The terrifying specter of a future of cyberattacks is that someday, a malicious actor will reach through the internet and cause real, tangible, physical harm. It sounds like a Hollywood plot: a computer is compromised, and suddenly the machinery of a factory is broken. Yet despite the panic, until recently there’s only been one such confirmed case. That was Stuxnet, an American-made virus which disrupted an Iranian centrifuge used to enrich uranium in the late 2000s. Then, last month, Germany published a report of another cyberattack turned physical: a furnace at a steel mill that wouldn’t shut down.
The attack caused physical damage, though the report doesn’t clarify if the damage was intentional or a by-product of the malicious access of the steel mill’s computers. And the physical damage is significant. Most of what is labeled cyberwar, like the Sony hack is information theft or involves damage to files, which is certainly harmful but falls under norms governing espionage, theft, and intelligence collection. Damage like this is sabotage, and is more clearly a kind of harm that justifies a use of force.
In the future, if there are attacks through the internet that reach anything like the level of war, it will be viruses like Stuxnet or hacks like the German steel mill that count as cyber war.