The Brave New World Of Cyber Warfare
Are the Stuxnet and Flame attacks the opening shots in a dangerous new era of secret war?
Columbia University Professor Misha Glenny, writing in a New York Times Op-Ed that appeared on Sunday, touches on a subject I’ve written about before, namely the dangerous new world of Cyber Warfare made possible by viruses such as Stuxnet and Flame:
The decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.
It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.
There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.
Separately, Tyler Cowen raises similar concerns:
By the way, didn’t it just come out in The Washington Post that the United States helped attack Iran with Flame, Stuxnet and related programs? If they did this to us, wouldn’t we consider it an act of war? Didn’t we just take a major step toward militarizing the internet? Doesn’t it seem plausible to you that the cyber-assault is not yet over and thus we face immediate questions looking forward? Won’t somebody fairly soon try to do it to us? Won’t it encourage substitution into more dangerous biological weapons?
I do understand that these are fairly superficial questions and that I do not have the expertise to write a detailed and insightful blog post on these topics. Still, it seems odd not to mention them at all. While I read in limited circles, I do not see many writers devoting much attention to the matter. Shouldn’t this have set off a large-scale national debate?
Though writing separately, Glenny and Cowen both raise the same basic point. We’re dealing with, and apparently now using on a regular basis a brand new form of warfare that has the potential to do great damage in a manner that allows an attacker to achieve veritable anonymity while causing massive social chaos in the nation attacked. Imagine what would happen, for example, if someone managed to launch and attack that brought down the Eastern Power Grid in the same manner as the accident that led to a blackout that covered massive portions of the Northeastern US and Canada in 2003. For most people, that blackout came to an end within seven hours but for some it would be until the next morning when power was restored. Imagine the same thing happening again, but with a blackout that last for days, in the middle of a cold winter or a hot summer. It would likely lead to significant chaos and confusion, especially if it took time to even figure out what had happened.
Cowen is right that this is an issue that we ought to be discussing more openly, and Glenny is right that it may be appropriate to start talking about international agreements limiting the use of this kind of technology (although it’s hard to see how such agreements could stop non-governmental hackers from doing what they do), but because this is something that happens behind the scenes it doesn’t happen. Perhaps it won’t really happen until there is a real Cyber attack that has an impact on civilian infrastructure, which would be unfortunate if only because it would likely mean that there would be a lack of preparedness for the consequences of such an attack. Then again, that’s usually how we approach problems like this, with our heads in the sand.
The one issue that Glenny and Cowan don’t touch on is the one that I think is potentially the most important:
In what respect are the electronic attacks that we and the Israelis have unleashed on the Iranian nuclear program not an act of war?
In that regard, I think we can distinguish to some extent between Stuxnet, which was clearly designed to sabotage, and Flame, which at least from the reports that have been made public, appears to be designed exclusively as an espionage tool. Espionage is, perhaps in some sense, an “act of war” but I don’t think that you can really say that what Flame did is functionally different from what human spies have done for generations, and nobody has ever reasonably considered that to be a casus belli. It’s just the way the game between nations is played and if a spy gets caught, they get caught, it doesn’t lead to war between the respective nations. Things tend to get a lot more complicated, though, when you start talking about sabotage, even when it’s sabotage of a purely military target. How is a cyber attack directed at the nuclear plant in Nantz, Iran any different than if we flew a few squadrons of B-2’s over there and bombed the hell out of the place? The level of damage will be different, obviously, but is the act any different? If not, then we have already committed acts of war against Iran.
Glenny closes with this:
Technical superiority is not written in stone, and the United States is arguably more dependent on networked computer systems than any other country in the world. Washington must halt the spiral toward an arms race, which, in the long term, it is not guaranteed to win.
Indeed, as I’ve noted before, given that plenty of destructive hacking has already been done by non-government actors, there’ s no reason to believe that if this technology is used against us there will even be a government to retaliate against.
Call me crazy but I prefer it to the whole Mutual Assured Destruction era. Never fear: one way or the other the porn sites will stay up.
I read somewhere else the whole point of cyberwar is so Israel will be nice to us, so I don’t see how anyone could get upset about the whole this.
What’s sort of funny about those two op-eds, in the vein of dark comedy, is that without cyberwarfare then actual military force against Iran would have been inevitable, and of course it goes without saying the cognoscenti of the media reflexively would have opposed that course of action too. In other words, heads and the U.S. should not use its power; tails and the U.S. should not use its power. Don’t do unto others what you wouldn’t want done to you. Blah, blah, blah. Add Israel into the mix and the derangement goes to 11. Somewhere in hell Chamberlain is nodding and saying: “Jolly good.”
In any event, as with any advancement in weaponry the object is to make sure the other side can’t do what we can do. Or that we stop him from trying.
We didn’t eschew using the atomic bombs on the theory that we wouldn’t want to have atomic bombs dropped on us. That was for reasons so obvious only a leftist could be insouciant of them.
Separate but related topic: Given the new age of cyberwarfare it’s pretty darn clear that we need a lot more cyberwarriors from the likes of Cal Tech and MIT and a lot fewer big thinkers from the likes of the Loopy Univ. of Humanities, Philosophy, Sociology and Journalism. At least so far as taxpayer dollars are concerned.
I’m pretty sure that we, both our government and corporations have been attacked. That the attackers have been politely named as Chinese or Russian “criminals” is probably a fig leaf.
This is reminiscent of the cold war. Instead of fighter planes probing defenses and “lighting up” opposition targets with radar, the “hacker groups” probe banks and etc.
It’s a wrong telling to suddenly take Stuxnet and Flame as the starting point.
Russian hackers behind first successful US SCADA system attack
Grey Goose 2 ties Kremlin more closely to Georgia cyber-attacks
Chinese military exposed as experienced internet attackers
US names China, Russia as cyberespionage leaders
(all at http://www.infosecurity-magazine.com/)
Oh neat, the CS Monitor has a cyber warfare timeline here.
I think we would be much more prudent to get behind an accord banning cyberwarfare and sticking to that rather than practicing it ourselves. It’s inherently asymmetric and that works against us.
If that weren’t the case malware would not be possible.
Given that the superpowers have been active in this since the 90’s, how would you police a disarmament agreement?
Satellites and on-site inspection don’t work quite as well as they do with missiles and bombs.
Especially given this “hacker” misdirection that was impossible in the nuclear age. It’s easy for Russia, China, or the US to say “oh, sorry. those were private hackers.”
If it’s inherently asymmetrical then there is no reason to suppose that a ban would work. It would be just like terrorism in that regard. But again, I much prefer having my bank account hacked to wandering a post-nuclear landscape.
FWIW, our systems are somewhat strong because college kids have been hacking them, and defending them, for 40 years.
One possible storyline is that there will be a brief term of vulnerability, and then very strong systems will emerge.
If you want to hasten this, give more prizes to hackers (some competitions now exist) and fewer prison sentences.
It’s utterly, disgustingly naïve for a so-called pundit to believe that the US’s recently revealed participation in cyberwarfare makes one iota of difference to anyone capable of engaging us in cyberwarfare. Just because Misha Glenny and Tyler Cowen never thought of it before now doesn’t mean that our enemies are as ignorant as they are.
Sheesh! What are they, children?
@Boyd: Exactly, as if they really didn’t already know. The wingnuts bitching about this are as stupid as they think the Iranians are.
This is also impacting productivity here at home. My sister is a senior scientist for a multinational corporation. She can no longer take data from her electron microscope to her networked computer where she can actually work with it on a thumb drive or CD without it being checked by IS which can take hours or days.
In the news yesterday:
“Criminals” no doubt.