The recent attacks in Lebanon using pagers and two-way radios weaponized into bombs is an unprecedented and deeply problematic change in how countries undertake war.

The novelty is not in the sabotage of technologies to target enemies. As history demonstrates, regimes have long employed Trojan horse tactics by exploiting communications or military equipment to go after specific targets.

The attacks in Lebanon are controversial because it is widely believed the Israeli military and security services orchestrated the simultaneous detonation of devices in broad circulation amongst civilian populations. This included medical staff in hospitals and people going about their daily lives in markets and homes.

The device attacks killed 37 people in Lebanon, including two children and several Hezbollah commanders, and wounded close to 3,000 people.

Experts in international humanitarian law charge the attacks violated international law for their failure to discriminate between legitimate military targets and civilian populations and for their use of prohibited booby traps of everyday devices likely to endanger civilian populations.

For security analysts, this example may represent the harbinger of  a new era featuring the weaponization of everyday objects.

Back-door weaponization of electronics

At the same time, we may begin to see attacks whereby “Internet of Things” devices are sabotaged or disabled by deliberately corrupting the devices’ software. Because manufacturers control the product’s software that enables the products to collect and act upon data, these same companies have the built-in ability to improve or downgrade functionality.

This also enables “regulation by bricking,” when firms deliberately reduce functionality, by strategically withholding software updates.

Russian troops received a lesson in this in May 2022 after they stole John Deere farm equipment from a Ukrainian dealership which was rendered inoperable remotely.

Away from the battlefield, a dispute between a train manufacturer and railway company in Poland left several just-repaired trains unusable for months in the summer of 2022 because the manufacturer used digital locks remotely to immobilize the trains.

Virtual battlefield

These examples underline the importance of control over software in an era of increasingly networked products and infrastructure.

Rather than use sabotage or surreptitiously manufacture devices packed with explosives using false front companies, as technology experts contend was the method used in the Lebanon attack, hostile state or non-state actors may simply target software. Hostile actors could infiltrate manufacturers to manipulate the provision of product software, exploit breaches or simply hack into system networks.

Security intelligence agencies have long stressed the need to safeguard critical infrastructure that is increasingly reliant upon digital networks. This includes everything from smart energy grids or emergency communications systems, traffic control systems.

The Canadian Security Intelligence Service (CSIS), for example, warned in 2021 that hostile actors’ exploitation of critical infrastructure systems will have “serious financial, social and health and safety implications in Canada.” Imagine a scenario, CSIS wrote, where coordinated cyberattacks “took down safety locks that prevent catastrophic explosions at a petrochemical facility, while simultaneously controlling traffic lights to inhibit the emergency response.”

Vulnerability of supply chains – and public confidence

Understanding potential impact requires looking no further than relatively mundane occurrences. A two-day outage for customers of Rogers Communications Inc. in July 2022 took down the internet and mobile services of more than 12 million customers across Canada due to a faulty system upgrade.

The same outage also downed critical electronic payment services and emergency 911 services, leading to a “catastrophic loss of all services,” concluded the Canadian Radio-television and Telecommunications Commission in its report on the outage. While this outage was the result of human error, one could imagine a similar outage from a malicious attack.

The attacks on Lebanon must be investigated for possible violation of international law for the targeting of civilians and use of booby traps against civilian populations. The weaponization of communications devices in the attack must be thoroughly investigated. Former CIA director Leon Panetta has described the attacks as a form of terrorism.

All the facts must be brought to light around the particularly deceptive nature of the suspected creation of a front company to deliver weaponized technologies, seemingly without the knowledge of the original manufacturer. When “you have terror going into the supply chain,” Panetta remarked, “it makes people ask the question: ‘What the hell is next?’”

Assuring consumer trust

When multiple manufacturers and distributors are involved in assembling a product, the end consumer must be able to trust in the integrity of the supply chain that made and delivered it. In the case of the Lebanon attacks, the economic—and political—effects are being felt far and wide and trust will be difficult to rebuild.

In addition to examining the attacks’ repercussions on global supply chains, there are policy implications for manufacturers of Internet of Things goods that behoove the strengthening of corporate governance practices. One useful step is the US Federal Communications Commission’s (FCC) 2024 approval of a voluntary Internet of Things labelling program that permits manufacturers to display the U.S. Cyber Trust Mark.

The goal is to help consumers make informed purchasing decisions and incentivize manufacturers to meet increased cybersecurity standards. The degree to which a voluntary program, even with oversight from a federal institution with the reach of the FCC, remains to be seen.

The attacks in Lebanon underscore the need for governments at all levels to make requirements for the procurement and operation of digital infrastructure appropriately robust. This must include clearly setting out who is responsible for operating and repairing infrastructure to better ensure public safety in the face of a new era of cyberthreats at our doorstep.

Do you have something to say about the article you just read? Be part of the Policy Options discussion, and send in your own submission, or a letter to the editor. 
Natasha Tusikov
Natasha Tusikov is an associate professor in the department of social science at York University. Her research examines the intersection of law, crime, technology and regulation. X: @NTusikov 

You are welcome to republish this Policy Options article online or in print periodicals, under a Creative Commons/No Derivatives licence.

Creative Commons License