When a U.S. Navy surveillance drone was shot down over the Strait of Hormuz on June 20, the U.S. blamed Iran. The commander of Iran’s Islamic Revolutionary Guard Corps (IRGC) said his country was “ready for war,” and President Donald Trump responded by declaring that Iran had made a “very big mistake.” Around the world, observers worried that the two countries were headed for battle. In a sense, however, they were already at war.
Also on June 20, the U.S. military conducted a Trump-approved cyberstrike on Iran-linked computer systems, U.S. officials say; two days later, the Department of Homeland Security reported it had seen a “rise in malicious cyber activity” directed at U.S. industry by hackers with Tehran ties. These were the latest moves in a rapidly escalating cyberconflict that is proving to be a test run in the future of war. Compared with a potential military clash over the drone’s destruction, the little noticed computer skirmish may seem reassuring. But if it was an off-ramp from the highway to airstrikes and invasion, it also posed new dangers of its own.
There are no international rules governing digital conflict; tracing attacks is notoriously difficult, and targets can include industry, infrastructure and ordinary citizens. “There is not even an agreed-upon definition of what constitutes a cyber ‘act of war,’ assuming the term itself is still relevant,” former U.S. Director of National Intelligence James Clapper tells TIME. The U.S. has powerful capabilities in this new area. Military hackers and coders at Fort Meade, Md., maintain a long list of potential targets. The command, created in 2009, has played a larger role in war planning since the Trump Administration granted commanders new authority and Congress quietly issued a declaration defining online operations as a traditional military activity.
The U.S. military refused to comment on the latest offensive, after Yahoo News first reported that hackers with U.S. Cyber Command had taken aim at computers belonging to a spy group connected to the IRGC. Subsequent reports revealed U.S. attacks on networks belonging to a proxy militia and military missile-launch systems. But Iranian officials said they failed, and cybersecurity firms say Tehran-linked hackers retaliated by increasing attacks on U.S. networks.
Such attacks have been going on for more than a decade, mostly for espionage. But cyberacts hold potential for physical destruction. It is believed that the U.S. and Israel teamed together on a cyberattack in 2010 that briefly disabled spinning centrifuges at a uranium-enrichment facility in the Iranian city of Natanz, and in 2016, a grand jury in the Southern District of New York indicted an Iranian, Hamid Firoozi, for hacking into the control system of a dam near New York City. A 2018 report by Collin Anderson and Karim Sadjadpour of the Carnegie Endowment for International Peace described the evolving risks, noting “legitimate reasons to be concerned” that Iran is readying for a world in which such actions are part of its wartime toolbox.
The U.S. is worried that those preparations are about to pay off. Since it walked away from the 2015 six-nation deal to curb Iran’s nuclear-weapons program, the Trump Administration has continued to ratchet up its “maximum pressure” campaign against Tehran, imposing ever tougher economic sanctions. That, experts like Georgetown University professor Trita Parsi say, prompted Iran’s latest series of attacks on shipping in the Persian Gulf. As the U.S. runs out of economic pressure to apply and Trump balks at the costs of a new military conflict in the Middle East, cyberspace seems like the inevitable next arena of conflict.
For now, the costs of cyberwar have gone largely unnoticed. But a series of ransomware attacks, in which hackers lock their victims out of computer networks until they pay up, have stung the U.S. A recent breach cost the city of Baltimore $18 million to regain control of its data, and attacks on institutions such as hospitals, schools and local police endanger public safety.
As threats increase, so do efforts to establish rules akin to those governing armed conflict. For years, U.N. officials have worked to establish a sort of cyber–Geneva Convention to protect civilians from state-sponsored cyberattacks. After all, while digital warfare may keep troops safe from combat, shutting down an adversary’s infrastructure or communications could affect hospitals or aid organizations, and not just in the target country. But world powers haven’t yet taken concrete steps toward a comprehensive agreement. Sergio Caltagirone, a vice president at cybersecurity firm Dragos, said that’s unlikely to happen until a catastrophic event forces them to the negotiating table. In the meantime, he says, there’s a greater risk of “harm to civilian lives and livelihoods.”
What push there has been for rules and norms–to define acceptable behavior and the types of targets allowed–has so far been stymied by “more aggressive strategies carried out by the world’s powers,” says Peter W. Singer, a co-author of LikeWar, a book on the weaponization of social media. “Until that effort is taken up again, it’s essentially a free-fire zone online.”
This appears in the July 08, 2019 issue of TIME.