SVG
Commentary
Weekly Standard Online

Does Stuxnet Mean Cyberwar?

Former Senior Fellow

If it's still unclear exactly what the Stuxnet worm was meant to target, it's possible that we won't entirely understand the consequences of this now notorious malware attack for many years to come. Maybe it will turn out that Stuxnet was little more than the over-hyped tech version of the recent hurricane that left a path of destruction everywhere it touched down over large parts of Asia – or maybe we'll see that it ushered in a new era whose anxieties and terrors surpassed the most maudlin and morose predictions of futurists and Hollywood directors.

First reports showed that the Stuxnet worm had targeted the industrial control systems, also called SCADA, at Iran's Bushehr nuclear reactor, but others contended that a different Iranian nuclear facility at Natanz was the destination. Centrifuge production at Natanz is down 23 percent since May 2009, which is roughly when the earliest version of the Stuxnet worm was first noticed. However, just last week the Iranians announced that the Bushehr site was not going to go on line for at least three more months. But, says Tehran, the delays have nothing to do with Stuxnet – even as the Iranians acknowledge that some personal computers belonging to staff at the Bushehr plant have been affected.

Some are wondering why a regime as opaque and paranoid as the Islamic Republic's has admitted to suffering any effects at all. One reason is that the Iranians' complaints of sabotage serve to highlight the contention that theirs is a civilian nuclear program – which Tehran's adversaries are violating international laws in order to subvert. Then there's simply the fact that the Iranians apparently can't stop talking about their nuclear program, like a proud first-time father showing off pictures of his child.

Compare Iran's nuclear logorrhea to Israel's nuclear ambiguity. For Jerusalem, the nuclear program is strictly a matter of national security. For Tehran the program is not just a strategic asset, but also a token of prestige: A state bearing a legacy as great and as ancient as Persia's deserves a nuclear program. However, Stuxnet may have shut the door to technological modernity right in Tehran's face – at least for the time being.

The atomic age isn't exactly over, but it seems we may have entered a new phase of it. In the age of cyberwarfare, what does it mean to have a nuclear weapon if someone else may own your command and control systems – and you may not even know that they do? If the Iranians do manage to build a bomb, can they now risk embarrassment, not to say a nuclear catastrophe, by testing it? And even if they test it successfully, what's its strategic worth if they don't know whether or not they can actually use it? Even concepts like nuclear deterrence will have to be reviewed. The relative stability of the Cold War was a function of clarity: Deterrence is a strategy premised on clear red-lines, warnings and threats. Cyberwarfare is precisely the opposite, where no one has to own anything and there is little, if any, accountability.

"One of the things that we are trying to reason through is what are the rules for using weapons in cyberspace," says former CIA director Gen. Michael Hayden. The U.S. discussion, explains Hayden, is in terms of distinction and proportionality. "You only want to hit who or what you're mad at, and then you need to decide if the good done outweighs the evil. I look at the amount of collateral damage from Stuxnet and it strikes me that this would be a challenging policy question for us, whether it meets what Americans would describe as distinction and proportionality."

Not every nation with a cyberwar program is concerned with these same issues, and since there is as yet nothing like a Geneva conventions applicable to cyberspace, each country's program will reflect the character of their intelligence services. A clandestine service that aggressively collects against its rivals, and friends, will also be aggressive in cyberwarfare. The Germans have advanced capacities, but very few cyber-security experts believe they could have had anything to do with Stuxnet — and not just because Siemens, which manufactured the SCADA systems the worm was designed to attack, is a German company. For obvious historical reasons, the Germans are relatively restrained in their clandestine work.

The Russians are famously not so restrained. Indeed, the Russians were responsible for what were, before Stuxnet, the two most famous CNAs, or Computer Network Attacks – first against Estonia in the spring of 2007 and, prior to that, during their short war against Georgia in the summer of 2008. The other most publicly aggressive cyberwar program is China's, which has engineered some of the most daring acts of espionage or CNEs, Computer Network Exploitations that have proved embarrassing for their victims, like the penetration of the Pentagon in 2007.

Despite Russia and China's formidable resources, the U.S. is still as the top of the list in cyberspace, says Hayden. "Last year the D.C.-based think-tank Center for Strategic and International Studies asked a bunch of people from around the world, 'who do you fear most in cyberspace?' And the number one answer was the U.S. I surmise they recognize the United States has powerful intelligence agencies, including the NSA, the CIA and others."

U.S. Cyber Command, based in Ft. Meade, Maryland, is a sub-command of U.S. Strategic Command and directed by Gen. Keith B. Alexander, former director of the National Security Agency. USCYBERCOM collates the efforts of the Army, Navy and Air Force, but a joint project like this might not be the best of ideas. The Air Force argues that they should control cyber because it's part of the "air," not as strange a rationale as it might seem at first. In fact, a useful analogy is to think of the intra-service fight over cyber as similar to the battle over air power more than a half a century ago. Before the creation of the Air Force, the existing service branches had their own air wings, all of which served different purposes. For the army, air power was primarily tactical – e.g., providing cover for infantry units; for the navy, it was more strategic, serving as another asset in a blue-water navy's efforts to project power anywhere in the world. Whoever got to own air power got to define it, and the same holds for cyber – to unite these different services with their different needs and ideas under one command is like putting a tent over a steel-cage match, and an increasingly costly one at that.

Some estimates suggest that the cost of cyberwar will eventually wind up somewhere close to 10 percent of the defense budget, a figure that might have seemed steep two weeks ago, but maybe less so after Stuxnet. We want to be able to defend our own systems against similar attacks, or even worse ones. "You hear people say, 'no one would bring the financial system down,'" says Stewart Baker, George W. Bush's former assistant secretary for policy at the Department Homeland Security, and author of Skating on Stilts: Why We Aren't Stopping Tomorrow's Terrorism. "It's wishful thinking to believe we all have an interest in the survival of the existing system. Obviously it's not good for us if the system goes down, but maybe someone else sees it differently. Maybe the calculation is that while it hurts them, too, it will only hurt them for a year or so, while it sets us back a century. That's a bargain some countries might be willing to make."

The apparent success of Stuxnet suggests that the best Computer Network Defense (CND) is a good offense, or CNA and CNE capacity, the latter two are obviously the most highly classified aspects of U.S. cyberwarfare. To return to the air power analogy, offense has outpaced defensive countermeasures from the beginning. Indeed, ideas about how to use offensive air power are ever evolving into more unpredictable scenarios. "Forty years after the Wright Brothers, half of the capitals of Europe were turned to rubble by airpower," says Baker. "No one imagined that in 1905." Nor before 9/11 had many imagined terrorists using air power to such effect.

Despite our size and financial resources, we were vulnerable on 9/11 for the same reason we still are today: The advantage in cyberwar goes not necessarily to those who have the most money and manpower, but to those who are most capable of surprise, improvisation and cunning, a few of the qualities that distinguish Israel's elite combat units. This applies even to those parts of the Israeli Defense Force that are not primarily tech units, explains Saul Singer, co-author, with Dan Senor, of Start-up Nation: The Story of Israel's Economic Miracle. "The military is what makes Israel so driven," says Singer. "The leadership skills, the ability to improvise and innovate, this comes out of military training, even if you are not exposed to tech work."

However, elite IDF units are always technologically advanced, says Shmuel Bar, a veteran of the Israeli intelligence community and founder of IntuView, an Israeli tech company that has developed an "artificial intuition" technology that interprets and summarizes Islamic- and/or terrorist-related material. Bar says that while Unit 8200 is the most famous Israeli high-tech outfit, there are many other units with very advanced technological capabilities in all areas of IT. "All of these units," says Bar, "get a percentage of the elite kids recruited right out of high school."

The military identifies the most talented kids and brings them in sometimes as early as two years before they're even scheduled to start their compulsory service. Says Bar: "They ask the kids, do you want to spend three years in a regular military unit - something anyone can do - or contribute to the country in a way that only a select few can do, add a few years to your service and at the same time receive unparalleled on the job training that will be invaluable in your future resume?"

Another two years in addition to the compulsory three, plus the two years prior to duty, and you have 25-year-olds with seven years of real-world—high-pressure—experience in tech before they even enter college. This is the engine of Israel's thriving IT industry, which has more companies listed on NASDAQ than any other country except for the U.S. (Indeed, the $3 billion annual aid package to Israel gets the U.S. government in on the ground floor of some of this Israeli tech R&D.)

But just as military training prepares Israel's most talented and ambitious for the business world, their private sector work is not dissimilar from what these tech units do when they're called back for reserve duty, a requirement for all Israeli men up to the age of 40. This back and forth ties the business sector to the military in a fashion many countries may envy but cannot emulate.

Even those countries that do have conscript armies, says Singer, are paradoxically at a disadvantage. "These armies are less tech-oriented because they are based more on masses of soldiers. Since Israel has never enjoyed numerical superiority over its enemies," Singer continues, "it had to rely on its training and technological advancement."

"What percentage of the U.S.'s high-tech sector has even been in the military or the intelligence services?" asks Bar. "Even if you wanted to recruit your top 5 percent, you're working against a left-wing academic culture that doesn't want to 'collaborate' with those they perceive as 'the forces of darkness.' In Israel, the military can co-opt high school teachers to help them hunt talent and even the most left-wing professors have served in the army and know that Iranian nukes are not going to bypass their home just because they're left wing."

Indeed, while in some Israeli circles there's concern that urbane and international Tel Aviv's relationship to the rest of Israel is ambivalent, if not detached, the reality is different. Some of those high-salaried IT CEOs sampling the Gamla at a Neve Tsedek wine bar are the same reservists in the elite tech units serving on the front lines of cyberwar.

How good are the Israelis at this new way of making war? "If we were not very advanced," says Bar, "the American military and homeland security establishment would not have such a keen interest in what we are doing, and we would not be able to sell to the American market. I think that says it all."

Or, it says as much as anyone's willing to say right now about Israel's cyberwar abilities.