When Estonia became the first nation on the receiving end of an overwhelming cyber attack 10 years ago last week, government and other critical websites and systems such as banking collapsed in one of the most internet-connected countries of the time. Widely blamed on Russia, the assault prompted Western nations – including the United States – to plow billions into improving their own cyber defenses.
If something similar happened today, it could be even more disruptive and dangerous – and also more complex. Western states, militaries and companies have made strides in building the technical ability to guard against cyber attacks. But as often with new technologies, developing the doctrine and expertise to know how to use them inevitably lags behind.
That points to a broader problem. A decade after the Estonia attack, the West’s potential enemies still have a better sense of what they want to achieve in cyberspace than the United States or its allies.
For the West, “cyber” remains a tightly defined concept, a matter of protecting nationally vital systems, keeping secrets or finding them out from potential enemies. For countries like Russia and China, however, it has become something much broader.
In the 2016 U.S. presidential election, Russia is believed to have used a combination of hacking and the dissemination of real and false news to striking effect; the same has been true in political campaigns across Europe. Many Western experts believe stealing defense and other U.S. commercial secrets has been at the heart of China’s military and economic modernization.
When it comes to technical capability, specialists at the National Security Agency and Britain’s GCHQ are as good as anyone in the world, at least as sophisticated as any hackers Moscow, Beijing, Pyongyang or Tehran might field. The same is increasingly true of military personnel in the growing number of units such as the U.S. military’s Cyber Command and designated units within the U.S. Army, Air Force and Marines.
Smaller nations are also forging ahead, particularly those in Eastern and Northern Europe that must contend with Russia. Estonia in particular has toughened its defenses, and is now seen as one of the world’s hardest countries to attack.
Both Russia and China doubtless also have talented government and military hackers. But Moscow in particular is seen as going much further, sometimes delegating attacks to criminals and others outside government. That strategy, Western experts say, allows such individuals and groups to operate with immunity providing they do not attack targets within their own nations – for example, through credit card theft – and are willing to help the state out with deniable attacks on foreign enemies when asked.
Potential targets often struggle to formulate a response to cyber attacks because identifying the source of the attacks is so difficult. U.S. authorities are engaged in a global crackdown on Russian hackers in particular, but that alone may not be enough to deter others. Preventing attacks in cyberspace is now considered almost as important as deterring physical attacks – and it’s an area where the thinking is just beginning.
There have been some diplomatic victories. After the United States complained loudly and publicly about Chinese information theft, the practice appeared to fall off sharply, according to internet security firms.
These problems aren't new, although they are getting more complex. The 2007 Estonia incident was part of a wider campaign sparked by Estonia’s decision to move a Russian war memorial from the center of its capital. Moscow, which controlled Estonia when it was part of the USSR before independence in 1991, reacted angrily – and Estonian officials also accused it of provoking riots amongst ethnic Russians within Estonia at the same time.
Moscow denied government involvement in both the riots and cyber attacks, suggesting the latter were carried out by “patriotic” Russian hackers.
Russia’s 2014 annexation of Crimea and the war in eastern Ukraine that followed have also involved cyber attacks and other electronic warfare, rendering U.S.-manufactured drones supplied to the Ukrainian military almost useless. Russia has integrated cyber capabilities into its broader hybrid and conventional warfare playbook in ways the West has yet to match, although U.S. and other militaries are working hard to do so.
Western states have taken their own steps. The United States and Israel are believed to have used the Stuxnet computer worm to reprogram Iran’s nuclear centrifuges so that they tore themselves apart.
That action, however, opened the door to new, potentially lethal forms of warfare. Computer security experts report a rising number of attacks against industrial control systems, the sophisticated computer programs that operate power stations, water and fuel supplies and other similar infrastructure.
Attacks causing physical damage of any kind have been rare, but at least one has been reported – a 2014 incident at a German industrial smelter. At the end of 2015, suspected Russian hackers shut down part of Ukraine’s power grid, although the government swiftly restored electricity. A similar attack at the end of last year was suspected to have been behind widespread power outages in Kiev.
In theory, such techniques could be used to blow up fuel stations, crash airliners and a host of other lethal actions.
Clarifying the internationally understood rules around such attacks has long been a priority for the United States and other major states. Since at least 2011, the United States has maintained that it would retaliate for any cyber attack that caused physical damage or death in the same way it would a physical assault, potentially considering it an act of war.
Partly as a result, the West’s foes have turned to softer targets. Iran is believed to have responded to U.S. sanctions and interference in its nuclear programs by attacking the U.S. banking system, at one point causing considerable if temporary disruption to a number of major institutions. Tehran was also blamed for an attack on the Saudi oil firm Aramco that reportedly led to hundreds of computers having to be thrown away.
U.S. officials believe North Korea’s response to an unflattering portrayal in a 2014 American comedy film was to hack media giant Sony, causing considerable embarrassment to its senior management. Pyongyang denied the charges, and some computer security experts suggest other explanations for the release of information, including internal rivalries at Sony.
Because his presidential campaign benefited from alleged Russian hacking of the Democratic National Committee, Donald Trump and his administration are in an awkward place when it comes to formulating new approaches to such uncertain situations. But they don’t have much choice. As it approaches its teenage years, cyber warfare will only get more troublesome.