A New Tactical Era of Supply-Chain Sabotage at Scale

Preliminary thoughts on Israel's mass detonation of pagers in Lebanon. Now we have a different angle to understand the assertion that supply-chain vulnerabilities are national security concerns.

Alfred (Michael Caine) recalls how his army unit caught a bandit in The Dark Knight (2008)

Edited by Sam Thielman




I SPENT MUCH OF YESTERDAY messaging with colleagues and technically-minded sources about Israel's stunning mass remote detonation of a model of pager manufactured by Taiwanese brand Gold Apollo and apparently ordered for use by Hezbollah. There is much we don't know. But the toll of death and wounded—at least 12, including two children so far, and at least 2800 wounded—from such a specific attack makes this feel like the kind of point of tactical departure that 13 years ago I argued the Stuxnet worm attack represented. (Although that's the apparent end of any similarities between this and Stuxnet, including technical ones.)

Many of my message chains zeroed in on the scale of the damage as an indication that the devices were tampered with, rather than relying on remotely overheating the pagers' small lithium battery until it catches fire. These were explosions that required amputations for survivors. I've seen some people, impressed by the technical sophistication of the operation, argue that the Israeli detonations were targeted to the device-holder, which they figure was purely Hezbollah. Clearly the children were not Hezbollah operatives. 

But more broadly, the explosive yield does not itself indicate precision in targeting. It indicates only the amount of explosive that can be placed within a small device without compromising normal function. I couldn't help but recall the ubiquitous 2010s-era assertion that drone strikes are precise because they didn't always collapse neighboring buildings, a factor more properly attributable to the size of the munitions they fired.

While reporting indicates that Hezbollah placed a pager order from Gold Apollo following leader Hassan Nasrallah's instructions in February against using cellphones, it does not appear to be only Hezbollah that used the pagers, and certainly civilians were present during many of the detonations and required hospitalization or worse. Technocratic Lebanese information minister Ziad Makary, who was the first to attribute the detonations to Israel, called it "a blatant attack on Lebanese sovereignty, that targeted civilians, not only Hezbollah members" that he said he would take to the United Nations (for all the good that will do). And that speaks to how this operation might have gone down. 

I'm trying to write this in a way that avoids speculation, but maybe it's better to say here that we are dealing with facts not in evidence, and everything about the picture that follows might change. But most of the reporting thus far points to what, in my opinion, is the likeliest and most technologically plausible way this could have gone down. And it's one that puts a different spin on the Biden-era line that supply-chain vulnerabilities are national-security issues.

The Snowden documents familiarized readers with a National Security Agency entity called Tailored Access Operations, which penetrates hardened digital targets. Usually TAO's entry points are software vulnerabilities and their own digital exploitation tools. But other times TAO inserts vulnerabilities or relays through tampering with routers or personal devices.

I am not attributing this pager attack to the NSA. I bring this up instead to say it looks like Israel has now scaled up similar approaches by inserting not only software vulnerabilities—that is, the "execute" message that it pinged to the pagers—but also actively inserting explosives at either the point of manufacture or the point of shipping. The New York Times, like others, reports that "over 3,000 pagers" were included in the Lebanon order, which went to Hezbollah but apparently, per Makary, not only to them. 

Not to belabor the point, but sabotaging the devices before they've shipped entails an acceptance that they will indeed kill and maim some users who are not combatants. And scaling tailored operations necessarily sacrifices discrimination at the point of targeting, which is a necessary condition for a legal military operation according to international humanitarian law.

You can’t make that vital discrimination by detonating these devices outside a battlefield environment where combatants would be separable from civilians. The explosions happened at grocery stores, on streets, in cafes, on roads, and overwhelmed Lebanese medical infrastructure. Al-Monitor has some reporting that the Israelis launched the attack prematurely out of concern that Hezbollah had potentially learned about the operation, although yesterday's events don't really indicate Hezbollah taking any anticipatory precautions. Whatever the reasoning, the pager detonations show what Irish Foreign Minister Micheál Martin called a "wanton disregard" for civilian life, not a discriminating operation. There will be some who blame Hezbollah for using human shields, which is to say living amongst a civilian population instead of in barracks, but that's simply a way to handwave away the obligation of combatants not to kill civilians who are "in the way" of their opposing forces. The utility of the term comes from its evasion of the concept of state terrorism.

Then there's the psychological element of the operation. The explosions now instill widespread fear over not only the use of pagers, but any personal communications equipment. If they could rig pagers to explode, there's no reason why they can't do it to phones; or if there is, that technological hurdle will be cleared soon enough. Metadata surreptitiously intercepted from phones was crucial for drone strikes. Sabotaging the source of signal emission seems like an ominous way of cutting out a middleman. How could you feel safe carrying such a device around after this? 

UPDATE: As if to underscore the point, right as we published this edition, Lebanon's health ministry reported that over 100 are injured in a similar series of detonations that appear to be a follow-on attack.

I will be very interested to learn where the point of sabotage occurred. Gold Apollo is pointing fingers at a Hungarian company, Budapest's BAC Consulting KFT. Viktor Orban's antisemitism has been no obstacle to his collaboration with fellow nationalist Benjamin Netanyahu, as it comes with Islamophobia that Netanyahu finds useful. Israeli news outlet Israel Hayom, looking at BAC, puts it bluntly: "An inquiry into the Hungarian company has only raised more questions, chief among them whether it might be a front for those behind the extraordinary operation against the Lebanese terror group." Reportedly, the Gold Apollo CEO, Hsu Ching-kuang, claimed that BAC's payments to licensee Gold Apollo were routed through the Middle East. Its registered address is a private residence and a Hungarian news site found "no evidence of [BAC's] involvement with pager technology."

Again, all of this is preliminary, as we've got more questions than answers. But from now on, whenever U.S. national-security functionaries talk about the necessities of securing supply chains, this is what I'm going to be thinking about. Not the need to preserve commercial patterns and stabilize prices of consumer goods, but exclusive or limited access to the points of manufacture and distribution for the Rules-Based International Order to weaponize that economic activity for the moment of detonation. This will not be the last time this sort of thing happens, and Israel will not be the only state culprit.


A SENATE HEARING into rising Islamophobia and antisemitism on Monday became a gross farce when Louisiana Republican John Kennedy—a man whose name makes him the Willie Mays Hays of politics—attempted to portray civil-rights leader Maya Berry as a supporter of Hamas and Hezbollah. My response would have been to similarly demand that Kennedy explain whether he supports the KKK, the Proud Boys, the Oathkeepers, the January 6th insurrectionists, and so on, so he can understand through experience the presumption of collective guilt. But the Muslim Civic Coalition is classier than I am:

The Republican Senators politicized the hearing by demanding expert witnesses discuss irrelevant foreign issues, denounce freedom of speech if it's for Palestinians, and agree to end peaceful protests on college campuses. Senators even questioned the integrity, and lobbed personal attacks on the only Arab and Muslim expert witness, Maya Berry, who is a respected organizer and leader.
Democrat Senators? Well, some of them did not even show up. Senators Durbin, Klobuchar, and Welch tried to stem the hate-filled rhetoric, but it felt weak against the coordinated onslaught from the other side.
