Still,the stakes are getting higher. Therise of artificial intelligence (AI),satellite technology and the internet of things (where more devices,from lights to door locks,are connected) means targets are opening up faster than we can patch vulnerabilities. China’s state hacking teams steal corporate secrets,as well as government data to blunt the West’s military advantage. Russia hijacks social media not just to spread propaganda but tomanipulate democracies. And nations can turn these cyber weapons on their own citizens,too,to stamp out dissent.
“It’s not warfare but it’s definitely not peace either,” Uren says. “Some countries will push right up to the edge of that red line using covert,deniable methods … NotPetya is probably the closest we’ve come to real war.”
NotPetya hit during an actual physical invasion too – Russian troops (andbikie gangs) had already been sent into Ukraine without military insignia to seize Crimea and sow violence. Likewise in the former Soviet republic of Georgia in 2008,cyber attacks seemed to hit towns just ahead of Russian soldiers arriving to back pro-Russian separatists.
The year before,when Estonia,one of the most wired nations in the world,was unplugged,it went to NATO for help. There was even (brief) talk of invoking Article 5,which demands all other nations in the alliance defend one another from enemy assaults. But the world did not see a direct military retaliation to a cyber attack untilIsrael bombed a building linked to Hamas hackers in Gaza in 2019.
Ukraine has become Russia’s testing ground for cyber weapons,as Taiwan is now for China,says Professor Greg Austin,a former government adviser and analyst who heads a program of cyberwar study at UNSW. But,for all the Kremlin has unleashed on the Baltic nation,it’s still holding back. “It’s not looking to crush the Ukrainian government entirely,” Austin says. “In a major war then everything Russia is doing in Ukraine,it would do 100 times over to many more targets … And other countries have huge capabilities too.”
New York Timesjournalist David Sanger has watched cyber conflict heat up since he first helped unravel the mystery of Stuxnet in 2012. As luck would have it,he even found himself in Kyiv years later just as NotPetya was hitting (“I didn’t have any Ukrainian money,and all the ATMs were down”). But he agrees the world has not seen full-scale cyberwar yet. Digital weapons are still mostly deployed as “short of war” tools,he says,cheap,effective and often difficult to trace back to the state actor,making retaliation complicated.
Indeed,unlike regular weapons,cyber has become a tempting way for smaller nations to show their teeth without invoking devastating counterstrikes. Just nine countries have nuclear weapons but most have state-sponsored hackers. That means attacks can come from almost anywhere and,as many experts warn,could steer dangerously out of control.
Austin explains:“That means if China or Russia are persistently trying to penetrate our systems we’re going to stop them even if it means going into theirs.”
Coyle,who was the first woman to command all of the Australian Defence Force’s operations in the Middle East,can’t offer much detail due to “the classification level” of the cyber operations she now oversees. But she says everything the ADF does complies with the law,and commanders take pains to make sure no one steps outside those boundaries.
Who are the big cyber powers at play?
The online world looks a lot like the offline one – the US,China and Russia remain at the centre of power struggles. America is still considered to have the most advanced cyber capabilities in the world. But China,Russia,Israel,Britain,even Iran and North Korea,also have formidable cyber armies – think of the legions of hackers installed in St Petersburg or behind China’s great firewall.
Still,some countries are noisier than they are effective,Uren says. “Often a really great,well-executed operation you don’t know about.”
Russia,North Korea and Iran are conspicuous in cyberspace for the same reasons they are on the world stage:shows of force. Here they use digital weapons not just for espionage and war but political point-scoring,even harassment. Remember North Korea’s attack on US movie studio Sony Pictures in 2014 ahead of the release of a comedy critical of its leader Kim Jong Un? Or the hacks that paralysed broadcasts of the 2018 Winter Olympics after Russia’s doping scandal (these were evencodenamed Sour Grapes by intelligence agencies linking them back to Russia).
Austin has been analysing the cyber arsenals of foreign governments and says that the smaller nations making headlines,such as Iran and North Korea,don’t have the same depth of capability as the big players. “They can still cause damage but they’re not able to launch something as sustained and wide-ranging. The big ones could shut us down,close off traffic lights,stop the trains running,and make it last longer.”
Loading
Still,these smaller nations consider they have one big advantage – they are not as wired as their Western adversaries,making their own exposure smaller.
In Australia,most attacks considered sophisticated enough to be attributed to another state are thought to have come from China,although the country has denied it,as it does all hacks. China is less brazen than Russia in its cyber attacks on the West,mostly sticking to espionage so far. Still,its restraint does not extend to Taiwan,where cyber attacks come almost daily. And,as diplomatic and trade disputes escalate with Western countries,notably Australia,some fear China is growing bolder. In March 2020,an attackcrashed the website of a global coalition of MPs speaking out on China’s aggression.
“China has learnt from Russian interventions in elections in the US and Europe,” Austin says. “They can do more things in cyber than they previously imagined.”
Stephens adds that the growing superpower is also investing heavily in new technology that will shape the future cyber battlefield such as AI,satellites and 5G networks. “China’s trying to jump that industrial step the West took of building big fleets of ships and airplanes and go straight to the next generation of weapons:cyber and AI.”
Back home,experts agree Australia is,at last,taking cyber more seriously,recruiting more hackers and rolling out new cyber security standards to shore up privately owned critical infrastructure. But,while we are not trailing the pack on cyber security internationally,we are still not doing enough.
“Look at what our adversaries are doing,” Austin says. “You see our big government departments starting to uplift their security and still only put in a moderate performance. And they’re only transparent[about attacks] when it suits them.”
America’s Cyber Command is thousands-strong,created in 2009,after a particularly embarrassing breach of Pentagon internal networks by the Russians. Australia didn’t have its own military cyber force until 2017,but it’s now about 400-strong,a mix of soldiers,contractors and public servants who work within defence and sometimes with Australia’s spy agency.
“We’ve come a long way very fast but we’re still learning,” Coyle says. “Of course,we’ll never be as big as US Cyber Command...But that’s the beauty of alliances and partnerships,you all bring different strengths. ”
Overall,Austin says,the West (specifically the US) is winning the cyber battle. “The broad narrative that China is winning is really a gross exaggeration;their cyber defences are weak,” he says. “And we never hear of all the times the West successfully hits them or Russia.”
How likely is a cyberwar and how bad could it get?
To get a full-scale cyberwar,where nations are actively unplugging their enemies,experts say the world would have to be either already on the brink - or an attack would have to spiral rapidly out of control,into something interpreted as a clear act of war. Uren imagines it would take a big attack “something with the impact of[almost a] 9/11 where you had mass casualties,not just mass destruction of IT systems.”
We haven’t seen that yet. And while geopolitical tensions have only escalated during the COVID-19 pandemic,the superpowers remain reluctant to go to war. “Even calling an attack warfare means you have to respond,” Uren says.
Coyle adds:“I think we’d need some pretty incredible evidence to suggest something was an act of war,that it wasn’t an unnecessary escalation or a mistake. And I’d be surprised if somebody was stupid enough to want to do that,knowing that,collectively,countries would go against[them].”
But,while she is less concerned about one strike taking many lives – the doomsday “cyber Pearl Harbour” scenario – she says even a hack causing mass disruption,such as knocking out power,could hit with a force akin to a natural disaster. People could still die. “And economies can fail. We’ve seen it with COVID. Things can change quite rapidly. If we were to be attacked … Australia-wide,the impact would be far-reaching.”
Stephens says the greatest threat may come from attacks above,withcyberspace increasingly connected to satellites. GPS doesn’t just help you find where you’re driving and video chat to people on the other side of the world,it’s integral to military operations too.
Loading
“We can restore our systems down here but if I take down the satellites that help them run,that’s going to have a much bigger impact,” Stephens says. “We’ve just woken up to this vulnerability.”
Coyle agrees an attack on space infrastructure would be very concerning but stresses,“We don’t have one point of failure … We still use paper,for example,we can use compasses if space fails.”
And there are limits to cyber damage too. When it comes to hacking,Uren says many people think “it’s kind of like magic”. “A really good hacker could do whatever they want,but that’s not true.”
As Stephens puts it,“cyber ends at a certain point”. He doesn’t imagine it will ever pack the kind of knock-out blow of a nuclear weapon.
“There’s always a patch,there’s always a defence. I think the US has huge capabilities to unleash a devastating cyber retaliation. But the world will survive it. Of course,AI might change that. If I’m on an aircraft carrier on the South China Sea and I’m suddenly swarmed by a bunch of self-driving underwater drones,I’m not standing a chance.”
Austin agrees the marriage of AI with weaponry could ratchet up the stakes in the coming years. And Uren says that,while a “cyber Pearl Harbour” is unlikely,“with cyber it’s difficult to rule anything out”.
“It’s hard for me to imagine we’d get a first-strike capability that could disable another country’s military but … if you could switch off the air defence radars[of another nation],for example,you could just fly in your bombing planes.”
Could we have cyber peace? What about mutually assured destruction?
In his2018 bookThe Perfect Weapon,Sanger warns that the current cyber arms race is running without the same level of public debate or oversight of the Cold War nuclear age,where mutually assured destruction kept weapons locked away.
“Everything that worked in the nuclear age won’t work for cyber,” he says now. “Deterrence won’t hold.”
The problem is that,in regular warfare,to deter an attack you must either be prepared to retaliate with a worse blow or make your attacker believe their assault was pointless,as your defences are too strong.
Neither is happening in cyberspace. Not only is cyber security weak across the board but nations are reluctant to strike back for fear of tipping cyber conflict closer to real war. They are also,despite the urging of experts,often unwilling to name and shame nations behind attacks.
“Imagine if we got it wrong and[blamed] the wrong country,” says Coyle.
In the shadows of cyberspace,states do not attack with national flags raised. To cover their tracks,they might even outsource hacks to criminals or cowboy civilians. Or an attack could be staged to look like ransomware (where criminals encrypt a computer’s data then demand money to unlock it),when really destruction,not cash,is the goal.
Loading
Still,Austin insists governments everywhere are getting “very good” at attributing attacks,especially those sophisticated enough to be considered state-sponsored. “It’s mostly politics[and] fear of exposing sensitive intelligence sources or methods of our own that stops nations[pointing fingers].”
After all,countries under siege are usually themselves launching attacks. “If Australia,the US,the UK go too far down the path of calling out every attack,China and Russia might start doing the same,” Austin says. “So far they only call out what they regard as attacks beyond the pale such as Sony and Ukraine[NotPetya].”
In 2020,when it was revealed that popular software,including Microsoft and SolarWinds,had been used to infiltrate US government departments and companies around the world,the Trump administration at first cast doubt on findings from investigators tracing the hack back to Russia. But,soon after taking office,President Joe Biden expelled Russian diplomats and sanctioned individuals and companies linked to the hack,known as the SolarWinds breach,echoing former President Barack Obama’s sanctioning of North Korea over the Sony hack.
The world may not quite be in another Cold War but everyone agrees cyberspace will figure more prominently in conflict to come. Australia’s first ambassador for cyber affairs,Dr Toby Feakin,told an international forum hosted by the ANU in February that cyber had become central to foreign affairs in a “way we never could have imagined”. Cyber capabilities and technology such as AI will “fundamentally shape and shift the power dynamics of the 21st century,” he said.
Sanger and others argue that the world now needs a digital Geneva Convention to rein in this Wild West– keeping civilian targets such as hospitals and power grids off limits in a kind of “cyber no fly zone”.
Loading
Austin says existing international law covers cyberspace in a sense but he agrees there are still critical questions to answer about how it can be applied.
“So you can’t bomb a hospital but you could disable its computer systems so people will die. For most people,that should break[rules of war] too.”
But,with the big powers reluctant to muzzle their own capabilities,others fear a treaty will just be another piece of paper.
“We’ve had pretty successful prohibition of nuclear weapons because everyone is terrified of the consequences of using them,for good reason,” Uren says. “The problem is people are not deadly terrified of the consequences of cyber. We either have to get better at defending ourselves or make the consequences worse for attackers.”
Coyle agrees that getting the worst offenders to come to the treaty table would be almost impossible,given they already refuse to admit to hacks. “But if we could do it,it would be a wonderful thing.”
So is the threat of cyberwar looming larger today than when Stuxnet was unleashed?
Loading
Austin says the attacks are certainly getting more vicious,and the hackers more resourced,as computing power advances. But he thinks countries of all stripes will remain wary of putting the tens of trillions of dollars in the world’s online banking system at risk with all-out cyberwar. “Of course,it doesn’t mean they can’t navigate around it.”
What worries Coyle most is what she can’t see coming. “What’s out there that we’re not tracking? Has something been laid already? That’s why we always have a presence in cyberspace,we’re always wargaming,so we’re ready … But I’m an optimist,no one really wants to go to war.”
Uren,too,is hopeful cyber attacks will stay below the red line,even as he warns of increasing vulnerability in an increasingly connected world.
“On the whole,technology has made our lives better. There hasn’t been some existential hit to our society,there hasn’t been a catastrophe. At least,not yet.”