Stuxnet cyberattack by US a ‘destabilizing and dangerous’ course of action, security expert Bruce Schneier says

By Ellen Messmer, Network World
June 18, 2012 05:11 PM ET

Revelations by The New York Times that President Barack Obama in his role as commander in chief ordered the Stuxnet cyberattack against Iran’s uranium-enrichment facility two years ago in cahoots with Israel are generating controversy, with Washington in an uproar over national-security leaks. But the important question is whether this covert action of sabotage against Iran, the first known major cyberattack authorized by a U.S. president, is the right course for the country to take. Are secret cyberattacks helping the U.S. solve geopolitical problems or actually making things worse?

Bruce Schneier, noted security expert and author, whose most recent book is “Liars and Outliers,” argues the U.S. made a mistake with Stuxnet, and he discusses why it’s important for the world to tackle cyber-arms control now in an interview with Network World senior editor Ellen Messmer.

The question is going to be debated whether Stuxnet was a good tactic to stop Iran from developing a nuclear weapon by sabotaging its facility through a malware attack in a covert action that was ultimately discovered. In an interview with Chris Wallace on Fox News last night, former National Security Agency director, retired Gen. Michael Hayden, said he thought it amounted to “taunting Iran.” Based on the mix of military leadership, governmental leadership and ethical questions it raises, is Stuxnet a suitable approach?

There are two parts to this analysis. The first is tactical: Is a cyber-weapon more or less suitable than a conventional weapon? In 2007 Israel attacked a Syrian nuclear facility; it was a conventional attack with warplanes and bombs. Comparing the two, Stuxnet seems far more humane — even though it damaged networks outside of Iran. The other part to the analysis is more strategic. Stuxnet didn’t just damage the Natanz nuclear facility; it damaged the U.S.’s credibility as a fair arbiter and force for peace in cyberspace. Its effects will be felt as other countries ramp up their offensive cyberspace capabilities in response. For that reason, Stuxnet was a destabilizing and dangerous course of action.

David Sanger’s NY Times article of June 1, headlined “Obama order sped up wave of cyberattacks against Iran,” offers a vivid account of how President Obama decided cyberattacks against Iran should proceed through cooperation with Israel through use of the Stuxnet malware. However effective this might have been in stopping Iran from developing a nuclear weapon, it’s now widely thought that the Stuxnet malware got out of control, spreading in the wild. What’s your view on this, assuming the Times article is fully accurate?

It seems to be correct.

Sanger’s article was very interesting, and it is worth reading, but it basically confirmed everything we all knew. We knew that Stuxnet was the work of Israel and the United States. We knew that it was intended as a pinpoint attack, and spread beyond its intended target. Other investigative journalists uncovered these truths already. What Sanger’s article added to the discussion was detail about the program from inside both the Obama and the Bush administrations.

Richard Clarke’s book “Cyber War” draws the distinction between cyber-espionage and cyberattacks. He argues cyber-espionage should basically be considered a routine, acceptable practice of any country as part of government intelligence operations. But he argues other state-sponsored operations, such as putting malware secretly into a power grid for example, or launching an actual attack, are distinctly different, and have to be considered in the realm of offensive weapons. Clarke suggests cyberweapons should be subject to arms control agreements of various sorts much as other types of weapons that can be used in war are today. Do you draw the distinction between cyber-espionage and cyberweapons along these lines? And should there be an effort by the U.S. and others to craft treaties related to cyber-arms?

Of course there’s a difference between intelligence gathering and offensive military actions. Throughout history, there has been a bright line between the two. And what’s true in the geopolitics of the physical world is no different in cyberspace. This same distinction also exists in computer security more generally. There is a fundamental difference between passive eavesdropping attacks and more active attacks that delete or overwrite data. As to arms control agreements, I think it is vital for both society and cyberspace that we begin these discussions now. We’re in the early years of a cyberwar arms race, an arms race that will be expensive, destabilizing, and dangerously damaging. It will lead to the militarization of cyberspace, and the transformation of the Internet into something much less free and open. Perhaps it’s too late to reverse this trend — certainly you can argue that military grade cyberweapons like Stuxnet and Flame have already destroyed the U.S.’s credibility as a leader for a free and open Internet — but the only chance we have are cyberweapons treaties.

If so, how do you think that should proceed?

I’m not an idealist. I know that cyberwar treaties will be difficult to negotiate and even more difficult to enforce. Given how easy it is for a country to hide a chemical weapons plant, I know that it will be even easier to hide a cyberweapons plant. I also know that there is a lot of money and power trying to sow cyberwar fears.

But even with all of this, I think there is enormous value in the treaty process — and in the treaties themselves. I think we need to proceed by starting the dialogue. We made a mistake with Stuxnet: We traded a small short-term gain for a large longer-term loss. We can’t undo that, but we can do better in the future.


3 thoughts on “Stuxnet cyberattack by US a ‘destabilizing and dangerous’ course of action, security expert Bruce Schneier says”

  1. While I generally agree with the tone of the article, I don’t think it does a very good job at justifying itself, or making any meaningful suggestions.

    First, is it the attack itself, the perception that America led the attack, or the public admission that America led the attack that is most significant? They are all very different politically and militarily.

    Second, what is the incentive to arms control, especially when the nation with the most to lose uses the weapon offensively? If the US is willing to use it, why would anyone else desire immunity? And if the US came out today and said they are willing to negotiate an arms control treaty, what credibility would they have to make this statement?

    Third, the only way an arms control treaty could function in cyberspace is if there is some sort of established international legal regime making it more difficult to disguise government sabotage as private sabotage. We waste breath talking about the former until we can set a societal standard for the latter.

    And does the author know how successful or unsuccessful “Olympic Games” have been? How can he judge the long/short term repercussions? Keeping Iran from nuclear capability may have been/will be crucial. Maybe it is futile, but it’s good to remember that America isn’t using cyber war because an American war statue was moved (Russia v Estonia) or to illegally invade a peaceful state (Russia v Georgia).

  2. I’m not sure he is debating the success of the project or not… more the “what now” piece of it. I agree the article might be a bit weak, but it could be an entire paper…don’t you think? Perhaps for a masters program at Cambridge?

    So the author might have a ton of data, but was attempting to make it readable… I don’t know, but I had the same thought as you on that one… not much in the–what do we do category… the treaty is interesting and I mentioned that to a bud in a FB reply a couple of days ago…. don’t know how that would work, but something to ponder perhaps.
    I do sense this is something akin to nuclear weapons… not in the death and destruction, but in the concept that we don’t know where it could lead… or what twist it could take–my gut says between this and drones… we are indeed looking at some sort of Brave or Strange New World.

    • “We made a mistake with Stuxnet: We traded a small short-term gain for a large longer-term loss. We can’t undo that, but we can do better in the future.”

      I thought this was unfair of the author, unless he is going to comment on the long term effect the cyber-weapons had on Iran’s ability to get nuclear weapons. And still, he treats the whole Stuxnet ordeal rather simply. Again, is the use of the cyber-weapon itself a mistake, or is getting caught the mistake? Or the admission of responsibility? Or all 3?

      But I agree entirely- networking has been militarized. If the US had any foresight, it would save all its money on sophisticated network protection, and get rid of all but the most necessary networks. Without networks, it’s hard to do cyber war.
