Israel and Iran appear to be engaged in tit-for-tat cyberattacks on each other’s physical infrastructure. While attacks on information technologies — phishing, denial of service, theft — have become routine, attempts to disable physical infrastructure are a troubling escalation in cyberwarfare, and experts worry that it will soon become the new normal worldwide.
Weapons of mass disruption threaten to be the great leveler in the competition between states. And, as always, the world is woefully ill-prepared for this new reality.
In April, hackers broke into Israeli water facilities, targeting programmable logic controllers that operate valves for water distribution networks, causing pumps to malfunction as well as increase the amount of chlorine added to water that goes to homes. The disruptions occurred during a heatwave; a shutdown would have been calamitous. Excess chlorine could have sickened those who drank the water. At first the attacks were thought to have been limited, but subsequent reporting in Israel revealed that dozens of installations had been targeted. Israeli experts insist that the April incidents were only the most recent in a long series of attempts.
In response, Israel launched a cyberattack on the Iranian port of Shahid Rajaee, which handles about half of Iran’s foreign trade. Chaos resulted, with trucks backed up for kilometers on nearby roads and ships being forced to stand by, neither loading or unloading cargo. After first dismissing anything unusual had occurred, Iranian officials conceded that port computer systems had been hacked.
Iranian officials denied that their country had attacked Israel, suggesting that the accusation was a fabrication to get money from the United States, while insisting that their cyber activities are all defensive. Israel never comments on its own hacks or attacks.
Officials and experts elsewhere rejected the statement and the silence, and fear that a precedent has been set. Yigal Unna, head of Israel’s National Cyber Directorate, warned that “We will remember this last month, May 2020, as a changing point in the history of modern cyberwarfare.” He concluded ominously saying that “Cyber winter is coming and coming even faster than I suspected.”
Perhaps, but it has long been anticipated. For some, the real precedent was the deployment in 2012 of Stuxnet, malware that targeted centrifuges that Iran was secretly using to enrich uranium to make a nuclear bomb. The computer worm made the machines malfunction and destroy themselves, which temporarily halted Tehran’s nuclear program. The worm is believed to have been created by the U.S. and Israel, but neither government has confirmed its role — not just because silence is routine, but because other hackers have gotten their hands on the code and used it to hack computers around the world for more mundane purposes, like extortion.
The inability to identify hackers with certainty — the “attribution problem” — is one of the attractions of cyberwar. But it’s only one reason why cyber capabilities are considered a great leveler in the competition among nations. Cyber warriors engage in “asymmetrical” warfare that is as important as that waged by ground, air or naval forces, and for countries like Iran and North Korea, they might be even more valuable. Cyber capabilities are much less expensive to develop and easier to acquire than traditional means of war-fighting and can be just as destructive. They allow countries to reach around the globe, doing damage at far greater distance than is possible in the real world.
In “Sandworm,” a disturbing study of Russian hackers, Wired writer Andy Greenberg warns of “an invisible force capable of striking out from an unknown origin to sabotage on a massive scale the technologies that underpin civilization.” A list of those technologies would include nuclear reactors, power stations, dams, financial networks, aircraft, air traffic control systems, traffic lights, hospital equipment or water systems. Imagine what would ensue if any of them went down for an extended period of time.
That future grows nearer every day. In an October 2019 survey by Siemens and the Ponemon Institute, a majority of respondents agreed that cyber threats are now more focused on operational technologies than information technologies. A March 2020 survey of 1,000 IT practitioners worldwide by Claroty, a global cybersecurity provider, revealed that almost 90 percent of respondents said they had experienced a cyber-physical security threat to critical infrastructure within the last year, and more than half had had at least two incidents.
Plainly, companies need to be prepared. Yet another study of 370 critical infrastructure providers in the five largest Western industrial economies by Greenbone Networks concluded that just 36 percent had a high level of cyber resilience. U.S. companies performed best — but only 50 percent were rated as “highly resilient.” In Japan, the number was just 22 percent.
Governments should be pushing the private sector to do more — since many pieces of critical infrastructure are public utilities, that shouldn’t be too hard. As a first step, they can develop cybersecurity standards. The U.S. National Institute of Standards and Technology (NIST) established the Framework for Improving Critical Infrastructure, a voluntary framework for use in the finance, communications, defense and energy industries, which can be adopted by all sectors, including federal and state governments. Japan should be working with the U.S. to adopt and extend that framework to promote confidence and integration between the two allies.
Japan promulgated the “Power control system security guidelines (JESC Z0004)” to maintain reliable and secure operation of power control and information systems; all Japanese utilities must follow them. Robert Potter, CEO of Internet 2.0, an Australian cybsersecurity provider, believes that “Japan has a great deal to offer the world in terms of cyber security technologies and leadership. However, Japanese companies struggle to collaborate within mutually agreed standards. The key to success sits in deepening engagement. Australia, in particular, would welcome increased Japanese collaboration on strategy and joint development.”
A next step would be to create a civilian agency to oversee cybersecurity of critical infrastructure. The U.S. only last year set up the Cybersecurity and Infrastructure Security Agency (CISA) to do just that. Among the many important tasks of such an agency is identifying “critical infrastructure”; definitions vary from country to country. CISA has 16 categories of critical infrastructure, which include chemical plants, commercial facilities, communications, critical manufacturing, dams, defense, emergency services, financial, food and agriculture, government facilities, health care and public health, and IT.
A final critical step is the development of international norms to regulate, limit or ideally prohibit attacks on infrastructure. Just as governments agreed on laws of war in the Geneva Conventions of the 20th century to set limits to government behavior in conflict — and which, remarkably, have largely been honored — they should be developing norms for 21st century warfare.
Mihoko Matsubara, chief cybersecurity strategist, at NTT Corp., argues that the Japanese government has been pushing this issue in international cybersecurity discussions. But more has to be done. “Since critical infrastructure is the foundation of our socioeconomic activities and national security and people’s well-being and lives are dependent on it, the international community and Japan need to collaborate to accelerate the establishment of international rules to prevent disruptive cyberattacks on critical infrastructure.”
While governments that see cyberwar as a great leveler are expected to oppose such an initiative, U.S. opposition is a head scratcher. After all, it is most dependent on such technologies and has the most to gain from declaring them off limits. But Washington is reluctant to pursue “a digital Geneva Convention” because it believes its capabilities are superior to those of its adversaries and it is unwilling to tie its own hands.
Historically, the U.S. has taken this position with new technologies and has invariably moved to arms control when the gap closed. U.S. strategists also argue that their government will honor those norms and adversaries will not. But the U.S. can inflict damage by other means — and in those respects, U.S. superiority is unchallenged. And when adversaries violate norms, the legitimacy of a response is easier to establish.
Something must be done, not only to end the tit-for-tat provocations between Israel and Iran — which are certain to be followed by exchanges between other countries — but to ensure that the cyber winter is delayed still further.
Brad Glosserman is deputy director of and visiting professor at the Center for Rule Making Strategies at Tama University as well as senior advisor (nonresident) at Pacific Forum. He is the author of “Peak Japan: The End of Great Ambitions.”