The History of Cyberwar: When Code Became a Weapon
Summary
On June 17, 2010, a Belarusian antivirus company found a piece of malware on an Iranian customer’s computer. It was unlike anything security researchers had seen: four zero-day exploits, a rootkit signed with stolen digital certificates, and targeting logic so precise that it did nothing at all on computers that did not match a specific industrial configuration. Stuxnet was the proof of concept that militaries had been developing toward for two decades: a cyberweapon that caused physical damage to critical infrastructure without firing a shot. Since Stuxnet, the doctrine, institutions, legal frameworks, and operational precedents of cyberwar have developed at a pace that treaty negotiation and international law cannot match. Every major power has offensive cyberwarfare capability; most have used it; and the world has not yet agreed on what constitutes an act of war in cyberspace.
The Theoretical Foundation: Information War Before the Internet
Military thinkers identified information as a decisive dimension of warfare long before computers made it a practical domain. Sun Tzu’s observation that supreme excellence consists in breaking the enemy’s resistance without fighting describes, in abstract, what cyberwarfare achieves: imposing costs on an adversary through means that fall below the threshold of kinetic military action.
The U.S. Air Force began developing formal information warfare doctrine in the early 1990s, following the Gulf War’s demonstration that precision-guided munitions could destroy command-and-control infrastructure while avoiding civilian casualties. The 1996 report “Information Warfare: Legal, Regulatory, Policy and Organizational Considerations for Assurance” (Air Force Information Warfare Center) described offensive information operations as a legitimate military instrument alongside kinetic weapons. National Security Presidential Directive 16 (2002, classified) established U.S. policy for offensive cyberoperations.
John Arquilla and David Ronfeldt of RAND Corporation published “Cyberwar is Coming!” in 1993, coining the term for the academic and military policy community. Their concept encompassed both attacks on enemy information infrastructure and broader “netwar” — the use of networked communications by non-state actors for political and military purposes. The framework proved prescient in ways neither the authors nor their intended audience fully anticipated.
The First Cyberwar Incident: Eligible Receiver and Moonlight Maze
Operation Eligible Receiver (1997) was a classified NSA exercise in which teams of NSA hackers, using only publicly available tools and techniques, simulated attacks on U.S. military and civilian infrastructure. They penetrated the Pacific Command’s power grid, 911 systems, and military command computers. The exercise was classified at the time and revealed publicly only years later. Its internal impact was significant: it demonstrated to military leadership that the U.S. was more vulnerable than assumed.
Moonlight Maze (1998–1999) was the first confirmed nation-state cyber-espionage campaign against the United States. Russian hackers spent approximately two years systematically extracting data from Pentagon, NASA, Department of Energy, university research labs, and defense contractors — hundreds of gigabytes of classified technical information. The attribution to Russia was confident within government but not publicly stated at the time; the Russian government denied involvement. Moonlight Maze established the pattern of sustained, quiet intelligence collection through cyber means that would define state-sponsored espionage for the following decades.
Levels of Cyber Conflict
Security analysts distinguish three levels of cyber conflict:
- Cyber espionage: Intelligence collection without disruption — the dominant activity of most state actors, occurring continuously.
- Cyber sabotage: Disruptive or destructive attacks on systems or infrastructure — threshold operations that may or may not constitute acts of war.
- Cyberwar: Integrated cyber and kinetic operations in the context of armed conflict — the conceptually clearest category, demonstrated in the Russia-Georgia war (2008) and the Russia-Ukraine conflicts.
Most of what is called “cyberwar” in media reporting is cyber espionage. True cyber sabotage against critical infrastructure has occurred but remains rarer than the terminology suggests.
Estonia (2007): The First Test of Collective Cyber Defense
In April 2007, the Estonian government relocated a Soviet-era war memorial — the Bronze Soldier of Tallinn — from the city center to a military cemetery, provoking riots among Estonia’s Russian-speaking minority and a diplomatic conflict with Russia. Within days, a coordinated distributed denial-of-service (DDoS) attack knocked Estonian banking, government, and media websites offline. The attacks lasted three weeks, adapted to Estonia’s attempts to filter the traffic, and were attributed (without conclusive evidence at the time) to Russian nationalist groups with possible state support.
Estonia, one of the most internet-dependent societies in the world (“e-Estonia” had pioneered digital government services through the 1990s), faced a proportionally severe impact. The incident prompted Estonia to host NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, which became the primary NATO body for developing cyberwarfare doctrine and produced the Tallinn Manual — the most authoritative attempt to apply existing international law to cyberoperations.
Georgia (2008): Cyber Operations Alongside Kinetic Warfare
The brief Russia-Georgia war of August 2008 was the first conflict in which cyberoperations were conducted in coordination with conventional military action. Russian-aligned hackers took down Georgian government and media websites, including the president’s site, simultaneously with the conventional invasion. The cyberoperations were relatively unsophisticated by later standards — mostly website defacements and DDoS attacks — but their timing and coordination with kinetic operations demonstrated that cyber capabilities had been integrated into Russian military planning.
The Georgia operations also illustrated cyberwar’s asymmetry: Russia’s kinetic military superiority was overwhelming, making the cyberoperations more symbolic than militarily decisive. Against a more capable adversary, or against one whose society was more digitally dependent, the effect would have been larger.
Stuxnet (2010): The First Cyberweapon
The Stuxnet operation — code-named Olympic Games by the U.S. government and jointly operated with Israel — was operationally active from approximately 2007 to 2010. The target was Iran’s Natanz uranium enrichment facility, specifically the Siemens S7-315 programmable logic controllers driving centrifuge cascades. The objective was to damage centrifuges in a way that would appear to be mechanical failure, setting back Iran’s enrichment program without a kinetic strike that would invite retaliation.
Stuxnet’s technical sophistication was unprecedented:
- Four zero-day exploits in Windows, used to spread via USB drives and network shares to reach air-gapped industrial control systems.
- Rootkit functionality that hid the worm’s files and registry entries from detection tools.
- Precise targeting logic that verified the specific Siemens controller configuration before activating its payload — systems that did not match were infected but remained dormant.
- A PLC payload that commanded centrifuges to spin at destructive speeds while feeding falsified sensor readings to operators.
Approximately 1,000 centrifuges at Natanz were damaged. Iran’s enrichment capacity was set back by an estimated one to two years. The operation was revealed publicly in 2010 when Stuxnet spread beyond its intended target (via a programming error) to industrial computers worldwide, where security researchers discovered and analyzed it.
The Obama administration confirmed U.S. involvement in 2012. David Sanger’s reporting for The New York Times and his book Confront and Conceal (2012) provided the first detailed public account. The operation established several precedents: that cyberweapons capable of physical destruction existed and had been used; that the U.S. and Israel were willing to use them in gray-zone conflict; and that cyberweapons, once used, could spread beyond their intended targets.
The Snowden Revelations (2013) and the Scope of NSA Collection
Edward Snowden, an NSA contractor, leaked approximately 1.7 million classified documents to journalists Glenn Greenwald and Laura Poitras in 2013. The revelations documented:
- PRISM: NSA access to user data from Google, Microsoft, Facebook, Apple, Yahoo, and other major internet companies.
- Upstream collection: NSA collection of internet communications as they passed through the physical infrastructure of internet backbone providers.
- XKeyscore: An NSA tool for searching through collected internet communications.
- Tailored Access Operations (TAO): NSA’s offensive hacking unit, which had penetrated thousands of foreign computer systems.
- MUSCULAR: Joint NSA-GCHQ collection of data from Google and Yahoo’s private cloud connections.
The disclosures were operationally damaging (revealing collection methods and targets) and diplomatically significant (revealing surveillance of allied leaders, including German Chancellor Angela Merkel). They prompted the USA FREEDOM Act (2015), which limited some domestic collection authorities, and in the same year led the European Court of Justice to invalidate the EU’s Safe Harbor framework, citing the Snowden-revealed surveillance as evidence that U.S. data protection was inadequate. The replacement frameworks (Privacy Shield, invalidated 2020; Data Privacy Framework, 2023) have been repeatedly challenged on the same grounds.
NotPetya (2017): Cyberwar as Economic Weapon
The NotPetya attack of June 27, 2017, attributed by multiple governments including the United States, United Kingdom, and Australia to the Sandworm team of Russia’s military intelligence agency (GRU), caused an estimated $10 billion in damages — the costliest cyberattack in history. NotPetya was initially disguised as ransomware but was designed as a wiper: it encrypted master boot records and file tables, destroying data permanently, with no functional decryption mechanism.
The attack spread through a backdoored update to M.E.Doc, a Ukrainian accounting software package required for doing business with Ukrainian government entities — making it a supply chain attack against companies operating in Ukraine. The wiper’s propagation mechanism (EternalBlue, the leaked NSA exploit) carried it globally to any organization with network connectivity to its Ukrainian subsidiaries. Maersk, the Danish shipping giant, had its entire global IT infrastructure destroyed, affecting 45,000 PCs and 4,000 servers across 600 locations. Recovery cost an estimated $300 million and required Maersk to reinstall those 45,000 PCs and 4,000 servers in ten days. Merck pharmaceutical lost $870 million. FedEx lost $400 million.
NotPetya demonstrated that cyberweapons designed for geopolitical conflict could cause collateral economic damage at a scale without precedent, and that the concept of “proportionate response” in cyberspace was undefined.
Iran, North Korea, and the Proliferation of State Cyberpower
Iran’s cyberoperations program expanded substantially after Stuxnet, which Iran used as justification for developing offensive capability. Iranian actors, tracked as groups including APT33 (Elfin) and APT34 (OilRig), have conducted espionage against governments and private companies in the Middle East, United States, and Europe. The Shamoon wiper (2012), attributed to Iran, destroyed approximately 30,000 computers at Saudi Aramco, replacing their master boot records with an image of a burning American flag — a destructive attack on a competitor of Iran’s oil industry.
North Korea’s cyber program, operated by Unit 121 (Lazarus Group), combines intelligence collection with financially motivated attacks. The Bangladesh Bank heist (2016) used fraudulent SWIFT international wire transfer messages to steal $81 million (of a planned $1 billion) from Bangladesh’s account at the Federal Reserve Bank of New York. The WannaCry ransomware (2017), attributed to North Korea, infected more than 200,000 computers globally but generated relatively little ransom income while causing billions in damage to hospital systems, telecommunications providers, and manufacturers.
North Korea’s cyber program is estimated to have generated over $2 billion for the regime through cryptocurrency theft and ransomware between 2016 and 2020 — a significant revenue stream for a heavily sanctioned economy.
The Tallinn Manual and the International Law Problem
The Tallinn Manual (2013, updated 2017), produced by international legal scholars assembled by NATO’s CCDCOE, is the most authoritative attempt to apply existing international humanitarian law to cyberoperations. Its conclusions are largely what lawyers might predict:
- A cyberoperation constitutes a use of force (violating UN Charter Article 2(4)) if its effects are comparable to conventional armed attacks — if it destroys infrastructure, kills people, or causes major damage.
- A cyberoperation justifying armed self-defense requires a “grave” attack equivalent in scale and effect to an armed attack.
- Proportionality and discrimination requirements from the laws of armed conflict apply to cyberoperations in the context of armed conflict.
The gap between what the Tallinn Manual documents and what states actually do is vast. The persistent cyber espionage operations conducted by every major power against every other major power are not addressed by existing law, because the law governing peacetime espionage is largely customary and unwritten. The supply chain attacks, infrastructure prepositioning, and gray-zone sabotage operations that define modern cyberconflict fall below the threshold of armed attack and therefore trigger no existing legal response. The international community has not produced binding norms governing offensive cyberoperations, and the prospects for treaty-level agreement between adversarial states are poor.
Dead End: “Cyber Pearl Harbor”
Since at least 2002, American officials have warned repeatedly of a “Cyber Pearl Harbor” — a devastating cyberattack on critical infrastructure that would cause mass casualties or catastrophic disruption. Secretary of Defense Leon Panetta used the phrase in 2012. It has been invoked before Congressional committees, in budget requests, and in strategic planning documents consistently for two decades.
The attacks that have occurred — Stuxnet, NotPetya, the Colonial Pipeline ransomware (2021), the SolarWinds supply chain compromise (2020) — have been serious and in some cases historically significant. None has approached the described scenario of sudden, mass-casualty infrastructure destruction. This is partly because attacking critical infrastructure to cause mass casualties would trigger escalation that most state actors rationally wish to avoid, and partly because infrastructure systems have redundancy and manual fallback modes that make total destruction harder than the “Cyber Pearl Harbor” framing implies.
The metaphor is a dead end in a more fundamental sense: it frames cyberconflict as an event — a single devastating attack — when the reality is a continuous state of low-level intrusion, espionage, and sabotage that accumulates strategic effect without triggering the threshold of response. The U.S. and its allies are simultaneously conducting and suffering from this continuous cyberconflict. The right frame is not Pearl Harbor but the Cold War: a permanent competition below the threshold of kinetic conflict, with occasional crises and no expected resolution.
📚 Sources
- Sanger, David E.: Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (2012), Crown
- Zetter, Kim: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (2014), Crown
- Greenberg, Andy: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (2019), Doubleday
- Schmitt, Michael N. (ed.): Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2017), Cambridge University Press
- Healey, Jason (ed.): A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (2013), Cyber Conflict Studies Association
- Clarke, Richard A. & Knake, Robert K.: Cyber War: The Next Threat to National Security and What to Do About It (2010), HarperCollins
- Arquilla, John & Ronfeldt, David: “Cyberwar is Coming!” — Comparative Strategy, Vol. 12, No. 2 (1993)