Category Archives: Stuxnet

Geopolitics and Cyberpower: Why Geography Still Matters


I have a new article, “Geopolitics and Cyberpower: Why Geography Still Matters,” published in the latest issue of American Foreign Policy Interests, the journal of the National Committee on American Foreign Policy in New York City.

It’s an imperfect first attempt at an issue that is of enduring interest to me, so expect more on this from me down the road. That said, all comments and critiques are welcome. I hope you enjoy it: 10803920.2014.969174


Deciphering Cyberpower: Strategic Purpose in Peace and War


Strategic Studies Quarterly, published by Air University at Maxwell AFB, Alabama, has just published its Summer 2011 edition online. In it I have an essay titled "Deciphering Cyberpower: Strategic Purpose in Peace and War," part of my continuing effort to discern from cyberpower an enduring strategic perspective, despite the rapid change in cyber technologies. In the essay, I assert that the strategic purpose of cyberpower today is:

the ability in peace and war to manipulate perceptions of the strategic environment to one’s advantage while at the same time degrading the ability of an adversary to comprehend that same environment.

That, at least, is my take, and doubtless I'll change my mind at some point in the future. Am I right? Comments, suggestions, critiques, and even better, an alternative view, are very much welcomed.


Stuxnet and Cyberpower in War


World Politics Review has just published an essay I wrote titled "Stuxnet and Cyberpower in War." The following is an extract and then a link to the full piece at the World Politics Review website:

In June 2009, a computer worm called Stuxnet was unleashed against the nuclear enrichment plant at Natanz, Iran. Designed to infect the operating system used by the Iranians to control their nuclear centrifuges, Stuxnet significantly disrupted, and thus delayed, Iranian nuclear efforts, according to a New York Times report on Jan. 15, 2011. The Times report also provided a breathtaking peek behind the scenes of what appears to have been a large and complex covert operation to develop the Stuxnet worm. If the revelations are true, then the Stuxnet attack provides significant insights about the potential character of war by cyber means. They also raise serious questions about the use of cyberweapons in the future.

Since Stuxnet was discovered, there has been much commentary about what it means for cyberwar, a term that has become part of the contemporary strategic lexicon. The problem is that "cyberwar" is both an inaccurate descriptor of what Stuxnet and other possible cyberweapons portend, and artificially differentiates cyberpower — the ability to use cyberspace in peace and war in order to achieve political objectives — from the other military instruments as a tool of national power. Cyberpower must be analyzed and considered within the context of 21st century war and peace, not as an isolated phenomenon. To that end, the term "cyberwar" does not promote sound strategic thinking. Instead, it is more useful to talk of cyberpower in war, or war by cyber means.

While the Stuxnet worm reveals a number of characteristics about war by cyber means, it also raises many questions about this kind of warfare that policymakers would do well to ponder. Only by examining both sets of issues is it possible to determine whether Stuxnet is in fact a game-changer in the evolution of the cyber domain and in warfare in general.

http://www.worldpoliticsreview.com/articles/print/8570

 


Stuxnet: Idaho National Laboratory/Siemens 2008 Presentation on Siemens PCS-7


Yesterday's New York Times story on Stuxnet mentions a 2008 PowerPoint presentation made by Idaho National Laboratory and Siemens at a conference in Chicago, on the vulnerabilities of the Siemens Process Control System (PCS) 7 operating system used by the Iranians. The New York Times reports that the presentation is no longer available on the Siemens website, but I have obtained a copy here:

http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf


Stuxnet and the Evolution of Cyberwar: Some Thoughts and Questions


Today's New York Times has a fascinating story that purports to reveal the forces behind the Stuxnet worm alleged to have significantly disrupted – if not sabotaged – and thus delayed Iranian nuclear efforts.

If the revelations in this story are only partially correct, there is enough in it to raise the proverbial eyebrow, though in general the revelations fall in line with much of the informed speculation of the past few months.

However, assuming that the New York Times story is credible, Stuxnet reveals a number of issues about the current character of cyber war and also raises a number of important questions strategists and policy makers need to consider about the use of such capabilities.

Stuxnet and the Evolving Character of Cyber War

1. Stuxnet has shown that certain cyber weapons have strategic utility, but that utility resides in the ability to disrupt, deny, and deceive an adversary's strategic intentions, not coercion. For all the apparent damage Stuxnet seems to have done to the Iranian nuclear program, it has not coerced the Iranian regime into giving that program up. The extent to which Stuxnet seems to have delayed the Iranian program, however, is not too far off the extent to which an air strike would have conceivably achieved. This is significant.

2. Stuxnet worked because the Iranians had to use a foreign-made operating system that controlled their centrifuge operation. That particular system is made by Siemens of Germany, and according to the New York Times, Siemens cooperated with the Department of Energy's Idaho National Laboratory to test their operating system for 'cyber vulnerabilities'. If the Iranians had the resources, expertise and overall wherewithal to design and manufacture their own operating system using open-source software, tailoring a cyber weapon capable of producing a strategic effect similar to that of Stuxnet would have been much more difficult and much more reliant on having reliable human intelligence assets within the Iranian program. Of course, Siemens are not the only company that manufactures operating systems for large scale industrial processes, but it is reasonable to assume that intelligence agencies have, or are in the process of, uncovering the vulnerabilities of all the various makes.

3. The Stuxnet attack reveals the importance of possessing resilient and redundant cyber networks in the face of such offensive capabilities. Had the Iranians acquired back-up operating systems from a variety of manufacturers, as well as their own domestically-built operating system, and had them in reserve it is reasonable to speculate that Stuxnet's effect would have been short-lived. This raises the prospect that in the future countries like Iran will place a greater emphasis on resilience and redundancy, despite the delay and cost of doing so. In other words, Iran and others are already wise to the threat, devising work-arounds and defenses, and the onus is now back on the offense. This raises questions about offensive persistence in cyber war and the capacity on both sides for a conceivably rapid offense-defense cycle.

4. While it seems that the Israelis were the prime lead for this operation, it obviously required the backing and assistance of allies such as the United States, as well as, it appears, the U.K. and Germany – though in the case of the latter two it is unclear whether they played a knowing role in the operation. Cyber operations of this scale have many moving parts and are thus subject to the friction that will inevitably arise out of such complexity.

5. In light of this, Stuxnet also confirms the notion that such cyber attacks require years of detailed, careful, and persistent intelligence efforts, and not inconsiderable luck. Stuxnet has been years in the making and is suggestive of the massive intelligence burden required to make it work. Precise cyber attack will be burdensome and time-consuming.

6. The unique characteristics of Stuxnet, thanks to this massive intelligence effort, suggest that cyber weapons can be precise, though this does not mean that it will not have unknown second and third order effects.

7. Stuxnet, along with previous known cyber attacks such as those against Estonia and Georgia, all take place within a wider, known strategic context and have not been carried out in isolation from other, more traditional means. In Estonia the strategic context revolved around the Bronze Statue in an immediate sense, and the protests and riots that took place in response to its removal. In a broader sense, the strategic context is the political warfare campaign waged by Russia against Estonia and other former Soviet states in order to undermine their political and economic viability. The Estonian cyber attacks were just one data point in that context. The same is also true for the cyber attacks against Lithuania, Georgia, and Kyrgyzstan, among others. In Iran, the Stuxnet attack has taken place in the wider context of regional and international concern of not only Iran's nuclear program, but its apparent rise and regional hegemonic aspirations. In an immediate sense, the Stuxnet attack has taken place against the backdrop of a longstanding campaign of spiking nuclear equipment bound for Iran by Western intelligence agencies; assassinations of leading Iranian nuclear scientists by parties/entities unknown; and a seemingly biting sanctions regime. In short, context matters a great deal and cyber weapons/attacks seem most effective when used in conjunction with other instruments of power.

Some Questions Arising Out of Stuxnet

1. While Stuxnet has demonstrated the real strategic utility of cyber weapons, it does raise serious questions about legitimacy, accountability and restraint in the use of such weapons. In this particular case many might understandably argue what the beef is – Iran's nuclear program has been significantly disrupted, and therefore delayed, and this is surely a good thing. Well, yes … but, what if a cyber weapon created unintended consequences that resulted in the death of civilians (say a power outage that kills patients in an affected hospital)? In such cases how should a victim respond, and what should the obligations, if any, of the international community be? Who ultimately should make the decision to employ such weapons? This is not a call for hand-wringing – in terms of proportionality Stuxnet is infinitely preferable (and probably cheaper in a number of ways) than an air campaign; but these important questions remain nevertheless and should be given serious consideration.

2. So far, cyber attacks – ranging from the various denial-of-service attacks against the likes of Estonia, Georgia, etc., through to Stuxnet – have produced a disruptive strategic effect. On that empirical evidence one can confidently assert, for the time-being, that cyberpower is a disruptive strategic instrument. But we are also at the dawn of the age of cyber war. Is there a direct destructive potential of cyber we are not yet aware of? This is a meta question worth pondering and debating over time. More immediately, however, Stuxnet raises real questions that complicate the notion that we might be able to defend, or even deter, against such weapons. For example, do we know with any certainty both the cyber capabilities and capacity of our adversaries (real and potential)? Do we have an inkling of their 'thresholds' for when a disrupting cyber attack becomes, for them, a casus belli that spills over into a more traditional military response? The effects of a nuclear attack, or varieties of conventional munitions, are more or less widely understood. To borrow from the theology of nuclear strategy, we know where the escalation ladder ends when it comes to nuclear weapons. We do not know where that limit is for cyber weapons. As a result, all talk about defense and deterrence is worse than premature, it is downright misleading.

3. While few might argue that Iran didn't have this coming, Stuxnet raises a serious question about blowback. Iran, along with a number of other state and non-state actors, is also investing in cyber war capabilities. Do we, in the West, possess the resilience, robustness, and redundancy in our various networks that could not only withstand a Stuxnet-style (or worse) attack, but also be able to respond if required and if the perpetrator could be identified with a certain degree of confidence (even if that certainty is not necessarily of the standards required in a court of law)? I doubt it, and those issues need to be urgently addressed.

4. Given our seeming lack of knowledge about the extent of cyber war capabilities, yet at the same time evidence of its emerging strategic utility, cyber arms control proposals seem nonsensical at best. Caution and prudence is undoubtedly required, but as Stuxnet seems to have demonstrated, unlike a number of destructive capabilities, states seem to consider cyber weapons, despite their risks, eminently usable and useful.

These are thoughts in progress, and have been inspired not only by this particular story but also by the excellent discussions with SAASS students in the ongoing Cyber course there.

I hate strategic analogies – they are cognitive crutches that we rely upon for far too long and it produces nothing more than lazy thinking. Cyber is rife with silly nuclear and airpower strategic analogies that the conceptual field must rapidly abandon in favor of inductive reasoning based on what we do know. However, and temporarily putting aside my own animus toward them, there is an analogy from airpower history that seems appropriate at this point. In 1911 Italian forces bombed from the air a Turkish camp at Ain Zara in what is now Libya – it is the first recorded occurrence of bombing from aeroplanes (rather than balloons). Our theorizing and knowledge of cyberpower is as extensive and as mature as what little airpower theory existed prior to World War One. Extrapolating the future of cyber war from one data point such as Stuxnet should be done with humility and caution, virtues I hope I possess.
