The devastating effects of a massive cyberattack are no more confined to a computer network than any other action carried out online. People use the computers and the internet all the time to make things happen in the physical world.
A cyberattack isn’t just a cyberattack. It’s an attack.
Hospitals, pharmacies, and major corporations like FedEx and the Spanish telecommunications giant Telefonica were among the 200,000 victims hobbled by a global ransomware attack on Friday, which locked people’s computers and demanded Bitcoin payment in exchange for access. In the United Kingdom, some hospitals canceled procedures and other appointments as a result. The software security firm Symantec found that people paid ransoms totaling about $54,000 in the attack, though officials strongly caution against paying such ransoms.
Among the many questions prompted by the fallout of the attack is an increasingly urgent one: At what point will a cyberattack prompt a more traditional form of retaliation? More importantly: When should it?
Scholars have been asking this question for years, but the ubiquity of networked computing and a growing threat of sophisticated cyberattack has made it all the more pressing in recent months.As the rules of war are adapted to the internet age, determining who is responsible for massive, disruptive cyberattacks has made foreign policy even more complex. And the attribution of cyberattacks is a messy, time-consuming business.
The public has lost confidence in officials’ ability to pinpoint the origins of a cyberattack, as Kaveh Waddell wrote for The Atlantic earlier this year. “Mistrust of attribution would make hacking easier, since it means retribution is harder,” Nicholas Weaver, a professor and security researcher at the University of California, Berkeley, told Waddell at the time. “You need to have attribution for retribution, both to know that you are retaliating against the right actor and to convince the public you are justified in doing so if it is a public retaliation.”
But attribution of cyberattacks is often “extremely difficult and, in many cases, impossible to achieve,” Dimitar Kostadinov wrote for the Infosec Institute in 2013. “However, the law of war requires that the initial cyber attack must be attributed before a counterattack is permitted.”
It’s still unclear who was behind last week’s attack, which hobbled systems in more than 150 countries. But private security firms and intelligence officials now believe there’s evidence to suggest that hackers with ties to North Korea were involved.
Here’s another complicating factor: Civilians and state actors can now access and use the same grade of online weaponry—in a cyberattack, that means computer code. And in some cases, civilians might inadvertently carry out an attack. A nationwide AT&T outage in the United States in March seems to have been accidental, for example. But the ransomware attack last week was clearly designed to wreak havoc.
The computer code used to carry out Friday’s attack had striking parallels to the code used in three earlier high-profile attacks, including the hacking of Sony Pictures in 2014. The similarities were first pointed out by Neel Mehta, a security researcher at Google. The link to North Korea is, for now, speculative. It may take months to say with certainty who is responsible for the attack. Hackers routinely borrow sections of code from one another, in some cases as a way to throw investigators off their trail.
This time, the attackers used cyberweapons that were stolen from the United States National Security Agency and leaked online last month. Microsoft said at the time that it had already patched the vulnerabilities exposed as a result of the theft—but the speed and scale of the WannaCry ransomware attack suggests that many networks failed to upgrade their systems.
“Any unpatched Windows computer is potentially susceptible to WannaCry,” Symantec wrote in a blog post on Monday. “Organizations are particularly at risk because... WannaCry has the ability to spread itself within corporate networks without user interaction.”
Most responses to cyberattacks are still passive: systems are patched, cybersecurity experts offer lessons of how to protect against the next attack. That’s largely due to the aforementioned attribution problem, as David E. Graham wrote in his paper “Cyber Threats and the Law of War” in 2010.
“While a victim state might ultimately succeed in tracing a cyber attack to a specific server in another state, this can be an exceptionally time consuming process, and, even then, it may be impossible to definitively identify the entity or individual directing the attack,” he wrote. “For example, the ‘attacker’ might well have hijacked innocent systems and used these as ‘zombies’ in conducting attacks.”
To complicate matters further, any sort of pre-emptive self-defense strike would be difficult to justify in the case of cyberwarfare, because it’s nearly impossible to anticipate a cyberattack.
The United States has, however, used its own cyberweapons to disrupt material weapons testing. As The New York Timesrevealed in March, the United States has, since 2014, intensified a secret campaign to sabotage North Korea’s frequent missile tests.
That campaign of sabotage demonstrates as well as anything the startlingly short distance between cyberwar and what some might call “actual” war. Disrupting North Korea’s tests, as William J. Perry, who was a secretary of defense in Bill Clinton’s administration, said at a recent presentation in Washington, would be “a pretty effective way of stopping their ICBM program,” the New York Times reported.
Computer code does all sorts of things in the world. Only a small portion of it stays within the realm of computing. Tweets don’t just flutter around on Twitter; they have the potential to shape geopolitical relations. Taxis are summoned by smartphones and materialize on city streets. A single click on Amazon will bring all manner of goods to your doorstep with in days.
It remains tempting to draw a line between online and offline, between the internet and the “real world.” But the reality is: That line is mostly an illusion. It’s foolish to assume that the wars that are fought online will remain confined to the internet.