• Cyber Warfare: Don’t Show Your Cards

    In cyber conflict, uncertainty is leverage. Has Iran nullified its threats of electronic devastation by demonstrating how little it can do?

    US political scientist Kenneth N. Waltz wrote in 1990 that the power of nuclear weapons resides in what a nation can do, not what it does. Similar rules apply to cyber threats: uncertainty over possible capabilities is far more powerful than absolute certainty over their limitations and shortcomings.

    For a decade, there has been a steady stream of concerns and reports about Iran’s cyber capabilities, fueled by bold statements from Tehran. They have reached new levels during the US-Israeli war on Iran, with assertions that Western infrastructure, businesses and governments could be severely damaged by cyber-attacks.

    As the air campaign began on February 28, there was widespread understanding that cyber retaliation against the $30 trillion US economy was on its way.

    Declaring that it was the “response to ongoing cyber assaults against the infrastructure of the Axis of Resistance,” Handala, an Iran-linked hacking group, said the world would see the wrath of the Islamic Republic and its cyber warfare units.

    Then it happened, and the retaliation turned out to be the targeting of a medical device company headquartered in Michigan. The hackers wiped remote devices running on the Windows operating system by using a Microsoft utility that was not properly configured.

    While the attack scraped the surface of the corporate system, it did not harm the core of the company’s IT infrastructure. There was no systematic targeting of other companies or organizations and no major lateral movement from entity to entity.

    The group also managed to hack the personal emails of FBI director Kash Patel, a breach of security that was embarrassing but showed no evidence that they had broken into any US government systems.

    Both attacks were unsophisticated, and a long way short of what might be expected from a state actor, particularly one that had talked up its cyber capabilities as much as Iran.

    By March 18, the US government had not identified an increase in Iranian cyber activity, Nick Andersen, acting director of the Cybersecurity and Infrastructure Security Agency, told the Record.

    The impact has been much smaller than claimed by Iran’s Revolutionary Guard and cyber units. They had some success targeting US banks and Middle Eastern companies before the war, but their performance since the bombing began suggests their capabilities were wildly exaggerated.

    Iran’s cyber capacity should not be underestimated, since it comprises an extensive system of state and state-aligned actors with shared funding, tactics and procedures. But bragging about its capabilities and then delivering microscopic impact has minimized cyber as a strategic tool for Tehran.

    The existence of cyber capabilities should force an adversary to consider what could happen, especially in an increasingly tech-dense and digital society amid the secrecy and fog of war, and can have a direct impact on their decision-making.

    But the Iranian Revolutionary Guard’s cyber operation has failed to create deterrence or to affect its adversaries’ thinking because it has highlighted the limits of its abilities and outlined what it can’t do.

    By contrast, the Ukrainian and Russian cyber communities, with the experience of four years of war, have successfully maintained uncertainty for their opponents about their true capacity. This has forced both sides to constantly consider the possibility of the enemy using capabilities that are unknown, with effects that cannot be predicted.

    This uncertainty creates the leverage Kenneth N. Waltz noted: it is not what you do, but what you can do. Without uncertainty about what it could do, a cyber force’s impact on its enemy’s decision-making evaporates.

    Jan Kallberg, Ph.D., LL.M., is a non-resident Senior Fellow with the Transatlantic Defense and Security program at the Center for European Policy Analysis (CEPA) and a George Washington University faculty member. Follow him at cyberdefense.com and @Cyberdefensecom.


• Cyber Attacks’ Main Ability to Destabilize a Society is through Secondary Effects

    In the cyber discourse, there is a significant, if not totally overshadowing, focus on the information systems themselves – the concerns do not migrate to secondary and tertiary effects. For example, the problem of vulnerable industrial control systems in the management of water reservoirs is not limited to digital conduits and systems. It is the fact that a massive release of water can create a flood that affects hundreds of thousands of citizens. It is important to examine the actual effects of a systematic or pinpoint-accurate cyberattack and to look beyond the information system.

    For example, a cascading failure of dams in a larger watershed would have significant environmental impacts. Hydroelectric dams and reservoirs are controlled using different forms of computer networks, either cable or wireless, and the control networks are connected to the Internet. A breach in the cyber defenses of the electric utility company leads all the way down to the logic controllers that instruct the electric machinery to open the floodgates. Many hydroelectric dams and reservoirs are designed as a chain of dams in a major watershed to create an even flow of water that is utilized to generate energy. A cyberattack on several upstream dams would release water that increases pressure on downstream dams. With rapidly diminishing storage capacity, downstream dams risk being breached by the oncoming water. Eventually, it can turn into a cascading effect through the river system which could result in a catastrophic flood event.

    The traditional cyber security way to frame the problem is the loss of function and disruption in electricity generation, but that overlooks the potential environmental effect of an inland tsunami. This is especially troublesome in areas where the population and the industries are dense along a river; examples would include Pennsylvania, West Virginia and other areas with cities built around historic mills.

    We have seen that events close to citizens’ near-environment affect them strongly, which makes sense. If they perceive a threat to their immediate environment, it creates rapid public shifts of belief, erodes trust in government, provokes vocal public outcry, and generates extreme pressure, within an intense and short time frame, for government to act to stabilize the situation.

    One such example is the Three Mile Island accident, which created significant public turbulence and fear – an incident that still has a profound impact on how we view nuclear power. The Three Mile Island incident sent U.S. nuclear policy in a completely different direction and halted all new construction of nuclear plants even today, forty years later.

    For a covert state actor that seeks to cripple our society, embarrass the political leadership, change policy and project to the world that we cannot defend ourselves, environmental damages are inviting. An attack on the environment feels, for the general public, closer and scarier than a dozen servers malfunctioning in a server park. We are all dependent on clean drinking water and non-toxic air. Cyber attacks on these fundamentals for life could create panic and desperation in the public – even if the reacting citizens were not directly affected.

    It is crucial for cyber resilience to look beyond the information systems. The societal effect is embedded in the secondary and tertiary effects that need to be addressed, understood and, to the limit of what we can do, mitigated. Cyber resilience goes beyond the digital realm.