The coming theatre of jiu-jitsu international conflict
May 13, 2024

Jiu-jitsu is a martial art in which one leverages one’s opponent’s strength in order to subdue them. It is increasingly likely to become the predominant mode of international conflict in the future. It will deploy the adversary’s greatest strength, its internal network of digital interconnections, as a wrecking ball. It is difficult to know if this will be a less destructive or more destructive form of international combat. We need to think carefully about this.
In 2007, U.S. President George W. Bush was under pressure from Israel and its powerful U.S. backers to do something to stop Iran from producing weapons-grade uranium at its Natanz nuclear facility. Diplomacy hadn’t worked. A second option was to allow Israel to launch an airstrike on the plant, as it did on an Iraqi nuclear reactor that was under construction in 1981. But Bush was told that such a strike could push oil prices way up and draw American troops into a conflict.
It was director Keith Alexander of the U.S. National Security Agency, the NSA, who proposed a third alternative. Weapons-grade uranium is produced from uranium ore by removing its less fissionable isotopes, leaving a high concentration of highly-fissionable U-235. The method of removal is to spin the uranium ore in centrifuges to separate isotopes with different densities from each other. Iran’s Natanz facility was operating thousands of these centrifuges. Alexander proposed a cyberattack that would take control of the computers operating Natanz’s centrifuges, and send them spinning at dangerous rates of speed that could damage or destroy them.
Such an attack did take place in late 2009 or early 2010. It did successfully damage Iran’s centrifuges, setting back its weapons-grade enrichment program.
Unfortunately, although the cyberattack’s computer worm was expertly designed to surgically target only Natanz’s centrifuges, the worm escaped Natanz’s computers and spread worldwide. It became known as “Stuxnet” and caused problems with computer systems throughout the world, far beyond its original Iranian target.
This story is retold in an important book, “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race”, by Nicole Perlroth, The New York Times’s cybersecurity reporter. Although the book was published in 2021, and was shortlisted for the Financial Times Book of the Year award, it has not received the attention it deserves. It has perhaps been eclipsed since then by the furor over artificial intelligence (AI), amid warnings that AI will kill us all – a less likely eventuality than cyberwar, unless the two are combined to disastrous effect.
A nuclear weapons attack on a country is unlikely to disable its entire electric grid. But a cyberattack could do it. It could shut down a nation’s entire grid, or a large region of it, depending on how interconnected the grid is. And if it were to do so, it could cause a near-stoppage of the economy.
In the age of the “internet of things” the damage that could be done by large-scale and small-scale cyberattacks is virtually incalculable. People are able to turn on their coffeemakers, and many other household implements, remotely. We know that individual people can be assassinated by drones. But a well-designed cyberattack that turns on a domestic appliance, temperature setting or water supply setting, or even an automobile, and sends it out of control could be an alternative way to target individuals for assassination or blackmail. And of course, manufacturing processes and large-scale industrial equipment are all, in advanced technological countries, run by networked computers. These are all vulnerable to cyberattacks, which would for the most part be easier to carry out than the attack on Iran’s centrifuges. And that is not even to begin to contemplate attacks on the country’s military facilities and equipment.
The process by which cyberattacks – and defences against cyberattacks – are designed and carried out is the subject of most of Perlroth’s book. In this process’s drama the main actors are independent hackers, hackers working for governments (especially their national security agencies), and computer software manufacturers.
The whole process depends upon backdoors in computer software that have not been patched by the software maker and allow hackers entry into the software. These backdoors are, rather oddly, called “zero-days”. (Perlroth says the reason for this appellation is that “as with Patient Zero in an epidemic, when a zero-day flaw is discovered, software and hardware companies have had zero days to come up with a defense.”)
There is a gigantic market for zero-days. When a hacker (generally an individual or hacking operation) discovers a zero-day – a flaw in software made by Microsoft, Apple, Adobe, Meta, Google or any one of a number of other software manufacturers – the hacker has options. Originally, hackers simply informed the software maker of the problem. But this sometimes resulted in the software maker suing the hacker, which made hackers reluctant to share their discoveries.
But then they discovered that these zero-days have value. And what value. A very big zero-day (such as one that enables a cyberattacker to take control of someone’s smartphone) can be sold for as much as millions of dollars, especially if it can do it without the smartphone user’s knowledge. Smaller, less consequential ones can sell for hundreds or thousands of dollars. The buyers are, in the main, governments, in the form of their national security agencies.
The buyers have the option to use the zero-days for offence or defence. If the buyer believes it knows much more about zero-days than its adversaries – as the United States did for years until it realised that hackers associated with the governments of Russia, Iran, North Korea, and China were keeping pace with it or ahead of it – then it will keep the knowledge of the zero-day to itself and reserve it for use in an offensive action, like the cyberattack on Iran’s centrifuges. But if it fears that adversaries already know about the zero-day or could soon know about it, it will take defensive action by privately informing the relevant software manufacturer and asking them to patch it.
It is nearly impossible to guarantee that all software used by major software companies and their many third-party providers will be perfectly secure. Zero-days will always be available to be found and exploited. This means that cyberwarfare will be a continuing feature of modern international conflict. When, sometime perhaps in the near future, a major cyberattack is launched on a country that does truly severe damage, we will all suddenly become aware of it and it could even displace AI in our pantheon of potential disasters.