On Sarin and Cyberwar
The horror that unfolded Tuesday after the Assad regime dropped nerve gas on the city of Khan Sheikhun, Syria, was like a nightmare out of the past. Writing 100 years ago, the WWI poet Wilfred Owen described similar scenes of asphyxiated agony:
“But someone still was yelling out and stumbling,
And flound'ring like a man in fire or lime . . .
Dim, through the misty panes and thick green light,
As under a green sea, I saw him drowning…
….If you could hear, at every jolt, the blood
Come gargling from the froth-corrupted lungs,
Obscene as cancer, bitter as the cud
Of vile, incurable sores on innocent tongues….”
Those are hard lines to read. And the videos from Tuesday’s attack are hard to watch, particularly if you have a personal connection to the region, as I do (I was born in Beirut). But they are facts, tragic entries in the global register of human-on-human atrocities.
The events this week also provided a condensed view of the past and future of weapons technology. Assad’s attack on Tuesday used sarin gas, an old technology dating from 1938 (but no less horrible for being old). The U.S. response on Thursday used Tomahawk missiles, a tech dating from the 1970s. And the most instructive glimpse of what the future will hold came in the form of the (intended or unintended) symbolism of the timing of the U.S. announcement: right after President Trump’s dinner with Chinese president Xi Jinping.
The U.S. has accused China numerous times over the years of cyberespionage and hacking. In 2010, Google reported targeted attacks on its corporate infrastructure coming out of China. Since then, 34 other companies have been hacked in a similar manner, including Symatec, Yahoo and Adobe. China has also accused the U.S. in engaging in its own form of hacking.
The point is not that China is a lone bad actor in this new world of cyberwar, but that, going forward, technically sophisticated sovereign states will increasingly turn to hacking, rather than brute physical force, to achieve their aims.
But cyber attacks can cause real physical damage. One example is the Stuxnet worm, allegedly co-developed by the U.S. and Israel, which damaged Iran’s sophisticated uranium enrichment centrifuges in 2010. Imagine that being a self-driving car or your front door lock, and the threat gets more personal.
Indeed, the proliferation of internet-connected devices only increases the likelihood of such attacks. Gartner estimates that 6.4 billion IoT devices were in use last year, and by 2019 that number will be 21 billion. IoT devices, by nature, either hold or are connected to massive amounts of personal and corporate data. Despite this, IoT devices are notoriously insecure. Forrester Research noted that IoT security is in its “creation phase” and lacks established quality controls or standards.
On October 21, 2016, the DNS provider Dyn suffered the largest distributed denial-of-service (DDoS) attack in history. The attack severely impaired hundreds of Internet services, including those run by sophisticated companies like Amazon and Netflix. The source of the attack was a botnet coordinated through 100,000 Mirai malware-infected IoT devices. It turned out that the chips in these devices, many of which were made by Chinese company XiongMai Technologies, had security vulnerabilities that left them open to attack. Whether this vulnerability was a bug or a feature—whether they were purposely designed to be hackable—has still not been determined.
We live in a time of jarring contrasts, in which unprecedented human achievement shares the stage with common human barbarity (what Hannah Arendt called "the banality of evil"). The irony is that, even while we’re busy inventing the future, we’re still dragging pieces of that past along with us. The lizard brain just won’t let go.
Perhaps this dilemma is best understood as a choice, one expressed by Elliot in the TV show Mr. Robot: “I only need to press one key to run the exploit. Or I can press another and disable the entire plan.”