In 2012, the New York Times’s David Sanger broke a bombshell story detailing a joint US-Israel cyber attack on Iran that undermined its nuclear enrichment facilities. The computer virus, dubbed “Stuxnet,” disabled 1,000 of Iran’s 5,000 centrifuges at the time.
In 2014, a Chinese hacking group, known as Unit 61398, penetrated the computer networks of major US companies like Westinghouse and US Steel in order to loot trade secrets. This was one of numerous such attacks by Unit 61398.
In 2016, Russian government hackers gained access to Democratic National Committee computer networks, stole sensitive information, and systematically leaked it in an effort to damage Hillary Clinton’s presidential campaign.
And just a week ago, the Washington Post reported that the United Arab Emirates had hacked various Qatari government social media accounts, sparking one of the most dangerous diplomatic crises in the Middle East in decades.
A new book, The Darkening Web, argues that stories like these are going to become more and more common as countries seek to project power in cyberspace. The author is Alexander Klimburg, a program director at the Hague Centre for Strategic Studies and an adviser to several governments and international organizations on cybersecurity strategy and internet governance.
Klimburg games out a few possible futures for the internet. One of them is apocalyptic: Imagine the world’s major powers unleashing malicious code on one another, irreparably destroying vital infrastructure. Another is an Orwellian world in which the internet has become a tool of subjugation, monitored and restricted by state powers. Still another possibility is that the internet remains free, controlled by non-state actors, and a wondrous instrument of global connection.
It’s hard to say which of these scenarios is most likely. For Klimburg, it’s a matter of mobilizing concern now before it’s too late. “Ultimately,” he told me, “it will take the attention of the free society that built the internet to save it.”
Have we lost control of the internet?
I don’t see the internet as a fumbling, evil machine that’s out of control. What I think is it’s more like a man-made ocean that suddenly just became deeper and more complex than we previously envisioned. It’s still an overwhelmingly positive development and one of the greatest human inventions ever.
What I am concerned about is the direction it might take if we continue down a route we’ve embarked on in the last couple of years, particularly the last year or two, in which, effectively, we are increasingly asserting government influence over the internet. The internet was originally intended as a non-state domain, run by a multitude of different actors that balance each other out and prevent one group from taking over and gaining control.
You mentioned government influence just now, and your book is largely about cyberwarfare between countries. Why are you worried about this?
Well, the worst-case scenario is a no-holds-barred exchange of every single malware kit (software that identifies vulnerabilities in computers in order to upload and execute malicious code) we’ve developed entering into cyberspace, and the worst possible outcome is not simply that the lights go off and then you go and you flip on the generator and it’s back again. It’s that the infrastructure is destroyed irreparably and cannot be reconstituted.
A serious cyberattack could burn out the power transmitters and utterly decimate vital infrastructure. If this were to happen, we would not be able to reconstitute our infrastructure because there would be no way to build it, and we’d have to rely on other parts of the world delivering generators to get us started.
A full-scale cyberattack could be the functional equivalent of a massive electromagnetic pulse or a solar flare that totally shuts down all of our electrical systems, only it would be a man-made disaster.
Is the ability to execute a cyberattack like this widely shared among major powers?
It’s hard to tell because we don’t know to what extent they’ve invested in acquiring these capabilities. We know only that it’s theoretically possible given the right intent and focus. We know that the US has these capabilities, and we can be reasonably sure that other major powers do as well.
Are there any critical institutions or systems that aren’t on some level completely vulnerable to cyberattack?
No is the short answer. You can’t simply disconnect from the internet — it doesn’t work like that. Anything that uses internet technology is connected to an internal network. Once you’re in the internal network and you can jump from device to device, it doesn’t matter if you’re connected to the global internet or not. Every single device, even down to tractors in agriculture, which these days are increasingly controlled via the internet itself, [is] suspect to being hacked.
You lay out all of these ways in which the internet could be used to upend civilization, and yet the book is also a plea to resist efforts to restrict what can be done on it. Why?
The internet has been an incredible boon to mankind, both in terms of our liberties and also in terms of our productivity. But we’ve taken it for granted. This is really what my book’s about. We’ve got to stop taking it for granted, because the internet doesn’t obey fixed laws. There’s no gravity in cyberspace except the gravity that we say exists.
That’s why I’m increasingly concerned that if we cast the security threat that comes from the internet in such stark terms, then we’re simply advancing the narrative of those powers that want to put an internet that is run by a multi-stakeholder galaxy under more centralized control in order to simplify the problem. But we should be very wary of any attempt to do this because it will only further the interests of undemocratic powers.
That’s a fair point, and I certainly agree that so far the benefits of the internet far outweigh the costs, but I wonder if we’ll still feel that way in 10 or 20 years.
That’s a valid question. I think it depends on whether the internet maintains its status as a global commons, free from singular control. That’s what my book is dedicated to. I want people to understand that this man-made domain, like finance, touches every part of our life. If the internet gets undermined by special interests or corporations, if governments are allowed to militarize cyberspace, the internet will become something different.
But haven’t governments already militarized cyberspace? Aren’t we having this conversation precisely because the internet has changed?
That’s certainly partly true. I’m worried that the governments of the world are turning the internet into a domain of security and fear. If we continue along this path, then that’s what it will become: a domain of fear and control. We can already see what this looks like in countries like China and Russia, and it’s what will happen in democracies too if we allow it.