'The Great Tech Game' excerpt: No global consensus on whether and when cyber-incidents constitute an act of war

(Representational image) Cyberattacks have been increasing in frequency and scope. (Photo: Tim Kabel via Unsplash)

The centre of power in the world is shifting once again. And India Internet Fund managing partner Anirudh Suri argues in his new book - The Great Tech Game: Shaping Geopolitics and the Destinies of Nations - that technological advancement will have everything to do with which countries emerge on top.

Sample the first line of Part One of the book, launching today: "The future of our world will be determined by the choices we - as a species, as nations and as citizens - make about technology in the coming decades."

Having spelled out what's at stake, Suri looks at the arenas in which this game will be played out: from setting industry standards to cyber attacks.

Excerpted below is a section from chapter 8: "The Golden Age of Cyberespionage":

New incidents: Cyberattacks

Cyberattacks have been increasing in frequency and scope. Just in the last decade or so, the key incidents in the cyber-domain have included attacks in Estonia, Georgia, and Ukraine, the Snowden leaks, WikiLeaks, the Shadow Brokers theft of NSA cyberweapons, the allegedly US–Israeli-led Stuxnet attack on the Iranian centrifuges and on the North Korean-built Syrian nuclear facilities, and the NotPetya attack. Most incidents have either been Distributed Denial of Services (DDoS) attacks or ransomware incidents.

The incidents are not always attacks. In some cases, like the Shadow Brokers incident, the hacker group Shadow Brokers actually stole secrets from the NSA and published information about major vulnerabilities in Cisco routers, Linux mail servers and Microsoft software (including most prominently the NSA hacking tool known as EternalBlue). In the months that followed, several other hacker attacks relied on EternalBlue, including a major ransomware attack known as WannaCry.

Source: Table 8.1. Anirudh Suri, The Great Tech Game (HarperCollins, Feb 2022), pp. 263-64.

In May 2021, in one of the largest, most prominent cyberattacks on critical US infrastructure, a ransomware attack on Colonial Pipeline, a top US oil pipeline operator, forced it to halt systems for its 5500 miles of pipeline for several days. Given Colonial’s pipelines carry around 45 per cent of the US East Coast’s fuel supplies across to fourteen states, the disruption caused chaos across gas stations in many states. The US Federal Bureau of Investigation (FBI) issued a statement confirming that DarkSide, a criminal ransomware gang, was behind the cyber-extortion attempt. Eventually, after several days of being unable to get its main systems up and running, Colonial Pipeline had to pay roughly $4.4 million in cryptocurrency to the attackers who were holding its computer systems hostage. (Later, the US Justice Department would state that it had recovered over half of that ransom amount).

Around the same time as the attack on Colonial Pipeline, a US-based meat company allegedly paid a ransom of $11 million after a similar attack caused a shutdown of plants that process roughly one-fifth of the US’s meat supply.  Earlier, in February 2021, a water treatment plant in Florida had been attacked, while a major (allegedly) Russian attack earlier on Texas-based SolarWinds, a technology company, had led to the US imposing sanctions on Russia. All these incidents showcase not just how sophisticated the attackers are but also the incredibly dangerous impact these attacks can now have on the economy and lifelines of a country, whether it be food, electricity or fuel.

A blind spot for most countries

Unlike nuclear weapons, whose development and conditions of use were debated heavily in the public realm, especially after their first use in World War II, the same has not happened yet for cyber weapons. Geopolitical analysts lament the ‘absence of the kind of grand strategic debates surrounding cyber that dominated the first nuclear age’.

Much like any other technological change, the capabilities in the cyber domain are also evolving and growing so rapidly that governments and citizens are unable to understand what’s happening, much less come together to devise a coherent strategy or response. As David Sanger explains, ‘Rarely in human history has a new weapon been adapted with such speed, customized to fit so many different tasks, and exploited by so many nations to reshape their influence on global events without turning to outright war.’

One of the reasons for this has been the secretive, invisible nature of the weapons. Countries and governments, especially the intelligence and military agencies who have been managing the cyberweapons, have been very reticent about their capabilities, choosing instead to only highlight the attacks that they have been the victims of. When the United States engages in cyberattacks, they’re called ‘cyber network exploitations’, but when Americans are the targets, they are called ‘cyberattacks’.

Cyber weapons also ‘come in many subtle shades, ranging from the highly destructive to the psychologically manipulative’. Many governments have until recently focused on the cyberthreats with the highest destructive potential, such as threats to nuclear installations. But it is the ‘dialled down cyber weapons’ that are being used daily by nations ‘not to destroy an adversary but rather to frustrate it, slow it, undermine its institutions, and leave its citizens angry or confused’.43 These are the harder ones to protect against, as they are employed in ways that do not cross the threshold that would lead to retaliation.

In any case, there is still hardly any agreement or consensus in the international community on whether and when cyber-incidents constitute an act of war, a terrorist attack or mere incidents of cyber-espionage or cyber-vandalism. Governments, in any case, often just deny the attacks ever took place. For example, reports suggested that in the midst of the tense border clashes between India and China in May 2020, a Chinese government-linked hacker group, RedEcho, had targeted India’s critical power grid system. This malware attack caused a major power outage in India’s financial capital, Mumbai. However, the Indian power ministry denied any such attack. While the India–China clashes were considered a military conflict, it is unclear how the Indian government would have internally categorized the malware attack.

As the Colonial Pipeline and the SolarWinds attacks have demonstrated, the vulnerabilities are expanding rapidly as well, given the increased digitization of all societies, corporations, infrastructure and governments. As Rob Joyce, the first cyber czar appointed by US President Donald Trump in 2016, explained, ‘so much of the fabric of our society rests on the bedrock of our IT. We continue to digitize things; we store our wealth and treasure there; we run operations; we keep our secrets all in that cyber domain.’

The implications for this lack of general consensus are manifold. For one, many governments and leaders have been experimenting with ‘short-of-war aggression’. Most countries’ frequent denials of attacks, lack of transparency about their cyber-capabilities, and unwillingness to accept some constraints have made it impossible to even begin the process of negotiation of widely accepted norms of cyber-behaviour.

Though nations benefit from this strategic ambiguity in that it helps them buy time while ‘stretching both technological and normative boundaries’, yet this state of uneasy equilibrium is quite risky and unprecedented. Even minor cyberattacks could end up escalating into serious disasters. As a recent report by the Carnegie Endowment for International Peace pointed out, cyber operations or attacks, whether by China against the United States, or vice versa, can easily provoke countries and escalate sharply into a conventional or nuclear war, even if one or both countries actually desired to avert such a disaster.

Excerpted with permission from HarperCollins India from The Great Tech Game: Shaping Geopolitics and the Destinies of Nations by Anirudh Suri; hardback Rs 799; 556pp.