Cyberwarfare suddenly went public late last month.
Multiple media outlets reported that President Trump had authorized U.S. Cyber Command to conduct a cyberstrike on Iran. Obviously, this isn’t the first such attack by a nation, or even by the United States, on another — the Russians, Chinese and North Koreans have their digital fingerprints on all manner of attacks here, and the U.S. government recently reportedly conducted retaliatory attacks on Russia’s Internet Research Agency for misinformation campaigns during the 2016 presidential election.
And, Iran, unarguably, makes for a deserving target: Iranian hackers were behind the 2016 incursion on the Bowman Avenue dam in New York and the massive ransomware attack that in March 2018 crippled all of Atlanta’s city government systems, and they are likely behind ransomware attacks on city government systems in Greenville, N.C., and Baltimore.
But this attack heralds a new age of Internet warfare — a likely outcome of the elevated role of U.S. Cyber Command under National Security Adviser John Bolton, who has been hinting at such a cyber offensive for a while — and is a harbinger of much more to come.
Though many previous attacks — such as the now well-known 2010 Stuxnet malware purportedly developed by U.S. and Israeli intelligence and used to damage systems controlling Iran’s fledgling nuclear program — have been widely reported on as acts of espionage, they were only accidentally discovered by security companies, never confirmed by either nation.
In contrast, this time multiple administration officials, albeit unofficially, confirmed the strike, after key White House officials such as Bolton have openly espoused the need for offensive cyberattacks, setting the stage for such actions.
So if the United States did launch this attack — and all indicators, including Iran’s telecom minister claiming that the attacks occurred but were unsuccessful, suggest that is the case — then this is a paradigm shift in the use of the Internet as an instrument of war, with likely significant consequences.
For one thing, the United States has more targets than most nations — targets that could be subject to retaliation for an attack that the government admits to carrying out. Compared to many other nations, especially adversaries such as Iran, the U.S. has more computers, more mobile and connected devices, more websites and more infrastructure that is reliant on the Internet. We also have more users going online for all manner of actives ranging from everyday communications to commercial transactions, health care management, and government operations. Much of this is exposed and vulnerable. For instance, reports from the Government Accountability Office point to thousands of vulnerabilities that remain in federal government systems, and there are many more unaccounted-for weaknesses in various state, local and corporate systems throughout the nation, which we often only learn about after a major breach.
Social-engineering attacks — phishing via email, social media, mobile and messaging —that target users directly continue to grow in intensity and sophistication. Not only is U.S. exposure to such attacks significantly greater, because we have many more users, but we also not found an effective defense against them.
Another problem is that the attack tools developed by our intelligence agencies tend to become sought-after targets for other nations that don’t have the technical depth to develop their own. This has been the case with past tools, such as Eternal Blue, developed by the National Security Agency, which was stolen and leaked by a hacker group and subsequently used by North Korean hackers to create WannaCry — the massive ransomware attack that crippled millions of computers in more than 150 nations in a matter of hours. That desire to match U.S. capabilities will only be worse after an officially confirmed attack.
After an incident like this one is made public, nations often become increasingly paranoid and engage in riskier actions to protect against attacks. For instance, shortly after the SEALs killed Bin Laden in Pakistan, their military began hiding their nuclear arsenal in unguarded delivery vans in congested civilian areas, all in an attempt to avoid being detected by our intelligence agencies. If Iran fears another cyberattack, it could simply stop using computing technology in critical areas such as protecting covert nuclear equipment, which could significantly jeopardize their safety and our ability to effectively monitor them.
Even without open cyberattacks, the United States already tends to be a convenient scapegoat for adversarial regimes wanting to distract attention away from their shortcomings. For instance, recently Venezuela’s embattled president Nicolás Maduro blamed a five-day nationwide power blackout caused by a woefully underfunded electric grid on American cyberwarfare.
Open cyberwarfare will also have a chilling effect on the continued development and use of the Internet. Already, some nations are refusing to deploy technologies developed by certain nations, while some others are attempting to develop their own software, operating systems and networks. This attack could also draw investment away from developing consumer technologies to designing cyber weapons, which will lead to a virtual arms race, with nations creating proprietary computing systems, forming closed communication networks and alliances — in essence, forming a Digital Iron Curtain.
Before things get that carried away, the world should agree that the Internet should not be used as a battlefield.
This may sound pacifistic, even far-fetched. But email, social media, search engines, even messaging platforms work better when more people use and contribute to them. As the Internet’s use worldwide has increased, so have the fortunes of the American public — who have helmed many of the virtual businesses and products that have shaped the 21st century.
The Internet is far too important to pull into warfare — not just for billions of people all over the world, but especially for Americans. The potential dangers of allowing open cyberwarfare are already clear enough. Nations shouldn’t wait until future attacks make them even clearer before they act.
*A version of this post appeared as an op-ed in the Washington Post and other publications.