No bombs, no tanks, just a computer and the internet: the warriors of the 21st century will sit in air-conditioned offices, but they might still be able to bring countries to their knees.
Dirty, stinking water dribbles out of the tap, but no-one knows why. There's no electricity; it's hard to get information about what's going on. There are traffic accidents all over the city because the traffic lights aren't working. People are talking about a problem at the nuclear power station as well.
That's what cyberwar could look like - a massive attack on a country's computer-controlled infrastructure, an attack without bombs, remote-controlled over data networks by soldiers who don't need tanks, hand grenades or bulletproof jackets, just powerful computers, programming skills and an Internet connection.
"Luckily, we're living in a very peaceful situation, so we don't have to fear such attacks," says Sandro Gayken, computer security expert at the Free University of Berlin. But if the geopolitical situation should change, Germany would find itself inadequately protected: "Especially the critical infrastructure in German has a poor security standard in many areas. If somebody wanted to attack us with cyberwar methods, we would quickly find ourselves defenseless."
There are cyber attacks every day somewhere in the world - smaller attacks, directed at government infrastructure, military facilities and companies. No-one ever finds out who's behind many of the attacks; sometimes the truth emerges only after months or years. Often it's hackers who enjoy finding weak spots and trying out how far one can exploit them in order to cause damage. Sometimes it's governments themselves which plan targeted cyber attacks.
One of the best-known cases in recent years was the Stuxnet virus, which is believed to have caused the centrifuges in the Iranian Natans nuclear facility to get out of control. According to the information which is so far available, the virus manipulated the frequency with which the centrifuges rotate as they enrich uranium, and thus made them useless. According to the New York Times, the virus was developed by the US secret service agency NSA and Israeli agents.
As the British daily "The Guardian" reported a few weeks ago, US President Barack Obama has ordered a list of all the possible targets for cyber attacks on US facilities abroad. The paper published the memo, which was marked "top secret," on its website.
NATO issues guidelines
But how far are such attacks to be considered as acts of war? How can a state that has come under such an attack respond? The Tallinn Manual on the International Law Applicable to Cyber Warfare was published in March by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. It contains 95 rules against which NATO states can orient themselves with regard to cyberwar, although its proposals are not legally binding.
The German international law expert Wolff Heintschel von Heinegg of the Europa University in Frankfurt (Oder) contributed to the manual. He told Deutsche Welle how cyber attacks were seen in legal terms: "It makes no difference whether considerable damage is done by a mortar being fired or whether the considerable damage is carried out by a cyber attack."
All the same, it wouldn't be legitimate to respond to every cyber attack as if it were an armed attack which would justify responding under the law of self-defense. "It would be necessary that the damage would be particularly severe," says von Heinegg. If that were the case, though, the victim could respond with conventional weapons like bombs.
IT expert Gaycken doesn't think such a scenario is likely. He sees cyber attacks as much more of an insidious threat: "You could sabotage specific aspects of key industries, so that, for example, cars or airplanes would have to recalled and a brand would lose its credibility."
In conjunction with industrial espionage, it would be possible to cause serious damage to a country's economy and, in the long term, bring it close to collapse.