On 17 September, Lebanon witnessed an unprecedented attack when thousands of pagers belonging to Hezbollah operatives suddenly detonated, resulting in nine fatalities and nearly 3,000 injuries. The following day, a second wave of attacks targeted not only pagers but also handheld radio sets, cellphones, and laptops, causing 20 deaths and over 450 injuries. Since then, Israel and Hezbollah have exchanged rocket fire.
The sophistication of these attacks was alarming. Supply chain networks were infiltrated, and explosives were strategically placed near device batteries, connected to remote command slots for detonation.
The precision and scale of the attacks suggest meticulous planning beyond typical terrorist activities.
These incidents, combining elements of cyber warfare with physical explosives, have raised serious concerns about the future of conflict and the vulnerability of digital infrastructure. Despite being an attack against a terrorist organisation, the impact of such an attack is still debatable. While all suspicion is on Israel, it has not officially claimed responsibility for the attack.
Hezbollah, known for employing low-tech communication methods to evade Israeli intelligence, had recently acquired about 5,000 new pagers from a Taiwanese company called Gold Apollo. The supply chain reportedly involved a Bulgarian supplier registered under an Indian-born individual's name. The compromised handheld radio sets bore the logos of Icom, a reputable Japanese manufacturer.
This incident raises several critical concerns:
The Convergence of Cyber and Physical Attacks: It demonstrates how digital vulnerabilities can be exploited to cause large-scale physical harm, blurring the lines between cyber warfare and conventional terrorism.
Supply Chain Vulnerabilities: The compromise of devices from reputable manufacturers highlights the risks in global supply chains, where malicious actors can introduce compromised components.
Escalation of Cyber Warfare: If nation-states are behind such attacks, it represents a significant escalation in using cyber capabilities for kinetic effects, potentially leading to an arms race in cyber-physical weapons.
Implications for Critical Infrastructure: The success of these attacks underscores the vulnerability of interconnected devices forming the backbone of modern infrastructure.
Legal and Ethical Quandaries: These tactics raise serious questions about the ethics of cyber warfare and the adequacy of existing international laws to address hybrid threats.
The United Nations (UN) has been working on a Convention against Cybercrime, with a final draft presented in August 2024 to be deliberated in the ongoing 79th session of the UN General Assembly. This convention aims to establish norms for responsible behaviour in cyberspace and prevent nations from launching or facilitating cyber-attacks.
Establishing a comprehensive and universally accepted definition of cyber warfare is crucial. While the UN Open-Ended Working Group has made progress in building upon the UN Norms of Responsible State Behaviour in Cyberspace, a more inclusive, expansive, and multifaceted dialogue is imperative to address the complex nature of cyber threats and their potential consequences.
One primary objective should be preventing the normalisation of cyber attacks as an adjunct to conventional military operations. There's growing concern that state and non-state actors may view cyber warfare as a low-risk, high-reward strategy, potentially leading to dangerous conflict escalation in both digital and physical realms.
Also, many nations are already devising cyber warfare capabilities and this also includes employing non state actors in executing the attacks. Many nations have also set the threshold for accepting cyber attacks. NATO has stated that a cyber attack could trigger Article 5 of the Washington Treaty, which is the collective defence clause. This means that a significant cyber attack against one NATO member could be considered an attack against all members, potentially leading to a collective response.
So it is imperative that certain steps be taken to prevent a catastrophe:
Improved Supply Chain Security: Stricter regulations and better monitoring of technology supply chains are necessary.
Updated Legal Frameworks: International law needs to evolve to explicitly address cyber-physical attacks and establish clear consequences for perpetrators.
Investment in Defensive Technologies: Countries and organisations must invest in developing better detection and prevention systems for cyber-physical threats.
Public Awareness and Education: Increasing awareness about the potential dangers of compromised devices and the importance of cybersecurity is crucial.
The ability to attribute cyberattacks remains a significant challenge, which could encourage more actors to employ these tactics. The potential for escalation is high, as targeted entities may feel compelled to respond in kind, potentially triggering a cycle of retaliation.
As artificial intelligence (AI) continues to advance, its potential application in enhancing kinetic weapons' capabilities adds another layer of complexity. AI could improve targeting, automate attacks, or develop new forms of cyber-physical weapons that are more difficult to detect and counter. To address these challenges, the international community must establish new norms, laws, and cooperative frameworks.
The Hezbollah pager attacks occur against a backdrop of ongoing global conflicts, including the Russia-Ukraine war and expanding tensions in the Middle East. While these conflicts have involved elements of cyber warfare, none have reached the scale and sophistication compared to the recent attacks in Lebanon.
These attacks serve as a wake-up call, highlighting the urgent need for action. As our reliance on interconnected devices continues to grow, so does our vulnerability to hybrid threats. The time to act is now before these new forms of warfare become the norm and the digital realm becomes the next major battlefield in global conflicts.
(Subimal Bhattacharjee is a Visiting Fellow at Ostrom Workshop, Indiana University Bloomington, USA, and a cybersecurity specialist. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)