Stuxnet and America’s Cyber Credibility
The United States may have slowed down Iran's nuclear program without firing a shot--not counting the one at our own foot.
Revelations that the United States is responsible for the Stuxnet virus and has been waging cyber war on Iran since the Bush administration have been greeted with interest but not much controversy, at least domestically. After all, Iran is a bad actor and stopping its development of nuclear weapons through non-violent means seems like a no-brainer.
My Atlantic Council colleague Jason Healy, who directs our Cyber Statecraft Initiative, believes otherwise. In a post titled “Stuxnets are Not in the US National Interest: An Arsonist Calling for Better Fire Codes,” he argues that this effort has likely destroyed American credibility in an increasingly important arena.
Few in the world will ever believe the peaceful motives of the United States in cyberspace again, giving us even less leverage to ensure this new cyber dimension develops in a way encompassing America’s wider economic and security interests.
Cyberspace is “the backbone that underpins a prosperous economy and a strong military and an open and efficient government,” according to President Obama. Because of this importance, not much more than a year ago, the president committed the United States to “work internationally to promote an open, interoperable, secure, and reliable” cyberspace “built on norms of responsible behavior.” He wrote that, “While offline challenges and aggression have made their way to the digital world, we will confront them consistent with the principles we hold dear: free speech and association, privacy, and the free flow of information. The digital world is no longer a lawless frontier … It is a place where the norms of responsible, just and peaceful conduct among states and peoples have begun to take hold. ”
Stuxnet was not an act of peaceful conduct.
Saying one thing in public while doing the opposite covertly in the shadows happens of course all of the time between governments. China is, for example, behind large-scale global cyber espionage at the same time as it asserts that such acts are illegal and forbidden.
But the United States is the one that very publicly got caught and the timing could hardly be worse. The future of the Internet is being decided and post-Stuxnet, more nations are likely to side with the Russians and Chinese.
The most important reasons why Stuxnets are not in US interests revolve around the basic argument that “those with glass industrial control systems should not throw stones.” The United States has incredibly vulnerable cyber systems, including in critical infrastructures like the electrical generation and transmission systems. Not only has the United States legitimized attacks against these systems, they are now likely open to direct reprisal from Iran.
DHS officials have testified to Congress they are “concerned that attackers could use the increasingly public information about [Stuxnet] to develop variants targeted at broader installations of programmable equipment in control systems.” General Alexander of US Cyber Command similarly told lawmakers that “Attacks [such as Stuxnet] that can destroy equipment are on the horizon, and we have to be prepared for them.” The government has been clear about the proper response to Stuxnet and other threats with Alexander writing to Congress that “Recent events have shown that a purely voluntary and market driven system is not sufficient. Some minimum security requirements will be necessary” using regulation to secure critical infrastructure.
The message to the US private sector therefore seems to be that they need to be regulated because they are not protecting themselves sufficiently against a weapon designed and launched by their own government. The arsonist wants to legislate better fire codes.
Jay isn’t a pointed headed academic–he’s an Air Force Academy grad, a plankholder (founding member) of the Joint Task Force-Computer Network Defense, the world’s first joint cyber warfighting unit, and served as Director for Cyber Infrastructure Protection at the White House from 2003 to 2005.
I think he’s right here, even though my knee-jerk instinct is the same as everyone else’s. I argued for years against the notion that the Bush Administration was going to take us into a shooting war in Iran, simply on the basis that very few experts believed there were good military options. Given the universal notion that an Iranian nuke was “unacceptable” combined with a lack of ability to do much to prevent its becoming a reality, it was likely impossible to turn down a plan to do it through a cyber back door. (Ditto the escalation of the drone war in Pakistan, Yemen, and elsewhere.)
In terms of the bilateral relationship with Iran, there’s very little downside. A year ago, Jay wrote piece called “Bringing a Gun to a Knife Fight: Striking Back in Cyber Conflict,” pointing to the Obama administration’s declaration that it reserved the right to respond to a cyber attack with a kinetic one. That is, a country that launched a virus that crippled our critical infrastructure shouldn’t feel comfortable that our response would be limited to one in kind–we might bomb the hell out of them. While the reverse is of course true as well, the fact of the matter is that Iran has few good options for a military reprisal here.
But foreign policy is more than a series of bilaterals. Our actions in Iraq a decade ago damaged our relationships with our European allies and otherwise negatively impacted our ability to influence international policy. If Jay’s right, this action against Iran–while seemingly more successful on the ground than our adventure in Iraq–may be much more damaging to our soft power.