In 1921, Italian military strategist Giulio Douhet published an essay titled “The Command of the Air,” which argued that planes would change the future of warfare, allowing armies to strike their enemies quickly and with great force, bypass traditional battlefields, attack the home front directly and destroy not just vital infrastructure, economies and homes but also the target’s morale and will to fight as civilian suffering and deaths mounted. In other words, the home front was the new war front.
This philosophy — clearly immoral in my eyes and now illegal according to the Geneva Conventions of 1949, which classify civilians and civilian infrastructure as off-limits as legitimate military targets — was widely expressed for the first time in World War II, when air campaigns targeted cities. This century-old idea is also extremely fitting in order to understand today’s emerging cyber warfare, which allows states to bypass traditional physical fighting and air warfare and strike directly at their enemies’ infrastructure, economies and civilians. The emergence of cyber warfare takes Douhet’s philosophy to the next level.
Cyberattacks can be used as a prelude, addition or substitute to physical fighting. And depending on the targets, some cyber tactics could very well be a legitimate form of conflict. A famous example of this is the Stuxnet worm, the world’s first cyber weapon, which was used in 2007 to damage Iranian nuclear enrichment equipment. But the overall lesson here is that like air power — which continues to grow more precise and powerful with the advent of drones, guided missiles and in-air refueling technology — cyber tactics will become the most powerful weapon of tomorrow for reaching an enemy directly and causing widespread damage without having to pick up a gun.
And there is not a single home front, not even Israel or the United States with the world’s most innovative weapons, that is prepared for this growing threat. Like the inhabitants of cities under fire in World War II that did not have adequate places to hide, most of today’s population is also vulnerable to damage, chaos and even loss of life from cyberattacks.
Hints of this future scenario as a prelude to kinetic war emerged from Russia’s ongoing invasion of Ukraine. Weeks before Russia invaded its neighbor, it targeted it with cyberattacks. Although these attacks were not as catastrophic as some had predicted, they show how cyber weapons can disrupt life and cause chaos, but at the same time don’t cause immediate blood or smoke or even make the identity of an attacker obvious. This allows states like Russia to slowly and quietly cause havoc for enemies without suffering immediate retaliation, therefore weakening or confusing an enemy prior to a physical attack.
As was clear from the 2021 U.S. Colonial Pipeline attack, likely by the Russian group DarkSide, cyber tactics on their own, without any military follow-up, cause extreme havoc. The Colonial attack resulted in a lack of fuel supply for airplanes and local gas stations and led President Joe Biden to declare a national emergency.
Another example of a swift and quiet cyberattack came from Iran in 2020 when hackers from the increasingly cyber-talented Islamic Republic broke into Israel’s water system to try to surreptitiously raise chlorine levels to life-threatening amounts. Fortunately, the attackers were detected and stopped.
But the pipeline and water system attacks show how states can cause severe damage to countries with strong and large armed forces from afar at the push of a button, often without being detected. As more countries, even those without large or sophisticated armed forces, are equipped with cyber tools and abilities, we will see more sophisticated sorts of cyberattacks that, like Douhet argued more than a century ago, could damage the target country’s ability to function and fight.
When cyber warfare is used along with traditional weapons, wars will become even more chaotic and destructive, especially for civilians. The possibility of injury and loss of life is real and will only become greater as nations embark on a cyber arms race.
Therefore it is obligatory for every country to evaluate its preparedness at four levels: At the national level, governments need to have a plan for responding to damaging cyberattacks, including mitigation and retaliation on the party that carried out the attack. They need to have plans for vital communication within the government and with civilians, in case regular infrastructure is not functioning. Many countries are prepared on this level for physical war. For example, Israel can deploy its Iron Dome batteries to deflect incoming missiles.
National governments should also weigh increased regulation and legislation to ensure better protection for critical infrastructure systems. In the United States, for example, several sectors must meet certain cyber standards. And it is laudable that efforts are underway to expand such requirements in the transportation, communications, water and health care sectors. But it is key that regulations be expanded to suppliers of software and services to critical infrastructure systems. Suppliers, often small businesses without robust security measures, could provide easy gateways to otherwise well-fortified and valuable targets.
At the critical infrastructure level itself, providers need to take additional responsibility and measures in addition to meeting regulations. Many of the energy and water providers, especially in the United States, are private companies, and they need to be proactive in defense and prepared for an attack. They need to hold drills and prepare contingency plans for such scenarios.
At the municipal or local level, governments need to prepare civilians to handle cyber emergencies, just as they prepare them for severe weather or other emergencies. For example, tornado and earthquake drills are held regularly at schools and businesses and public places. Municipal buildings have weather and, depending on the location, bomb shelters. Civilians are educated about what to do in these situations and are advised to keep first-aid kits and other emergency supplies at home. The same attitude needs to be taken toward preparing civilians for a cyberattack that could take down critical infrastructure or communications systems or cause outright physical threats like weapons launches, plane crashes or explosions.
Volunteer civilian response teams should be trained to respond to cyberattacks, including providing life-saving and rescue operations that could be necessary if transportation, medical or energy systems are disrupted.
Businesses also need to do their part. Every single business needs to embrace the fact it could be targeted by a state-level attacker and make sure its threat hunting and risk assessments include such possibilities. Business disruption from cyberattacks could cause shortages, safety issues and economic havoc which can all lead to public panic and wide-scale damage to society. This puts civilian commercial companies at the forefront of the safety of the home front. It is the responsibility of every company to act continuously and ensure that their systems are ready to face cyber threats.
World War II and the growing threat of aviation warfare triggered significant efforts to develop air raid sirens, shelters and aerial defense systems to protect infrastructure and civilians. The new warning systems mitigated the element of surprise in aerial attacks — an element that Douhet’s theories emphasized as integral to achieving airpower objectives. And shelters allowed civilians to defend themselves to some extent.
Similar efforts are critical today to mitigate the surprise element of a cyberattack. Similar to air attacks, surprise can result in increased damage from cyberattacks. It is the obligation of national governments, local authorities — and infrastructure providers and other companies, which ultimately serve as the route of attack — to develop the equivalent of shelters and to understand the need for immediate physical protection for civilians as a result of a cyberattack.
It is more clear than ever that we have entered the age of the cyber arms race. Every nation, local authority, critical infrastructure provider and commercial company must continuously engage in cyber defense, and a key part of that defense is preparing to protect civilian lives.
(Shmulik Yehezkel is the chief critical cyber operations officer and CISO at CYE.)