Cyberwar: Reality or Exaggeration?Parsing Definition to Determine True Cyberthreats
Dare I suggest that the Stuxnet attack on Iranian nuclear facilities was cyberwarfare?
A report this past weekend in The New York Times suggests that the United States and Israel worked together to develop the Stuxnet worm that's blamed for crippling Iran's program to develop a nuclear weapon. The worm reportedly knocked out one-fifth of Iran's nuclear centrifuges. To look at it one way, the alleged virtual assault on the Iranian nuclear facilities did what a real bombing attack would try to do: disable an enemy's capability to wage war. Isn't that warfare? Would a digital attack be cyberwarfare?
But many experts poo-poo the idea of cyberwar, at least as an independent undertaking. Reducing Systemic Cybersecurity Risk - a paper issued this past week by the Organization for Economic Cooperation and Development, a forum of 34 nations, that promotes democracy and the market economy - contends virtual attacks defined as cyberwar usually are temporary disruptions of Internet services, vandalism or spying, and muddle attempts to clearly analyze the damage they cause by digital assaults. Wrote authors Peter Sommer of the London School of Economics and Ian Brown of Oxford University:
"Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. ... Cyberespionage is not a 'keystrokes away from cyberwar,' it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.
"It is unlikely that there will ever be a true cyberwar. The reasons are: many critical computer systems are protected against known exploits and malware so that designers of new cyberweapons have to identify new weaknesses and exploits; the effects of cyberattacks are difficult to predict - on the one hand they may be less powerful than hoped but may also have more extensive outcomes arising from the interconnectedness of systems, resulting in unwanted damage to perpetrators and their allies. More importantly, there is no strategic reason why any aggressor would limit themselves to only one class of weaponry.
Is Stuxnet a Game Changer?
With Stuxnet, the designers identified new weaknesses, and if the news report is to be believed, its designers knew exactly how the centrifuges would react (including giving operators the false impression they functioned properly). And, in Israel's situation, there could be a reason to limit its armaments to one class of weaponry: the ramifications of a kinetic attack could cause far more damage to Israel. Imagine the fallout - and potential war - that would result if Israeli jets attacked an Iranian nuclear facility (see Will Israel Nuke Iran's Nukes Virtually). Of course, if the report is true, Israel (or the United States, for that matter) isn't at war with Iran, since this conflict so far has been one sided, and most definitions of warfare involve at least two opposing sides (unless, of course, Iran retaliated virtually, but there's no evidence of).
Surviving Cyberwar author Richard Stiennon, in an interview last year (see Cyberwar: Defining It, Surviving It), said a cyberattack, in itself, isn't warfare, "just like shooting somebody in the street isn't warfare." In fact, he said cyberwar can only work in the context of a kinetic war, a view shared by James Miller, principal deputy assistant secretary of defense for policy (see Placing Limits on Cyberwar). But, in that conversation with Stiennon, he added: "But when it is state sponsored and the intents and purpose is war-like, in other words to somehow gain an advantage over another state adversary, that is when you start entering the realm of warfare. ... I don't think it would fall into the realm of warfare until there was shooting on both sides."
No shooting on both sides, yet, but with Stuxnet, it seems that Israel (and perhaps the U.S.) have entered the realm of warfare. It may not be a cyberwar, but it sure feels like one.
Cyberweaponry as Nuclear Deterrent
What does Stiennon think today? I e-mailed him Monday, and he responded that his view of cyberwar revolves around the risks, dangers and repercussions of the use of cyberweapons to upset the delicate balance of power established by procession of nuclear weapons, and Stuxnet is the most important development to date:
"If Stuxnet was indeed created by a state and if it's target was Iran's uranium-enrichment capability, then it was as much a weapon of war as a cruise missile or drone. Most would agree that a kinetic attack using cruise missiles, smart bombs or a nuclear warhead against another country's means of producing weapons is an act of war. Using carefully engineered software to accomplish the same thing would fall under the same definition."Still, without a declaration of war, the Stuxnet attack could be viewed as cybersabotage, Stiennon says, adding:.
"Stuxnet is certainly a cyberweapon. How to classify its use is going to be up to Iran."
Whether the United States government was behind the Stuxnet attack really doesn't matter from a perception standpoint; most people abroad will believe it was, bolstering America's reputation as the nation most feared of launching a cyberattack (see Which Nation is Most Feared in Cyberspace?), even if what happened wasn't cyberwar.