The scariest thing about cyberwarfare
A new report by Bloomberg News about Russia being suspected of hacking a dozen US power plants, including a nuclear one, is far more serious than any possible attempt to influence an election. It could be a sign of something even scarier: two military superpowers stepping up a cyberwar in the shadows and without rules of engagement that protect civilians from other kinds of warfare.
Attacks on power grids have a potential for mass destruction. A temporary power outage doesn’t appear to be all that threatening compared with the use of chemical, biological or nuclear weapons, but blackouts kill people even when they don’t last long. A lasting power grid breakdown could be an apocalyptic scenario, with hospitals and other critical services running out of fuel for reserve generators and unable to obtain it easily; traffic, food and water supplies disrupted; urban life plunged into chaos. And that’s before we even think of nuclear power plants getting out of control.
There is a pervading myth that nuclear facilities are “air gapped”—or completely isolated from the public internet—and that this protects them from cyber attack. Yet not only can air gaps be breached with nothing more than a flash drive (as in the case of Stuxnet), but the commercial benefits of internet connectivity mean that nuclear facilities may now have virtual private networks and other connections installed.
Stuxnet was the malware the US used in its most successful hacking operation to date, the crippling 2010 attack on the Iranian nuclear programme. It’s openly celebrated now as an example of what the US can do to an adversary’s infrastructure if it sets its mind to it. Paranoid security professionals in Russia and elsewhere have long worried about factory-installed backdoors in American-made software and equipment. National Security Agency leaker Edward Snowden revealed a range of such physical and software-based implants.
If Russia is behind the power plant hacks, they could very well be responding to US threats to deploy “implants” in important Russian networks. According to a recent Washington Post report, then president Barack Obama ordered the use of implants on Russian networks that would cause “pain and discomfort if they were disrupted”.
Russia appears to be eager to demonstrate—without admitting it—that it has a similar capability. There’s circumstantial evidence that it has messed with the Ukrainian power grid, causing two brief blackouts. The current attacks on US power plants can only loosely be attributed to any state agents, let alone to Russia, but they reportedly match the profile of earlier attacks by a hacker group which has targeted energy companies in Russia’s adversary nations.
I’ve long written that I consider the story of Russian meddling in last year’s US presidential election overblown. If the actual voting and tabulation weren’t affected—which no one appears to doubt—Americans made up their own minds how to vote; propaganda and the release of stolen emails, Russian or not, are par for the course in election campaigns. Only strong evidence of collusion between Donald Trump’s campaign and the Russian intelligence services could make this a national security problem.
Attacks on civilian services, and especially on nuclear plants, are a different matter. They are unambiguous acts of war. It is known that the US is capable of them, and it would stand to reason that Russia wouldn’t let itself be outdone. Nor would China and smaller players such as Israel or North Korea. And yet there are no rules of engagement for countries that have the capability to shut off each other’s power grids or, say, traffic light systems. There’s no cyberwar equivalent of the Geneva and Hague conventions, which set rules for the treatment of civilians and ban certain kinds of cruel weapons.
In the so-called Tallinn Manual, originally published in 2013, a group of experts working for the North Atlantic Treaty Organization (Nato) attempted to lay down some rules, warning against attacks on critical infrastructure. It specifically named hospitals and nuclear power plants as facilities that should be out of bounds. But the manual is not even an official Nato document.
In February, the United Nations Security Council unanimously adopted Resolution 2341 calling on states to arm themselves against terrorist attacks on critical infrastructure. But what about such attacks initiated by other governments, not terror groups? It’s time there were some internationally recognized principles that applied to them, defining, for example, what constitutes an attack, what response is permissible, and what can and cannot be done to civilian networks. It would be helpful to establish some international attribution mechanism; a nation’s intelligence services cannot be trusted to make an assessment that would be used to justify international sanctions.
Conventions have often been broken in wartime. Some countries still make and use chemical and biological weapons, even if they won’t openly admit it. Some militaries mistreat prisoners and kill civilians. But rules of engagement are still useful: most belligerent parties aim to act honourably and avoid being branded as war criminals. Official cyberwar rules wouldn’t stop attacks, but they would define unacceptable behaviour for all concerned. These rules are necessary before the US, Russia and China go after each other with all they’ve got, which is more than we know. Bloomberg View
Leonid Bershidsky is a Bloomberg View columnist.
Comments are welcome at firstname.lastname@example.org