The pundits have called it a superweapon, a guided missile, and the herald of a new age in warfare. It’s a computer worm called Stuxnet... and they’re right.
The exact details of Stuxnet are sketchy. No one is sure of when it was created; its current form was discovered in mid-July by a Belarussian security firm, but an earlier, less sophisticated version of the worm was detected by Symantec over fifteen months ago.
No one is sure what it was intended to do. At first, researchers guessed it was intended for espionage — later the hypothesis changed to one of sabotage, but sabotage of what? Stuxnet was designed to infect off-grid industrial control systems designed by Siemens, check if the system matched its intended target, and then manipulate the control logic of the system, causing an accident. Most Stuxnet infections have been found in Iran, making the likely target the uranium enrichment facility in Natanz — unconfirmed reports on Wikileaks of a nuclear accident at the facility, combined with a drop in the facility’s output, make this scenario plausible.
No one is sure who designed it. Given the level of sophistication in the attack — the Stuxnet worm has four zero-day exploits, two stolen security keys, and a host of sophisticated methods — it must have been created by a nation-state. Presumably, if its target was indeed Iranian nuclear facilities, the perpetrator was an enemy of Iran; the usual suspects include the United States, the United Kingdom, and Israel.
Stuxnet is, in a sense, the first of its kind. Its sophistication bordering on overkill, its penetration of off-grid nuclear control systems, and its highly engineered precision have left security experts ooo-ing and aaah-ing while industrial control engineers scramble to patch their systems before less finicky versions of the worm are engineered by copycats to wreak havoc on civilization.
In another sense, Stuxnet is far from the first of its kind. In just the past few years, cyber attacks have been used to steal secrets from the Pentagon, wage war against Syria, Estonia, and Georgia, and cause billions of dollars in damages to U.S. systems. Even today, Chinese computers continue to wage an unrestrained cybernetic war against Google. “Operation Aurora” has caused the company to pull out of China entirely and seek protection from the National Security Administration.
Ultimately, to split hairs over Stuxnet’s purpose, capabilities, provenance, or novelty, is to miss the forest for the trees. It doesn’t matter when it arrived; cyberwar is here, and it’s nasty.
Advances in weaponry are often highly disruptive — in part because the tactics of war lag the pace of technological development (recall the tragically belated disappearance of massed frontal assaults after the arrival of the machine gun) — and in part because political leaders, uncertain of the significance of new technologies, miscalculate the strength of nations and in doing so invite war (just ask 1940 France of the significance of motorized infantry). For this reason alone, cyberwar deserves a prominent place in American defense thinking.
However, the advent of cyberwar carries with it more than just the traditional risks associated with new weapons technology. Firearms, artillery, aircraft... each caused a minor revolution, but none overturned a fundamental feature of war that has existed for millennia: to wage a conflict that goes above the nuisance level, you must reveal your identity to your opponent — you can’t roll tanks through the Ardennes without someone noticing their origin and intentions.
As a species, we have learned, in a limited way, to manage the problem of security in an anarchic environment. Place twenty strangers with knives in a room, and international relations theorists can offer a dozen ways to keep the peace: collective security, balancing alliances, deterrence, appeasement, etc. Place twenty strangers with knives in a room and turn off the lights, and the only way to guarantee security might be to stab nineteen people.
We have faced the specter of anonymous, yet destructive attacks before. When China developed nuclear weapons, we worried that tomorrow might find us staring at the cinders of New York City, the victim of a smuggled nuclear device, unable to determine whether responsibility lay with Beijing or Moscow. How can you deter an enemy you cannot identify?
Today, the fear of nuclear terrorism remains very real. We lack both the border control to prevent an attack and the forensics to identify the aggressor after the fact. Thus far, we have, owing a great deal to luck, avoided calamity. Nuclear weapons are not impossible to obtain, and most moderately sized economies can acquire them within a decade of effort — South Africa did it in nine years during the 1970s — however, they continue to remain largely out of reach for rogue states and subnational groups. The resulting paucity of nuclear states reduces the probability of attack, not just because there are fewer decision makers with the potential to take such an action, but also because when an aggrieved state looks for someone to retaliate against, the list is likely to be small, and include the guilty party.
We have also benefited, somewhat perversely, from the inherent nihilism of the act itself. The use of nuclear weapons, in any form, has become a major political taboo. There are psychological barriers that place the atomic bomb on a separate shelf from other options — it’s acceptable for the Soviets to funnel arms to North Vietnamese terrorists, it’s unacceptable for us to hand a nuclear weapon to Afghan Mujahideen and watch Volgograd get leveled.
More significantly, it is hard to circumscribe the damage that nuclear weapons do, and as a result, it is hard to achieve practical aims. Unless the goal is to generally weaken an opponent, nuclear terrorism doesn’t seem like a compelling tactic.
Unfortunately, none of these natural limiters on nuclear terrorism apply to cyberwar. There are no proliferation controls — everyone, every state, every subnational entity, every script-kiddie with a PC and a dream has access to the technology and the resources to conduct an attack. There are no taboos in place — cyber attacks occur across such a subtle spectrum of intensity that there is no clear cordon to be drawn around tolerable and unforgivable activities. And while nuclear weapons are good for little else but mass destruction, cyberwarfare can have highly specific targets, and meet a broader range of goals than sheer brutality.
It is easy to overstate the potential impact of cyber attacks. A good example is Richard Clarke’s (a former member of the National Security Council) recent novelization of Live Free or Die Hard, creatively named Cyber War. Despite including many pages of sound analysis, Mr. Clarke chooses to spend some chapters indulging in massive hyperbole — his imagined doomsday, where China or Russia destroys the entirety of the U.S.’s financial system, infrastructure, and military networks simultaneously in some sort of “digital Pearl Harbor,” is not just technically unlikely, but defies any rationalization of the motives behind such an assault.
However, even if the apocalyptic fiction of cyberwar never comes to pass, the reality is not much prettier. We face a low-level, continuous, constantly intensifying, constantly escalating war. The dynamics of this conflict are such that we have no obvious means of reining it in, no game-theoretic approach that offers a road to peace.
The U.S. is poorly positioned to engage in cyberwar — our technologically based economy, network-centric combat tactics, and reluctance to encroach upon the freedom of our citizens make us especially vulnerable in the face of cyber threats. Despite all this, we remain at square one: we are just now beginning to get our heads around the problem, just beginning to answer fundamental questions of doctrine, tactics, and diplomacy.
Sixteen months ago, President Obama announced a new cyber security initiative. At the time it was greeted as a significant shift. Today, it is looking more like President Bush’s similar 2003 initiative — plenty of flash, but no follow-through.
This time, however, the clock has run out. We can no longer kick the can down the road and leave the next administration to formulate our defense. Between the economy, Afghanistan, and the rest of the nation’s pressing issues, President Obama has a full load on his plate. But as tough as it is, he must make room for cyber security.