The recent attacks in Lebanon using pagers and two-way radios weaponized into bombs represent an unprecedented and deeply problematic change in how countries undertake war.
The novelty is not in the sabotage of technologies to target enemies. As history demonstrates, regimes have long employed Trojan horse tactics by exploiting communications or military equipment to go after specific targets.
The attacks in Lebanon are controversial because it is widely believed the Israeli military and security services orchestrated the simultaneous detonation of devices in broad circulation amongst civilian populations. This included medical staff in hospitals and people going about their daily lives in markets and homes.
The device attacks killed 37 people in Lebanon, including two children and several Hezbollah commanders, and wounded close to 3,000 people.
Experts in international humanitarian law charge the attacks violated international law for their failure to discriminate between legitimate military targets and civilian populations and for their use of prohibited booby traps of everyday devices likely to endanger civilian populations.
For security analysts, this example may represent the harbinger of a new era featuring the weaponization of everyday objects.
Back-door weaponization of electronics
At the same time, we may begin to see attacks whereby “Internet of Things” devices are sabotaged or disabled by deliberately corrupting the devices’ software. Because manufacturers control the product’s software that enables the products to collect and act upon data, these same companies have the built-in ability to improve or downgrade functionality.
This also enables “regulation by bricking,” when firms deliberately reduce functionality by strategically withholding software updates.
Russian troops received a lesson in this in May 2022 after they stole John Deere farm equipment from a Ukrainian dealership, only for the equipment to be rendered inoperable remotely.
Away from the battlefield, a dispute between a train manufacturer and railway company in Poland left several just-repaired trains unusable for months in the summer of 2022 because the manufacturer used digital locks remotely to immobilize the trains.
Virtual battlefield
These examples underline the importance of control over software in an era of increasingly networked products and infrastructure.
Rather than use sabotage or surreptitiously manufacture devices packed with explosives using false front companies, as technology experts contend was the method used in the Lebanon attack, hostile state or non-state actors may simply target software. Hostile actors could infiltrate manufacturers to manipulate the provision of product software, exploit breaches or simply hack into system networks.
Security intelligence agencies have long stressed the need to safeguard critical infrastructure that is increasingly reliant upon digital networks. This includes everything from smart energy grids and emergency communications systems to traffic control systems.
The Canadian Security Intelligence Service (CSIS), for example, warned in 2021 that hostile actors’ exploitation of critical infrastructure systems will have “serious financial, social and health and safety implications in Canada.” Imagine a scenario, CSIS wrote, where coordinated cyberattacks “took down safety locks that prevent catastrophic explosions at a petrochemical facility, while simultaneously controlling traffic lights to inhibit the emergency response.”
Vulnerability of supply chains – and public confidence
Understanding potential impact requires looking no further than relatively mundane occurrences. A two-day outage for customers of Rogers Communications Inc. in July 2022 took down the internet and mobile services of more than 12 million customers across Canada due to a faulty system upgrade.
The same outage also downed critical electronic payment services and emergency 911 services, leading to a “catastrophic loss of all services,” concluded the Canadian Radio-television and Telecommunications Commission in its report on the outage. While this outage was the result of human error, one could imagine a similar outage from a malicious attack.
The attacks on Lebanon must be investigated for possible violation of international law for the targeting of civilians and use of booby traps against civilian populations. The weaponization of communications devices in the attack must be thoroughly investigated. Former CIA director Leon Panetta has described the attacks as a form of terrorism.
All the facts must be brought to light around the particularly deceptive nature of the suspected creation of a front company to deliver weaponized technologies, seemingly without the knowledge of the original manufacturer. When “you have terror going into the supply chain,” Panetta remarked, “it makes people ask the question: ‘What the hell is next?’”
Assuring consumer trust
When multiple manufacturers and distributors are involved in assembling a product, the end consumer must be able to trust in the integrity of the supply chain that made and delivered it. In the case of the Lebanon attacks, the economic, and political, effects are being felt far and wide and trust will be difficult to rebuild.
In addition to examining the attacks’ repercussions on global supply chains, there are policy implications for manufacturers of Internet of Things goods that behoove the strengthening of corporate governance practices. One useful step is the US Federal Communications Commission’s (FCC) 2024 approval of a voluntary Internet of Things labelling program that permits manufacturers to display the U.S. Cyber Trust Mark.
The goal is to help consumers make informed purchasing decisions and incentivize manufacturers to meet increased cybersecurity standards. The degree to which a voluntary program, even with oversight from a federal institution with the reach of the FCC, can achieve this remains to be seen.
The attacks in Lebanon underscore the need for governments at all levels to make requirements for the procurement and operation of digital infrastructure appropriately robust. This must include clearly setting out who is responsible for operating and repairing infrastructure to better ensure public safety in the face of a new era of cyberthreats at our doorstep.