 and 2018 water systems in Yemen were damaged through conflict and caused a cholera outbreak, killing 2,200 people [7].
A non-proliferation treaty would create a dialogue to clarify categories and definitions. All previous attempts, however, faced the same obstacles. Disarmament is linked to overcoming a security dilemma. Considering the lack of clarity and consensus, incentives to enter the treaty look weak at best. The former director of the United Nations Institute for Disarmament Research in Geneva, Theresa Hitchens, claimed that states with more intelligence about cyber vulnerabilities are less likely to share this information with others [8]. So, how can one build trust in cyberspace? In fact, every obstacle is also an opportunity. Critical infrastructure is complex and extremely difficult to protect, therefore static defensive deterrence is not acceptable for a majority of states. The illicit market for cyber weapons is bigger and more difficult to control than for any other weaponry. Finally, the same technology can be used for non-lethal crime and destructive attacks.
Several commitments could be mutually beneficial and simultaneously tighten control over state-on-state offensives. States can agree not to store and create backdoors in manufactured goods and to share knowledge about vulnerabilities. Additionally, they can pledge not to allow their territories to be launch pads for cyber attacks [9]. With efficient information sharing in place, protection against domestic criminals may come from abroad. Lastly, as most of CI is owned by the private sector [10], this is an opportunity for them to step in where states are hesitant. CI operators could collaborate to lobby a treaty aimed to control cyber weapons and ensure business continuity.
In any case, reaching consensus over the treaty is realistic and long overdue. Cyber weapons are meant for targeted destruction, but they will be indiscriminate when it comes to human loss. It is practically impossible to control who drinks from certain water sources, who will be affected by radiation or drowned, or who will be on a specific train or plane. And while indirect civilian casualties are difficult to identify and count, they do not matter less.
Finally, even if development and deployment of cyber weapons takes a long time, destructive retaliatory attacks may happen simply as a proof of capability. This way, the most indiscriminate form of warfare will start, where the military are calling the shots and civilians suffer in masses.
SOURCES
[1] Collins, S. & McCombie, S. 2012, "Stuxnet: the emergence of a new cyber weapon and its implications", Journal of Policing, Intelligence and Counter Terrorism, vol. 7, no. 1, pp. 80-91.
[2] Ibid.
[3] Rosenberg, E. and Salam, M., 2017. Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say. [online] Nytimes.com. Available at: https://www.nytimes.com/2017/04/08/us/dallas-emergency-sirens-hacking.html [Accessed 25 April 2020].
[4] Carr, J. 2013, "The misunderstood acronym: Why cyber weapons aren't WMD", Bulletin of the Atomic Scientists, vol. 69, no. 5, pp. 32-37.
[5] Gjelten, T. 2010, "SHADOW WARS: Debating Cyber 'Disarmament'", World Affairs, vol. 173, no. 4, pp. 33-42.
[6] Ibid.
[7] Gleick, P.H. 2019, "Water as a Weapon and Casualty of Conflict: Freshwater and International Humanitarian Law", Water Resources Management, vol. 33, no. 5, pp. 1737-1751.
[8] Weber, R. 2018, "Former UN disarmament official offers plan for mediating cyber tensions among major powers", Inside Cybersecurity, [Online].
[9] Gjelten, 2010.
[10] Weber, 2018.