has not happened yet, but as more aspects of human life involve being plugged into
networks, that could change in 2021.
To harm or kill someone who is not already dependent on life-support machinery,
malicious code must harness the kinetic or chemical energy of something it controls.
The obvious candidates are industrial-control systems, such as those that supervise
power-plants and factories. In 2007 America’s Department of Energy publicly showed
that 21 lines of code could rapidly open and close a diesel generator’s circuit breakers,
causing the machine to smoke, shake and shatter. “It was akin to the stress placed on a
car’s transmission when a driver shifts into reverse while the car is speeding forward,”
noted Ben Buchanan of Georgetown University in his book, “The Hacker and the State”.
Shortly afterwards America and Israel launched Stuxnet, a computer worm that pulled a
similar trick on Iranian gas centrifuges, which spin uranium, causing more than a
thousand to break. In 2016 Russian malware, inspired partly by Stuxnet, disrupted
Ukraine’s electricity grid and cut power to a fifth of Kiev in the middle of a bitter winter.
It targeted the protective relays which monitor current and voltage, shutting down
electrical systems in abnormal conditions. Persuading machinery or circuitry to commit
suicide is not the only way to harm people. In April 2020 an Israeli water and sewage
plant was struck by a suspected Iranian cyber-attack apparently intended to fool pumps
into adding excess chlorine to residential water supplies. Ukraine reported a similar
intrusion at a chlorine plant in 2018.
Nobody died as a result of those attacks. But they might have done. The thwarted
sewage-plant attack could have caused “very big damage to the civilian population”,
noted Yigal Unna, head of Israel’s National Cyber Directorate. In Ukraine in 2016, the
attackers appear to have pulled their punches, notes Mr Buchanan, targeting only a
single electrical substation in Kiev. Such restraint may not last. In recent years, America
and Russia have been probing one another’s power grids and leaving behind malware,
like arms caches stashed behind enemy lines. In a serious crisis, leaders might choose to
use these instead of a riskier military option, potentially cutting off power to vital
services.
Such services could also be more directly targeted by code-borne assaults. In 2017
North Korean hackers deployed WannaCry, a piece of “ransomware” that encrypted
data and demanded a ransom to unlock it. It inadvertently struck Britain’s National
Health Service, affecting dozens of hospitals and nearly 600 doctors’ surgeries. Unlike in
Düsseldorf, the impact was limited—there was a drop in admissions but no increase in
mortality. But malware specifically designed to disrupt health systems could certainly
put lives at risk.
There may be simpler means of cyber-homicide. Vehicles—unlike centrifuges or
transformers—tend to have highly breakable humans sitting inside them while moving
at high speeds, increasingly with a connection to the internet. Such links tend to have
weak security standards. Hackers have repeatedly demonstrated the ability to seize
control of cars in motion; one such demonstration caused Fiat Chrysler to recall 1.4m
vehicles in 2015. ABI, a market-intelligence firm, reckons that 91% of new light vehicles
and trucks sold in America in 2020 have internet connectivity. At highway speeds, it
would not take a Stuxnet to do some damage. As attackers become more sophisticated