San Francisco Chronicle
June 10, 2012
The U.S. government has extended its military superiority into the digital realm, developing highly sophisticated cyber weapons – and raising a host of questions about the new rules of war.
The New York Times’ remarkable reporting late last month confirmed to the satisfaction of most that the United States and Israel were behind the Stuxnet virus that hobbled Iran’s nuclear program in 2010, as was long suspected. The weaponized code slipped into Iran’s facilities on a thumb drive, sent the centrifuges spinning out of control and possibly set the nation’s nuclear ambitions back years.
In other words, a computer virus sabotaged another nation’s infrastructure without risking soldiers’ lives or civilian casualties. In that light, cyber attacks can seem like a way to conduct bloodless wars, without all the messy scrutiny or approvals necessary for the kinetic variety. And there’s a plausible deniability that’s simply impossible when your aircraft drop bombs.
So why wouldn’t we take advantage of such weapons?
I’ll neither argue that we shouldn’t generally or shouldn’t have in this case. I’ll simply say that cyber warfare is far from the risk-free gambit we might be lured into believing it to be. In fact, the seemingly innocuous nature could be the very thing that makes it particularly dangerous, because it makes it so tempting.
But as the Times’ reporting reminds us, deniability lasts only so long – particularly during a political campaign in which a sitting president wants to bolster his security credentials. When such suspicions are confirmed, it raises the threat of retaliation and escalation.
And not every actor will be interested in ensuring that counterstrikes are bloodless. An attack on another nation’s centrifuges could prompt an assault on our power grids, water-treatment facilities or air traffic-control systems, putting human lives at stake.
These aren’t entirely hypothetical risks.
A 2011 report from the Center for a New American Security found that U.S. military networks are “probed or scanned” about 250,000 times every hour, foreign agents have infiltrated the nation’s power grid, and in one test, a hacker was able to wrest control of the equipment that added chemicals to the public’s drinking water in Southern California.
An estimated 85 percent of the nation’s critical infrastructure lies in private hands, and by most accounts, large portions aren’t adequately secured.
Eric Jensen, a former military lawyer and associate law professor at Brigham Young University, said Stuxnet could constitute an “armed attack” under U.N. rules, which would grant Iran the right to take proportional actions in self-defense.
“If I was a legal adviser to Iran, I’d say there’s enough (evidence) to respond,” he said.
In fact, he suspects the nation will respond. It probably lacks the technical sophistication to retaliate on its own, but Jensen said there are surely international crime syndicates happy to sell their cyber services.
Kate Jastram, a lecturer in residence at UC Berkeley Law School, doesn’t think the U.S. action qualifies as an armed attack. But she does think Stuxnet and similar efforts demand a re-evaluation of questions surrounding the traditional rules of war, such as: What level of damage from a cyber attack constitutes a use of force or armed attack? What’s a proportional response, and how sure should we be of the source of an attack before we can respond?
One problem with the United States and it allies conducting cyber warfare out of the public eye is that the battles are preceding the policy conversations.
“Analysts are still not clear about the lessons of offense, defense, deterrence, escalation, norms, arms control, or how they fit together into a national strategy,” Harvard’s Joseph Nye wrote in his 2011 paper “Nuclear Lessons for Cyber Security?”
Cyber terror next?
It’s high time to sort through these issues, since all signs point to increasing cyber conflicts.
Late last month, security experts identified another virus, known as Flame, that reportedly seeks to collect information from nation states in the Middle East, including Iran. And Israel’s military declared emphatically on its website late last week that “cyberspace will be used to execute attacks and intelligence operations.”
Another major risk stemming from the U.S. role in Stuxnet is that it could grant license to other nations to launch their own digital attacks – on us or others. When a democratic superpower takes such actions, it recalibrates international norms, Jensen said.
But others disagree, including James Andrew Lewis, senior fellow at the bipartisan think tank Center for Strategic and International Studies in Washington. China and Russia have by no means been waiting around for anyone’s permission, engaging for years in online espionage and network attacks, he said.
Lewis believes that cyber warfare is just another weapon in our arsenal and that the scale of any foreign assault will be limited by the traditional calculus of war – chiefly, the size and strength of our military.
“We’re not limited to a cyber response,” he said, noting the Defense Department made this point explicitly last year. “Maybe we’ll send missiles.”
But two unique attributes of cyber warfare complicate that particular equation: the fact you can’t always know who launched such an attack, and the well-founded fear that malicious code can fall into the hands of non-state actors far more easily than traditional weapons of mass destruction.
“Sooner or later, terror groups will achieve cyber-sophistication,” former Vice Adm. Mike McConnell was quoted saying in 2010. “It’s like nuclear proliferation, only far easier.”
James Temple is a San Francisco Chronicle columnist. Dot.commentary runs three times each week.