In a small town outside Springfield, Illinois, a controversy emerged this past month as to whether or not the U.S. had fallen victim to its first known industrial cyber attack. In a public water district, a water pump malfunctioned causing it to turn on and off until the piece of equipment eventually burned itself out. Cyber-security expert and blogger Joe Weiss notified the media that the Illinois Statewide Terrorism & Intelligence Center had identified the event as a cyber attack launched from somewhere in Russia. Subsequently, the Department of Homeland Security and FBI pursued investigations and concluded that there was no actual evidence of hacking of the controls to the facility. No malicious intrusion appears to have occurred. According to a source with DHS, the Russian IP address found in the computer log was present because the contractor, who had remote access to the computer system, was there on personal business.
As implausible as this and similar scenarios might seem, where hackers could gain control of industrial equipment anywhere in America—outside action movies—the U.S. has already been implicated in committing this exact activity. Last year, the Stuxnet worm was discovered and linked to U.S. and Israeli governments as an attempt to derail Iran’s nuclear program. The worm spread to hundreds of thousands of computers but was designed, ostensibly, so specifically as to execute a process only to destroy a network of the centrifuges in Iran’s nuclear facility. While Stuxnet originally mystified security companies and programmers, it now exists as (1) a well-studied “playbook” for those wishing to design a similar computer worm and (2) part of an acknowledgement that the U.S. is innovating beyond cyber espionage and into industrial cyber warfare. Realizing that the cyber arms race favors the innovation of hackers, which is often unpredictable for those working cyber defense, many are asking if there is any possible legal regime applicable to this type of attack.
Those trying to determine international rules of law are grappling with almost boundless uncertainty. Questions of interpretation deal with whether a cyber attack might trigger the collective self-defense provision in Article V of the NATO Charter or qualify as the use of force according to Article 2(4) of the U.N. Charter. However, a practical issue any lawmaker faces is that it may be next to impossible to know with certainty where an attack is coming from.
The U.S. has endeavored to establish a legal framework for cyber warfare within its own government regarding policies and rules of engagement, but even there deliberations are “ongoing.” This year, instead of waiting for answers from international bodies, the Pentagon clarified the U.S. view that these attacks may constitute acts of war. Just recently, the U.S. joined efforts at the NATO cyber defense research center in Estonia, whose government was temporarily crippled by a cyber attack years ago that is presumed to have come from Russia. Likewise, in the past week the U.K. announced its own Cyber Security Strategy that voiced intentions to pursue an aggressive cyber defense policy.
Still, one important consideration should emerge while we’re worrying about cyber warfare: there is still no evidence of any significant physical harm befalling anyone due to cyber warfare. These worries can be overblown. There are few, if any, successful cases of cyber industrial sabotage—even Stuxnet probably only worked to destroy a tenth of its target centrifuges. On the other hand, many people, even experts, may have vested interests in with raising cyber security fears. As engaging and serious as this discussion sounds, we should take cyber security threats with a grain of salt. Before considering retaliation, we especially need to make sure that the problem is not simply a glitch within our own equipment controls.