Hacking didn’t need to be confined to some tactic on the periphery of war: Cyberattacks could themselves be a weapon of war. It was perhaps that definition of cyberwar that President Bill Clinton had in mind in 2001 when he warned in a speech that “today, our critical systems, from power structures to air traffic control, are connected and run by computers” and that someone can sit at the same computer, hack into a computer system, and potentially paralyze a company, a city, or a government.”
Since then, that definition for cyberwar has been honed into one that was perhaps most clearly laid out in the 2010 book Cyber War, cowritten by Richard Clarke, a national security advisor to Presidents Bush, Clinton, and Bush, and Robert Knake, who would later serve as a cybersecurity advisor to President Obama. Clarke and Knake defined cyberwar as “actions by a nation-state to penetrate another nation’s computers or networks for the purpose of causing damage or disruption.” Put more simply, that definition roughly encompasses the same things we’ve always identified as “acts of war,” only now carried out by digital means. But as the world was learning by the time Clarke and Knake wrote that definition, digital attacks have the potential to reach out beyond mere computers to have real, physical consequences.
The first major historical event that could credibly fit Clarke and Knake’s definition—what some have dubbed “Web War I”—had arrived just a few years earlier. It hit one of the world’s most wired countries: Estonia.
In the the spring of 2007, an unprecedented series of so-called distributed denial of service, or DDoS, attacks slammed more than a hundred Estonian websites, taking down the country’s online banking, digital news media, government sites, and practically anything else that had a web presence. The attacks were a response to the Estonian government’s decision to move a Soviet-era statue out of a central location in the capital city of Tallinn, angering the country’s Russian-speaking minority and triggering protests on the city’s streets and the web.
What cyberwar is not
Cyberwar is not simply stealing information, neither the global great game of nations spying on each other’s governments nor the more controversial sort of private-sector economic espionage that the US has long accused China of carrying out.
Cyberwar is not profit-focused hacking like bank fraud or the ransomware attacks that seek to extort millions from victims—that’s cybercrime, no matter how cruel and costly its effects may sometimes be.
Cyberwar is not—although this point may be the most debated—the “influence operations” that seek to spread disinformation and propaganda, or to hurt an adversary by leaking damaging information about them. And yes, that includes the hack-and-leak operation that Russian government hackers used against Democratic targets in 2016, which ultimately boiled down to dirty politics and kompromat, not the directly coercive, paralytic disruption of true cyberwar.
As the sustained cyberattacks wore on for weeks, however, it became clear that they were no mere cyberriots: The attacks were coming from botnets—collections of PCs around the world hijacked with malware—that belonged to organized Russian cybercriminal groups. Some of the attacks’ sources even overlapped with earlier DDoS attacks that had a clear political focus, including attacks that hit the website of Gary Kasparov, the Russian chess champion and opposition political leader. Today security analysts widely believe that the attacks were condoned by the Kremlin, if not actively coordinated by its leaders.
By the next year, that Russian government link to politically motivated cyberattacks was becoming more apparent. Another, very similar series of DDoS attacks struck dozens of websites in another Russian neighbor, Georgia. This time they accompanied an actual physical invasion—a Russian intervention to “protect” Russia-friendly separatists within Georgia’s borders—complete with tanks rolling toward the Georgian capital and a Russian fleet blockading the country’s coastline on the Black Sea. In some cases, digital attacks would hit web targets associated with specific towns just ahead of military forces’ arrival, another suggestion of coordination.
The 2008 Georgian war was perhaps the first real hybrid war in which conventional military and hacker forces were combined. But given Georgia’s low rate of internet adoption—about 7 percent of Georgians used the internet at the time—and Russia’s relatively simplistic cyberattacks, which merely tore down and defaced websites, it stands as more of a historic harbinger of cyberwar than the real thing.
The world’s conception of cyberwar changed forever in 2010. It started when VirusBlokAda, a security firm in Belarus, found a mysterious piece of malware that crashed the computers running its antivirus software. By September of that year, the security research community had come to the shocking conclusion that the specimen of malware, dubbed Stuxnet, was in fact the most sophisticated piece of code ever engineered for a cyberattack, and that it was specifically designed to destroy the centrifuges used in Iran’s nuclear enrichment facilities. (That detective work is best captured in Kim Zetter’s definitive book Countdown to Zero Day.) It would be nearly two more years before The New York Times confirmed that Stuxnet was a creation of the NSA and Israeli intelligence, intended to hamstring Iran’s attempts to build a nuclear bomb.
Over the course of 2009 and 2010, Stuxnet had destroyed more than a thousand of the six-and-a-half-foot-tall aluminum centrifuges installed in Iran’s underground nuclear enrichment facility in Natanz, throwing the facility into confusion and chaos. After spreading through the Iranians’ network, it had injected commands into the so-called programmable logic controllers, or PLCs, that governed the centrifuges, speeding them up or manipulating the pressure inside them until they tore themselves apart. Stuxnet would come to be recognized as the first cyberattack ever designed to directly damage physical equipment, and an act of cyberwar that has yet to be replicated in its virtuosic destructive effects. It would also serve as the starting pistol shot for the global cyber arms race that followed.
Iran soon entered that arms race, this time as aggressor rather than target. In August of 2012, the Saudi Arabian firm Saudi Aramco, one of the world’s largest oil producers, was hit with a piece of malware known as Shamoon that wiped 35,000 of the company’s computers—about three-quarters of them—leaving its operations essentially paralyzed. On the screens of the crippled machines, the malware left an image of a burning American flag. A group calling itself “Cutting Sword of Justice” claimed credit for the attack as an activist statement, but cybersecurity analysts quickly suspected that Iran was ultimately responsible, and had used the Saudis as a proxy target in retaliation for Stuxnet.