Old Tactics, New Targets: Unraveling Lebanon’s Pager Attacks
By Allison Pytlak • James Siebens • Shreya Lad
Thousands of pagers and walkie-talkies in Lebanon exploded in a two-day attack on September 17 and 18 that has been widely attributed to Israeli intelligence services. In quick succession, observers highlighted the potential for this operation to have been a cyberattack despite little forensic evidence. What explains this tendency to ‘cry cyberwar’ in the face of destructive sabotage operations?
While signs point to Israel as the perpetrator of these attacks, definitive attribution of responsibility is difficult. This challenge, coupled with implications for supply chain security, the weaponization of dual-use technologies, and the brief shelf life of such sabotage operations, makes this attack analogous to a kinetic-effect cyberattack. In this Commentary, the Stimson Center’s Cyber Program deconstructs some mainstream assumptions around cyber operations and hybrid war.
When the news first broke about a deadly series of explosions last week involving wireless communication devices against the Hezbollah group, headlines were chock full of references to cyber weapons and cyberattacks. In the confusion about the types of devices that were targeted, many initially assumed that the first round of explosions was triggered by malware, which was also assumed to have been implanted in the pagers. However, it soon became clear that cellphones had not been affected, and that Hezbollah’s reliance on such “old school” communications technology like pagers and walkie-talkies was itself a response to a perceived digital threat: that its cellphones were no longer secure and were presumed to have become tools of Israeli surveillance.
According to expert analyses by the BBC and New York Times based on the trigger mechanism used, the devices were carefully engineered to maximize physical damage with minimal quantities of explosives. The human cost of sabotaging civilian devices in this way – a common terrorist tactic used in the London car bombings, for example, or in attacks using improvised explosive devices, among others – cannot be overstated. At the same time, the kinetic nature of this incident is illustrative for several reasons, all of which help to dispel the myth that problems like attribution challenges, supply chain vulnerabilities, and brief shelf lives are unique to the cyber domain or make the cyber domain itself wholly distinct from other domains of conflict.
Details are still emerging about precisely what caused thousands of pagers and, one day later, hundreds of walkie-talkies to detonate. Israel is widely assumed to be responsible. However, the cyber dimension of the two incidents appears to be less consequential than first assumed, with less speculation about the role of hacking operations and cyberattacks.
Weaponizing Dual-Use Technologies and Supply Chains
First, the incident demonstrates how information and communications technology (ICT) can be weaponized. The attack was reportedly engineered through an intelligence operation that intercepted shipments of civilian communication devices (pagers and two-way radios known as walkie-talkies) and sabotaged them to create severe security risks for the end-users, presumably intended to be Hezbollah operatives. This tactic of interfering in the supply chain of civilian communications technology to introduce vulnerabilities has been used in prior Israeli operations, and concerns over data vulnerabilities were raised in the past with regard to Huawei hardware. Notably, in 1996, Israel assassinated Hamas’ chief explosive engineer, Yahya Ayyash, by remotely detonating a cellphone bomb triggered by a phone call. The dilemmas that apply to such ubiquitous, integrated dual-use (or in some cases, purely civilian) items also apply to cyber capabilities and so-called weapons, making accountability and regulation challenging.
Relatedly, last week’s attacks highlight the complexities of the ICT supply chain landscape and raise concerns about security and integrity. Investigation into this incident has revealed the involvement of actors ranging from a Taiwanese manufacturer of wireless pagers to an Israeli shell company located in Hungary and the suspected use of counterfeit products from a Japanese company, which has not distributed the devices in question or their batteries in over a decade. The distributed and interconnected nature of ICT products has long been a point of anxiety for industry and governments alike; weak spots in a supply chain open the potential for foreign adversaries to implant and later exploit vulnerabilities for espionage purposes or, as played out last week, to take more direct action that can have kinetic effects in the real world—and human costs. Supply chain security is currently ‘managed’ through a web of frameworks, standards, and methods such as bilateral agreements, national policies, and industry standards. They have varying levels of applicability depending on the actor in question, leading to gaps that can be exploited, as this incident demonstrates.
Hybrid Tactics and Attribution Challenges
The specifics of the attack also demonstrate the utility of hybrid tactics in and beyond the cyber domain. Not unlike a cyberattack, the explosions afforded the alleged perpetrators a layer of protection from definitive attribution of responsibility. While the attack has been widely attributed to Israel, including by the government of Lebanon and numerous reporters in the U.S. based on their discussions with U.S. government officials, the fact remains that Israel has not formally taken responsibility, and there has not yet been a conclusive third-party investigation into the origins of the attack. Thus, while Hezbollah has already pledged to retaliate against Israel, effectively making a political attribution for the attack, there remains a shadow of “plausible deniability” until technical (and possibly legal) attributions can be made through forensic investigation. Whether these attacks constitute a violation of international law and laws of armed conflict is unclear, although the Lebanese government maintains that the attack constitutes a violation of Lebanon’s sovereignty. A panel of UN experts also recently concluded that “simultaneous attacks by thousands of devices would inevitably violate humanitarian law, by failing to verify each target, and distinguish between protected civilians and those who could potentially be attacked for taking a direct part in hostilities.” Even if the physical footprint of the attacks can be traced to the point of origin, there is enough uncertainty to inhibit accountability or proportional retaliation.
The Poor Shelf Life of Hybrid Weapons
A frequent question has been around the timing of the operation. If the perpetrator risked being exposed, the systematically engineered operation might fail and lose its military value or escalate beyond initial calculations (consider, for instance, if one of the carriers of the sabotaged pagers had been on a commercial flight). This imposed constraints on the attackers’ timeframe: they could “use” the exploit (in this case, sabotaged electronic communications devices) in a less-than-ideal scenario and achieve some of their military objectives, or “lose” the opportunity when it was exposed and achieve none of their objectives while alerting the target to their capabilities. Most actors would rationally choose to use their capability, increasing their risk tolerance and the chances of collateral damage. This makes it crucial to tighten the security and integrity of civilian and dual-use technologies and their supply chains since hybrid perpetrators are likely to be more risk-tolerant if they encounter the ‘use it or lose it’ dilemma.
Major instances of the successful deployment of a “cyber weapon” are often framed by this dilemma, making the timing and context particularly instructive. Early advancements in telecommunications were influenced by considerations around information operations. Not unlike Hezbollah’s efforts to build resilience and avoid surveillance by switching to analog devices, the United Kingdom (U.K.) was reluctant to upgrade from cables to wireless radio, since radio communications were easy to intercept. The U.K.’s rival Germany had to make a choice between intercepting and exploiting British radio communications for espionage or severing and destroying submarine and underwater cable lines (and thereby losing access to enemy communications), whereas the U.K. severed all but one German subsea cable and tapped it for surveillance. Across time and space, intelligence operations have been framed by the dilemma of “use or lose,” and specifically, a choice to exploit enemy technologies for surveillance, or sabotage.
While it remains unclear if this was the case in the attacks on Hezbollah, early reporting indicates that it was likely a factor. Even if timing mattered, it is impossible to know why or what the ideal scenario was, or what led to this sequence of events. It is thought that cyber capabilities alleviate some of these constraints by avoiding irreversible kinetic impacts. Most exploits are easy to fix, and there are ways to collect intelligence and destroy critical data or information without losing access to networks. Even so, cyberattacks are not necessarily replacing hybrid tactics despite their theoretical advantages, allaying fears that the Hezbollah pager attacks signify a turning point in cyber warfare.
The Tendency to See ‘Cyber’
In the first week of analyses around the confounding kinetic effects of an ostensibly cyber-enabled attack, there was a tendency to draw implications for all Internet-linked devices, such as smart appliances, heralding a “new era in sabotage.” Observers cautioned about the advent of a new period in cyberwarfare, pointing to the “first and frightening glimpse of a world in which ultimately no electronic device, from our cellphones to thermostats, can ever be fully trusted,” as suggested by a former member of the National Security Agency. David Sanger, a veteran correspondent for the NYT and author of The Perfect Weapon, admonished mainstream concerns by highlighting the difficulty of conducting attacks as sophisticated as this one, and the fact that it did not introduce a novel threat vector.
Despite such nuance in mainstream discourse, the paradigm for evaluating hybrid tactics that use ICTs or networks is still two-dimensional. Shorter shelf lives, difficulties with assigning responsibility to actors, and a reliance on dual-use items are characteristics traditionally associated with cyber capabilities and “cyber warfare” and are often used as a checklist of qualifiers for a cyberattack. While these problems tend to be pronounced in cyber conflict, they are by no means exclusive to cyberspace and have preceded modern ICTs, as discussed above. That such problems bedevil other global threats also lends credence to the idea that cyber capabilities and the cyber domain are not wholly unique, nor are they aspects of modern conflict that transcend (inter)national laws and norms of state behavior.
Cyber War (Still) Isn’t Here
There are numerous successful cyber operations every day that do not lead to the kinetic damage, loss of human lives, and disruption that were seen in the aftermath of the pager attacks in Lebanon. Yet, the cyber domain is often seen as a transcendent, lawless, and ungovernable space where arms control or risk reduction approaches cannot be achieved and should not be attempted. The resulting theory about cyber capabilities has influenced perceptions of any operations that include aspects traditionally (and uniquely) associated with cyberspace—reproducing the idea that everything that qualifies must be a cyberattack, and cyberspace must therefore be unique. Dispelling these notions and demystifying cyber operations to study them within the requisite historical and geopolitical context is urgent and important, as evidenced by the events in Lebanon last week.