Abstract
The potential effect of a digital, or cyber, weapon used against a network is directly proportional to how much a given population relies upon that network. The widespread denial of essential services caused by a network attack, the author writes, could lead indirectly to bodily harm and loss of life, through rioting or other violence. As of now, however, a cyber weapon cannot directly injure or kill human beings as efficiently as guns or bombs, and there is no evidence to support a claim that cyber weapons meet the legal and historical definitions of weapons of mass destruction.
The action in the video starts slowly but turns increasingly alarming. An electrical generator shakes and then jumps once sharply, in concert with a metal-on-metal bang. A few seconds later, the generator jumps again, to a louder clang. Then black smoke and white smoke or steam spew from every crevice of the generator, surging through an exhaust vent to billow darkly into the sky.
A cyber attacker had just hacked into a computerized control system, changing the generator’s operating cycle and causing it to destroy itself. In this case, the attack was an experiment—dubbed Aurora—conducted at an Energy Department laboratory and meant to help government and industry officials understand and respond to the threat of cyber attacks on America’s electric power plants.
The potential effect of a digital weapon—also known as a cyber weapon—is in direct proportion to how much a given population relies upon the network that the weapon subverts or destroys. And certainly, the population of the United States relies significantly on the availability of electric power; any long-term disruption in power supply could wreak economic havoc.
But as details about the use of cyber weapons against critical infrastructure have become public in recent years, some national security experts are suggesting that they constitute a new class of weapons of mass destruction. Those experts sometimes cite analytical parallels between cyber and nuclear weapons, noting, for instance, that both are offensive weapons against which there is no particularly effective defense.
To date, however, no one has put forward evidence supporting a claim that the development of cyber weapons should fall under the legal and historical rubric of weapons of mass destruction. The widespread denial of essential services caused via a network attack could, theoretically, lead to indirect effects that include bodily harm and loss of life; for example, in the wake of a widespread power outage, the struggle to secure food and supplies could lead to rioting and other acts of violence.
Even so, as of now, a cyber weapon cannot directly injure or kill human beings as efficiently as guns or bombs. So can malware legitimately be called a weapon, let alone a weapon of mass destruction?
The legal view
Cyber weapons do not fall under the current definition of destructive devices in federal law (USC 18, Section 921). Granted, the code has not kept up with the speed with which technology changes. Just the same, there hasn’t been a single incident in which a piece of malware has taken a human life—and killing is one of the core requirements of a weapon of mass destruction.
According to Title 18, Section 2332a of the US Code, a weapon of mass destruction (WMD) is: “any weapon that is designed or intended to cause death or serious bodily injury through the release, dissemination, or impact of toxic or poisonous chemicals, or their precursors; any weapon involving a biological agent, toxin, or vector; or any weapon that is designed to release radiation or radioactivity at a level dangerous to human life.”
The US Defense Department more concisely defines WMDs as “chemical, biological, radiological, and nuclear weapons capable of a high order of destruction or causing mass casualties” (Joint Chiefs of Staff, 2009).
Cyber weapons have been successfully used to destroy property on at least three occasions and are wrongly credited with the destruction of property on a fourth. But a closer look at these incidents suggests that none qualifies as a use of a weapon of mass destruction, in the legal, historical, or vernacular senses of the term.
The CIA and the trans-Siberian pipeline explosion
In the 1980s, in response to Soviet efforts to appropriate US scientific and technological research, the CIA, FBI, and US Defense Department conducted a joint operation to sabotage Soviet military equipment and gas pipelines using bad computer chips. The operation was revealed in the Farewell Dossier, a collection of KGB documents supplied to French intelligence by a Soviet defector-in-place, and in a book by former Air Force Secretary Thomas Reed, At the Abyss: An Insider’s History of the Cold War.
According to a historical article on the CIA website (Weiss, 2007), the joint operation was a true success: “Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory. The Pentagon introduced misleading information pertinent to stealth aircraft, space defense, and tactical aircraft. The Soviet Space Shuttle was a rejected NASA design … The program had great success, and it was never detected.”
The trans-Siberian pipeline explosion, however, was not the result of that program, according to a source with first-hand knowledge from the US intelligence community who spoke with this author in June 2012 for an article on the topic:

“[T]hat explosion had nothing to do with CIA sabotage and everything to do with a Russian engineer who, when discovering a leak in the pipeline, simply kept increasing pressure to maintain the flow of natural gas. The gas leak kept building and building until a passing Russian train sparked the gas cloud and kaboom. It was a true disaster but it certainly didn’t qualify as a ‘key event in cyber history.’ Cyber had nothing to do with it. Instead think Chernobyl and the Sayano-Shushenskaya hydroelectric dam explosion in August 2009.” (Carr, 2012)
The Aurora experiment
Aurora was a test conducted by the US Energy Department at the Idaho National Laboratory in March 2007. The experiment aimed to see if a hacker could compromise the control system running a generator and cause damage to the equipment. The cyber attack was a success, and video (YouTube, 2007) of the experiment—complete with dramatic effects including shaking and intense plumes of smoke—found its way to CNN (Meserve, 2007). The experiment was intended to show a vulnerability in the US electrical generating system. But it was a staged attack, not a real one; no one lost power.
The Stuxnet attack in Iran
Stuxnet was the first publicly known example of the use of a cyber weapon deployed against the property of a nation-state—the centrifuges of Iran’s Natanz nuclear fuel enrichment plant. While there is evidence that Stuxnet did cause faulty instructions to be sent to the centrifuges, destroying a limited number of them, it did not have much of an effect on Iran’s fuel enrichment production, and its value as a weapon has received mixed reviews (Barzashka, 2013). The governments of the United States and Israel are widely believed to be responsible for creating Stuxnet and unleashing it against Iran. Its effects, however, did not rise to meet the bar for the right to self-defense contained in the Law of Armed Conflict.
That bar consists of two basic requirements: Armed conflict must have been initiated, and significant damage or harm must have been caused. The harm typically would include loss of life.
Shamoon and Saudi Aramco
Shamoon was malware used against computers at Saudi Aramco, the state-owned oil and gas enterprise in Saudi Arabia. It was likely reverse-engineered from the Wiper component of the Flame virus that was used against Iran’s oil ministry and that came to light in April 2012. Flame is generally attributed to the United States, Israel, or both countries. Although amateur in its crafting (Securelist, 2012), Shamoon caused major damage in the business networks of Aramco by destroying the hard drives of 2,000 servers and 30,000 workstations, replacing documents it erased with images of a burning American flag. The Shamoon attack was publicly claimed by three different hacker groups via Internet postings on Pastebin: the Arab Youth Group, the Cutting Sword of Justice, and an unnamed third group. But many believe that direction for the attack came from the Iranian government, for three reasons: Iran was the only nation with access to the original Wiper virus from which Shamoon was reverse-engineered; Iran was angry with Saudi Aramco for increasing oil production after Iran reduced its own oil production in response to US-led economic sanctions; and Iran supports Hezbollah, a group that uses hackers in its own operations and that allegedly has members employed at Aramco. Aramco spent millions of dollars on repairs and response to the incident, and the company took months to recover to its pre-attack condition. Still, the attack did not affect the firm’s oil production servers, much less kill or injure anyone.
Not WMD does not mean not dangerous
To date, the only occasions when cyber attacks are known to have resulted in the loss of human life involve two state assassination missions in which cyber attack played only a part. In one 2009 case, agents of Kyrgyzstan’s intelligence service cracked the e-mail account of a journalist, Gennady Pavlyuk, then constructed a false story to lure him out of the country and kill him (Ferganews, n.d.). In another, Israel’s Mossad intelligence service used a Trojan horse to infect Hamas leader Mahmoud Al-Mabhouh’s computer, which provided Mossad with information used in planning the 2010 assassination (Bergman, 2011). (The operation was successful, but Israeli intelligence was humiliated when a lengthy surveillance videotape of the assassination team was posted to the Internet.)
Despite the limited utility of cyber weapons until now, at least 28 countries are standing up cyber weapons programs (Carr, 2011). The US government is using cyber weapons in two principal ways: The first has been in combat in Iraq and Afghanistan when they can be employed as part of the US rules of engagement. In other words, if the military is currently authorized to engage an enemy with military force, then cyber effects may be used, within established means. (An example of established means might be the disabling of the radar system of an adversary state before sending US jets across its borders.) The United States also uses cyber weapons under a presidential finding that authorizes covert action (e.g., Stuxnet).
The most detailed description of how the United States is building its offensive cyber weapons capability came in a leaked top-secret document published by the Guardian (Greenwald and MacAskill, 2013) in June. According to the newspaper, in the 18-page Presidential Policy Directive 20 President Obama authorized Offensive Cyber Effects Operations that “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”
According to the Guardian, the directive warns that the consequences of cyber attack could include retaliation, risk to the security of the Internet, “the establishment of unwelcome norms of international behavior,” loss of life, damage to property, and negative foreign policy or economic impacts. And news of the presidential directive has led some security experts to express fears that large-scale use of offensive cyber capabilities could escalate into military conflict.
Under current legal regimes, however, none of the operations described in this article as having already occurred would justify, in the legal sense, an armed response by the victim nation-state. None meet the requirement of self-defense against an armed attack under Article 51 of the UN Charter, and even if they did, the response would need to be proportionate to the attack under the Law of Armed Conflict. So, to date, no cyber weapons have been used that could be called weapons of mass destruction. Indeed, it is hard to imagine a cyber weapon that could directly cause the death of a human being.
On the other hand, the technology does exist to create mass disruption of digital networks that support critical infrastructure. Should such disruption occur over a sustained period of weeks and months, then the resulting effects would almost certainly include loss of life through crime, suicide, acts of self-defense, and so on. Even if cyber weapons fail to qualify as weapons of mass destruction, their use can obviously be a dangerous proposition.
Funding
This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.
