Time July 8, 2019W
hen a U.S. navy SUrveillance drone
was shot down over the Strait of Hormuz
on June 20, the U.S. blamed Iran. The com-
mander of Iran’s Islamic Revolutionary
Guard Corps (IRGC) said his country was “ready for war,”
and President Donald Trump responded by declaring that
Iran had made a “very big mistake.” Around the world,
observers worried that the two countries were headed for
battle. In a sense, however, they were already at war.
Also on June 20, the U.S. military conducted a Trump-
approved cyber strike on Iran-linked computer systems,
U.S. officials say; two days later, the Department
of Homeland Security reported it had seen a
“rise in malicious cyber activity” directed at
U.S. industry by hackers with Tehran ties. These
were the latest moves in a rapidly escalating
cyber conflict that is proving to be a test run in
the future of war. Compared with a potential
military clash over the drone’s destruction,
the little noticed computer skirmish may seem
reassuring. But if it was an off-ramp from the
highway to airstrikes and invasion, it also posed
new dangers of its own.
There are no international rules governing
digital conflict; tracing attacks is notoriously
difficult, and targets can include industry,
infra structure and ordinary citizens. “There
is not even an agreed-upon definition of what
constitutes a cyber ‘act of war,’ assuming the
term itself is still relevant,” former U.S. Director
of National Intelligence James Clapper tells
TIME. The U.S. has powerful capabilities in this
new area. Military hackers and coders at Fort
Meade, Md., maintain a long list of potential
targets. The command, created in 2009, has
played a larger role in war planning since the
Trump Administration granted commanders
new authority and Congress quietly issued
a declaration defining online operations as a
traditional military activity.
The U.S. military refused to comment on the
latest offensive, after Yahoo News first reported
that hackers with U.S. Cyber Command had
taken aim at computers belonging to a spy group
connected to the IRGC. Subsequent reports
revealed U.S. attacks on networks belonging
to a proxy militia and military missile-launch
systems. But Iranian officials said they failed, and
cyber security firms say Tehran-linked hackers
retaliated by increasing attacks on U.S. networks.
Such attacks have been going on for more
than a decade, mostly for espionage. But cyberacts hold
potential for physical destruction. It is believed that the
U.S. and Israel teamed together on a cyberattack in 2010
that briefly disabled spinning centrifuges at a uranium-
enrichment facility in the Iranian city of Natanz, and in
2016, a grand jury in the Southern District of New York
indicted an Iranian, Hamid Firoozi, for hacking into the
control system of a dam near New York City. A 2018 report
by Collin Anderson and Karim Sadjadpour of the Carnegie
Endowment for International Peace described the evolving
risks, noting “legitimate reasons to be concerned” that Iran
is readying for a world in which such actions are part of its
wartime toolbox.
The U.S. is worried that those preparations are about
to pay off. Since it walked away from the 2015 six-
nation deal to curb Iran’s nuclear-weapons program, the
Trump Administration has continued to ratchet up its
“maximum pressure” campaign against Tehran, imposing
ever tougher economic sanctions. That, experts like
Georgetown University professor Trita Parsi say,
prompted Iran’s latest series of attacks on shipping
in the Persian Gulf. As the U.S. runs out of economic
pressure to apply and Trump balks at the costs of a
new military conflict in the Middle East, cyberspace
seems like the inevitable next arena of conflict.For now, the costs of cyberwar have gone largely
unnoticed. But a series of ransomware attacks, in
which hackers lock their victims out of computer
networks until they pay up, have stung the U.S. A
recent breach cost the city of Baltimore $18 million
to regain control of its data, and attacks on
institutions such as hospitals, schools and local
police endanger public safety.
As threats increase, so do efforts to establish
rules akin to those governing armed conflict. For
years, U.N. officials have worked to establish a sort
of cyber–Geneva Convention to protect civilians
from state-sponsored cyberattacks. After all, while
digital warfare may keep troops safe from combat,
shutting down an adversary’s infrastructure or
communications could affect hospitals or aid
organizations, and not just in the target country.
But world powers haven’t yet taken concrete
steps toward a comprehensive agreement. Sergio
Caltagirone, a vice president at cybersecurity
firm Dragos, said that’s unlikely to happen until a
catastrophic event forces them to the negotiating
table. In the meantime, he says, there’s a greater risk
of “harm to civilian lives and livelihoods.”
What push there has been for rules and norms—
to define acceptable behavior and the types of
targets allowed—has so far been stymied by “more
aggressive strategies carried out by the world’s
powers,” says Peter W. Singer, a co-author of
LikeWar, a book on the weaponization of social
media. “Until that effort is taken up again, it’s
essentially a free-fire zone online.” •TheBrief Opener
‘We’re not
going to be
talking too
much about it.
You’re going
to find out.
[Iran] made
a very big
mistake.’
PRESIDENT TRUMP,
on the U.S. response
to the June 20 downing
of a Navy droneNATIONAL SECURITY
The U.S. and Iran are
already at war online
By W.J. Hennigan