Cyber is the fourth dimension of war

When digital gets physical

Like many individuals of my age group, I grew up using IRC channels and FTP servers in order to have access to unlimited pirated resources such as games, applications, movies and music. I went as far as installing a modchip on my PlayStation 1 to play burned games, and was closely following underground warez groups. I was such a thug…

Hacking at that time was mostly about technical exploits and the romantic utopia that software and cultural content should be free for all.

The underground scene has since evolved quite a bit and the boundless admiration I had then has now turned to fear.

As our connected world expands each day, an evil is growling in the darkness of cyberspace. Nation states, criminal organizations, hacktivists and cyber armies are now competing to collect undetected security vulnerabilities in order to build cyberweapons.

The purpose of this? After land, sea and air, cyber is now the fourth dimension of war. It has unlimited range, high speed and low signature, and can inflict casualties similar to those of a nuclear bomb.

Welcome to World War 3.0

An increased convergence of Cyber and Physical worlds

The Internet of Things is expanding our connected realm at a crazy pace. Today, most modern countries’ critical infrastructures are, one way or another, connected and operated through computer code.

The level of chemicals within a water treatment plant is regulated by a piece of software. The same goes for most of the life-saving instruments in a hospital, for transport systems and for nuclear plants.

As soon as these infrastructures are connected, they can be disrupted, disabled or destroyed. Cutting the water supply, turning medical devices into lethal weapons and razing nuclear plants to the ground can be done from behind a laptop.

The United States (Cyber Command) and Israel (Unit 8200), worried about the Iranian nuclear program, opened Pandora’s Box by developing a sophisticated attack on the country’s main nuclear enrichment facilities.

Stuxnet, the worm they co-built, was of unprecedented complexity: twenty times the size of an average piece of code, with four zero-days and almost no bugs.

It was able to jump the Natanz plant’s air gap and remain hidden for a while, recording all the normal activity and ultimately altering the spinning speed of the centrifuges in order to destroy them. The magic of it was that Iranian engineers were unable to detect any malfunction, since they were being fed previously recorded normal data.

Stuxnet ended up destroying 1,000 of the 5,000 Iranian centrifuges.

An undeclared World War

For the first time in history, a piece of computer code accomplished what until then could only be achieved through bombing.

And when a coalition of countries targets another country’s nuclear facility, it’s an act of war.

The United States has ignited WW3 the same way it ended the previous one: with the use of a new weapon.

However, something didn’t go as planned with Stuxnet, which accidentally spread and infected millions of machines all over the world. As a consequence, the formula for a secret weapon fell into the hands of the very countries it was meant to attack.

The problem is, the US is the country whose critical infrastructures are the most connected and interconnected, and it is thus more vulnerable to cyber-attacks.

Feel the heat now?

Iran didn’t wait long to retaliate. In 2012, Iranian hackers used a DDoS attack against six major US financial institutions (two of which were Bank of America and JPMorgan Chase) and hacked into a small dam near New York. Nothing big, but a clear message: what was used against us can be turned against you.

Alex Gibney’s Zero Days reveals that Stuxnet was only a small chapter of a much larger and more frightening operation: Nitro Zeus, which basically had the capacity to utterly shut down Iran…

The question is, how many dormant mass-disruption worms such as Stuxnet are out there, and what will they target next?

Unlike any other weapon, cyberweapons can be reproduced and distributed globally at no cost. A significant number of countries and stakeholders have called for an international agreement on the nonproliferation of cyberweapons.

We might be short of a framework to reach such an agreement since most of the threats (nuclear, biological, radiological and chemical weapons) we’ve had to deal with so far were presumed to be accessible only to nation-states, while cyberweapons are widely accessible to non-state actors.

Furthermore, attribution in the cyber field is nearly impossible. In this context, what would be the point in signing such an agreement?

It took the international community more than twenty years after Hiroshima to sign a non-proliferation treaty… there is still a long road ahead of us regarding cyberweapons.