Today's New York Times has a fascinating story that purports to reveal the forces behind the Stuxnet worm alleged to have significantly disrupted – if not sabotaged – and thus delayed Iranian nuclear efforts.
If the revelations in this story are only partially correct there is enough in it to raise the provervbial eyebrow, though in general the revelations fall in line with much of the informed speculation of the past few months.
However, assuming that the New York Times story is credible, Stuxnet reveals a number of issues about the current character of cyber war and also raises a number of important questions strategists and policy makers need to consider about the use of such capabilities.
Stuxnet and the Evolving Character of Cyber War
1. Stuxnet has shown that certain cyber weapons have strategic utility, but that utility resides in the ability to disrupt, deny, and deceive an adversary's strategic intentions, not coercion. For all the apparent damage Stuxnet seems to have done to the Iranian nuclear program, it has not coerced the Iranian regime into giving that program up. The extent to which Stuxnet seems to have delayed the Iranian program, however, is not too far off the extent to which an air strike would have conceivably achieved. This is significant.
2. Stuxnet worked because the Iranians had to use a foreign-made operating system that controlled their centrifuge operation. That particular system is made by Siemens of Germany, and according to the New York Times, Siemens cooperated with the Department of Energy's Idaho National Laboratory to test their operating system for 'cyber vulnerabilities'. If the Iranians had the resources, expertise and overall wherewithall to design and manufacture their own operating system using open-source software, tailoring a cyber weapon capable of producing a strategic effect similar to that of Stuxnet would have been much more difficult and much more reliant on having reliable human intelligence assets within the Iranian program. Of course, Siemens are not the only company that manufactures operating systems for large scale industrial processes, but it is reasonable to assume that intelligence agencies have, or are in the process of, uncovering the vulnerabilities of all the various makes.
3. The Stuxnet attack reveals the importance of possessing resilient and redundant cyber networks in the face of such offensive capabilities. Had the Iranians acquired back-up operating systems from a variety of manufacturers, as well as their own domestically-built operating system, and had them in reserve it is reasonable to speculate that Stuxnet's effect would have been short-lived. This raises the prospect that in the future countries like Iran will place a greater emphasis on resilience and redundancy, despite the delay and cost of doing so. In other words, Iran and others are already wise to the threat, devising work-arounds and defenses, and the onus is now back on the offense. This raises questions about offensive persistence in cyber war and the capacity on both sides for a conceivably rapid offense-defense cycle.
4. While is seems that the Israelis were the prime lead for this operation, it obviously required the backing and assistance of allies such as the United States, as well as, it appears, the U.K. and Germany – though in the case of the latter two it is unclear whether they played a knowing role in the operation. Cyber operations of this scale have many moving parts and are thus subject to the friction that will inevitably arise out of such complexity.
5. In light of this, Stuxnet also confirms the notion that such cyber attacks require years of detailed, careful, and persistent intelligence efforts, and not inconsiderable luck. Stuxnet has been years in the making and is suggestive of the massive intelligence burden required to make it work. Precise cyber attack will be burdensome and time-consuming.
6. The unique chracteristics of Stuxnet, thanks to this massive intelligence effort, suggests that cyber weapons can be precise, though this does not mean that it will not have unknown second and third order effects.
7. Stuxnet, along with previous known cyber attacks such as those against Estonia and Georgia, all take place within a wider, known strategic context and have not been carried out in isolation from other, more traditional means. In Estonia the strategic context revolved around the Bronze Statue in an immediate sense, and the protests and riots that took place in response to its removal. In a broader sense, the strategic context is the political warfare campaign waged by Russia against Estonia and other former Soviet states in order to undermine their political and economic viability. The Estonian cyber attacks were just one data point in that context. The same is also true for the cyber attacks against Lithuania, Georgia, and Krgyzstan, among others. In Iran, the Stuxnet attack has taken place in the wider context of regional and international concern of not only Iran's nuclear program, but its apparent rise and regional hegemonic aspirations. In an immediate sense, the Stuxnet attack has taken place against the backdrop of a longstanding campaign of spiking nuclear equipment bound for Iran by Western intelligence agencies; assassinations od leading Iranian nuclear scientists by parties/entities unknown; and a seemingly biting sanctions regime. In short, context matters a great deal and cyber weapons/attacks seem most effective when used in conjunction with other instruments of power.
Some Questions Arising Out of Stuxnet
1. While Stuxnet has demonstrated the real strategic utility of cyber weapons, it does raise serious questions about legitimacy, accountability and restraint in the use of such weapons. In this particular case many might understandably argue what the beef is – Iran's nuclear program has been significantly disrupted, and therefore delayed, and this is surely a good thing. Well, yes … but, what if a cyber weapon created unintended consequences that resulted in the death of civilians (say a power outage that kills patients in an affected hospital)? In such cases how should a victim respond, and what should the obligations, if any, of the international community be? Who ultimately should make the decision to employ such weapons? This is not a call for hand-wringing – in terms of proportionality Stuxnet is infinitely preferable (and probably cheaper in a number of ways) than an air campaign; but these important questions remain noevertheless and should be given serious consideration.
2. So far, cyber attacks – ranging from the various denial-of-service attacks against the likes of Estonia, Georgia, etc., through to Stuxnet – have produced a disruptive strategic effect. On that emprical evidence one can confidently assert, for the time-being, that cyberpower is a disruptive strategic instrument. But we are also at the dawn of the age of cyber war. Is there a direct destructive potential of cyber we are not yet aware of? This is a meta question worth pondering and debating over time. More immediately, however, Stuxnet raises real questions that complicate the notion that we might be able to defend, or even deter, against such weapons. For example, do we know with any certainty both the cyber capabilities and capacity of our adversaries (real and potential)? Do we have an inkling of their 'thresholds' for when a disrupting cyber attack becomes, for them, a casus belli that spills over into a more traditional military response? The effects of a nuclear attack, or varieties of conventional munitions, are more or less widely understood. To borrow from the theology of nuclear strategy, we know where the escalation ladder ends when it comes to nuclear weapons. We do not know where that limit is for cyber weapons. As a result, all talk about defense and deterrence is worse than premature, it is downright misleading.
3. While few might argue that Iran didn't have this coming, Stuxnet raises a serious question about blowback. Iran, along with a number of other state and non-state actors are also investing in cyber war capabilities. Do we, in the West, possess the resilience, robustness, and redundancy in our various networks that could not only withstand a Stuxnet-style (or worse) attack, but also be able to respond if required and if the perpetrator could be identified with a certain degree of confidence (even if that certainty is not necessarily of the standards required in a court of law)? I doubt it, and those issues need to be urgently addressed.
4. Given our seeming lack of knowledge about the extent of cyber war capabilities, yet at the same time evidence of its emerging strategic utility, cyber arms control proposals seem nonsensical at best. Caution and prudence is undoubtedly required, but as Stuxnet seems to have demonstrated, unlike a number of destructive capabilities, states seem to consider cyber weapons, despite their riks, eminently usable and useful.
These are thoughts in progress, and have been inspired not only by this particular story but also by the excellent discussions with SAASS students in the ongoing Cyber course there.
I hate strategic analogies – they are cognitive crutches that we rely upon for far too long and it produces nothing more than lazy thinking. Cyber is rife with silly nuclear and airpower strategic analogies that the conceptual field must rapidly abandon in favor of inductive reasoning based on what we do know. However, and temporarily putting aside my own animus toward them, there is an analogy from airpower history that seems appropriate at this point. In 1911 Italian forces bombed from the air a Turkish camp at Ain Zara in what is now Libya – it is the first recorded occurrence of bombing from aeroplanes (rather than balloons). Our theorizing and knowledge of cyberpower is as extensive and as mature as what little airpower theory existed prior to World War One. Extrapolating the future of cyber war from one data point such as Stuxnet should be done with humility and caution, virtues I hope I possess.