The debate over Iran’s nuclear programme heated up over the summer, with advocates for a military strike against Tehran at loggerheads with analysts calling for a diplomatic resolution. Unknown to many of them at the time, a computer virus, likely written by a government, was moving quickly around the globe, infecting specific computer systems at nuclear plants.
“An electronic war has been launched against Iran,” Mahmoud Liaii, a top official in Tehran, was quoted as saying in September, after the country confirmed the worm infected its systems.
By the time he reacted, a technology firm in Bulgaria had already exposed the existence of what became known as the Stuxnet virus, and Siemens, the German company which made the targeted systems, was working on a fix.
Experts believe the virus had likely been around since 2009, sliding under firewalls undetected.
Stuxnet alerted the world yet again to a recurring problem which was brought to the international forefront in 2000, when a virus with the enticing message, “I love you”, caused billions of dollars in damage around the world.
Two Philippine students, using equipment worth less than $1,000, were behind that attack and were later set free after authorities realised they had violated no law.
Since then, viruses have become subtler, faster, more aggressive and harder to trace, while the nascent rulebook is still weak.
“We are not looking at threats in a traditional sense. It is not business as usual,” said Alex Ntoko, who heads up the International Telecommunications Union’s (ITU) Corporate Strategy Division. “Any individual who can write code is a potential superpower.”
Consultants suggest that even the technological heavyweights have been lax in the cyber world.
Israel only recently began to limit its soldiers’ access to the web when they were on military computers – years after the first top-secret documents accidentally entered the public online domain.
Earlier this year, Noah Shachtman, writing for the Progressive Policy Institute, noted that the Pentagon was looking to ban access from its computers to social media sites, seeing no other way to ensure confidentiality, even as it kept secret data flowing through unencrypted networks.
The US and Israel are the prime suspects in the Stuxnet virus. But they are not the only countries believed to be engaging in dirty programming wars.
China ran afoul of the US and its private sector behemoths, including Google, on various occasions in the last eight years, accused of numerous hacks. North Korea has been charged with trying to overload or disrupt Western networks.
And the Georgian parliament’s website was embarrassingly hacked in 2008, during the country’s brief and disastrous war with Russia.
“In Georgia, we saw a case that might have been an example of cyber war, but only because it occurred at time of declared war. But Georgia never followed it up as such,” said Eneken Tikk, the legal adviser to the CCD COE, a cyber research unit accredited to NATO.
For now, though, cyber war and its legalities remain theoretical.
In 1863, modern warfare established its first rules. Over the years, new technologies were used on the battlefields and the agreements morphed into the generally accepted laws of war laid out in the Geneva Convention.
The International Committee of the Red Cross (ICRC) believes the rules were created by open-minded people.
“International humanitarian law applies to any new technology. It doesn’t matter that the technology was not dreamed of by the founders,” says Robin Geiss with the ICRC’s legal team.
Geiss recently attended the Bruges Colloquium in Belgium, where military specialists, lawyers and tech gurus gathered to discuss legislation on cyber-warfare, the military use of outer space, drones and automated weapons systems.
“We traditionally dealt with kinetic violence, meaning that we saw the damage right away. With cyber, it is more clandestine and may not be immediately visible,” he explained.
But the rules of attack still apply. Which means the launcher of a virus must differentiate between civilian and military targets. Failure to do so could be tantamount to a war crime.
A cyber attack “is not just about inflicting harm on a computer but harm on critical infrastructure”, said Ntoko at the ITU. Power grids, water networks, railway tracks are all online in some form.
Last month, in the first ever public appearance by a head of the British secret services, Sir John Sawyer laid out his outlook.
“It’s more than obvious that the dangers of terrorism, nuclear proliferation and cyber attack are not much impressed by international borders,” Sawyer said.
Ntoko believes this borderless threat requires a UN-brokered treaty to regulate the networks.
However, extreme differences still remain between major powers.
For example, officials in Washington have seen Moscow’s proposals for an international treaty as efforts to ensure control rests in the hands of governments, placing restraints on the internet.
“The discipline is too immature to push for international consensus,” said Tikk, the lawyer.
In the meantime, rights groups in the West are worried about privacy. US officials have admitted that the top-secret National Security Agency was “over-collecting” information on citizens.
The balance between security, liberty and humanitarian checkpoints in the cyber world is not easily reached, experts warn.
The people at the Red Cross hope that safeguards, at least, can be put in place before hostilities rage, to ensure protection for the weakest: civilians who suffer first and harshest in any war.