The Brave New World Of Cyber Warfare
Are the Stuxnet and Flame attacks the opening shots in a dangerous new era of secret war?
Columbia University Professor Misha Glenny, writing in a New York Times Op-Ed that appeared on Sunday, touches on a subject I’ve written about before, namely the dangerous new world of Cyber Warfare made possible by viruses such as Stuxnet and Flame:
The decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.
It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.
There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.
Separately, Tyler Cowen raises similar concerns:
By the way, didn’t it just come out in The Washington Post that the United States helped attack Iran with Flame, Stuxnet and related programs? If they did this to us, wouldn’t we consider it an act of war? Didn’t we just take a major step toward militarizing the internet? Doesn’t it seem plausible to you that the cyber-assault is not yet over and thus we face immediate questions looking forward? Won’t somebody fairly soon try to do it to us? Won’t it encourage substitution into more dangerous biological weapons?
I do understand that these are fairly superficial questions and that I do not have the expertise to write a detailed and insightful blog post on these topics. Still, it seems odd not to mention them at all. While I read in limited circles, I do not see many writers devoting much attention to the matter. Shouldn’t this have set off a large-scale national debate?
Though writing separately, Glenny and Cowen both raise the same basic point. We’re dealing with, and apparently now using on a regular basis a brand new form of warfare that has the potential to do great damage in a manner that allows an attacker to achieve veritable anonymity while causing massive social chaos in the nation attacked. Imagine what would happen, for example, if someone managed to launch and attack that brought down the Eastern Power Grid in the same manner as the accident that led to a blackout that covered massive portions of the Northeastern US and Canada in 2003. For most people, that blackout came to an end within seven hours but for some it would be until the next morning when power was restored. Imagine the same thing happening again, but with a blackout that last for days, in the middle of a cold winter or a hot summer. It would likely lead to significant chaos and confusion, especially if it took time to even figure out what had happened.
Cowen is right that this is an issue that we ought to be discussing more openly, and Glenny is right that it may be appropriate to start talking about international agreements limiting the use of this kind of technology (although it’s hard to see how such agreements could stop non-governmental hackers from doing what they do), but because this is something that happens behind the scenes it doesn’t happen. Perhaps it won’t really happen until there is a real Cyber attack that has an impact on civilian infrastructure, which would be unfortunate if only because it would likely mean that there would be a lack of preparedness for the consequences of such an attack. Then again, that’s usually how we approach problems like this, with our heads in the sand.
The one issue that Glenny and Cowan don’t touch on is the one that I think is potentially the most important:
In what respect are the electronic attacks that we and the Israelis have unleashed on the Iranian nuclear program not an act of war?
In that regard, I think we can distinguish to some extent between Stuxnet, which was clearly designed to sabotage, and Flame, which at least from the reports that have been made public, appears to be designed exclusively as an espionage tool. Espionage is, perhaps in some sense, an “act of war” but I don’t think that you can really say that what Flame did is functionally different from what human spies have done for generations, and nobody has ever reasonably considered that to be a casus belli. It’s just the way the game between nations is played and if a spy gets caught, they get caught, it doesn’t lead to war between the respective nations. Things tend to get a lot more complicated, though, when you start talking about sabotage, even when it’s sabotage of a purely military target. How is a cyber attack directed at the nuclear plant in Nantz, Iran any different than if we flew a few squadrons of B-2’s over there and bombed the hell out of the place? The level of damage will be different, obviously, but is the act any different? If not, then we have already committed acts of war against Iran.
Glenny closes with this:
Technical superiority is not written in stone, and the United States is arguably more dependent on networked computer systems than any other country in the world. Washington must halt the spiral toward an arms race, which, in the long term, it is not guaranteed to win.
Indeed, as I’ve noted before, given that plenty of destructive hacking has already been done by non-government actors, there’ s no reason to believe that if this technology is used against us there will even be a government to retaliate against.