I don’t know about you, but the following two articles scare the bejesus out of me. The Washington Post reports the Pentagon has integrated U.S. cyber warfare assets into its conventional military inventory. So just as we might send jets to bomb Iraq or any other enemy target, we now can employ cyber worms like Stuxnet, which the U.S. is reputed to have played a major role in creating, in similarly lethal fashion:
The Pentagon has developed a list of cyber-weapons and tools, including viruses that can sabotage an adversary’s critical networks, to streamline how the United States engages in computer warfare.
The classified list of capabilities has been in use for several months and has been approved by other agencies, including the CIA, said military officials who spoke on the condition of anonymity to describe a sensitive program. The list forms part of the Pentagon’s set of approved weapons or “fires” that can be employed against an enemy.
“So whether it’s a tank, an M-16 or a computer virus, it’s going to follow the same rules so that we can understand how to employ it, when you can use it, when you can’t, what you can and can’t use,” a senior military official said.
The integration of cyber-technologies into a formal structure of approved capabilities is perhaps the most significant operational development in military cyber-doctrine in years, the senior military official said.
And lest you worry your silly little head about how and when we will cause failures of massive Chinese dams or Iranian nuclear plants, potentially killing tens or hundreds of thousands, you needn’t. Our president has it all under control:
The framework clarifies, for instance, that the military needs presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later…
Under the new framework, the use of a weapon such as Stuxnet could occur only if the president granted approval, even if it were used during a state of hostilities, military officials said. The use of any cyber-weapon would have to be proportional to the threat, not inflict undue collateral damage and avoid civilian casualties.
So the Stuxnet worm, which the NY Times portrayed as likely having been developed in close collaboration with Israel, would need approval of the president before it was deployed. That’s supposed to comfort us when the president might be someone like George Bush? And given Obama’s enthusiasm for targeted assassinations, why should we not assume he knew of, and approved of, Stuxnet wreaking havoc within Iran’s nuclear facilities? Yes, Stuxnet appears not to have killed anyone. But where is the line between cyber weapons that kill and those that don’t? And how can you guarantee that you don’t cross that line (if indeed you don’t want to…which raises another question)? How do you guarantee that Stuxnet only disables a nuclear plant and doesn’t cause a Fukushima-style core meltdown with concomitant civilian exposure to massive levels of radioactivity?
It is only slightly encouraging that this new strategic doctrine emphasizes the use of cyber-methods largely for defensive purposes. But who’s to define what is defensive and what is offensive? Is disabling Iran’s Natanz and Bushehr plants defensive? Clearly, the U.S. thinks so or it wouldn’t have participated in the project. But what if the worm had killed Iranians? What then? Do we argue that slightly delaying the date by which Iran gets a nuclear weapon (if they are trying to make one) is a defensive act that justifies killing or injuring Iranians, if any are harmed?
The NY Times takes a markedly different approach to the same story. It reports the Pentagon is readying a new military doctrine which will declare any cyber attack against the U.S. which endangers the lives of civilians to be an act of war:
The Pentagon, trying to create a formal strategy to deter cyberattacks on the United States, plans to issue a new strategy soon declaring that a computer attack from a foreign nation can be considered an act of war that may result in a military response.
Several administration officials…have suggested publicly that any American president could consider a variety of responses — economic sanctions, retaliatory cyberattacks or a military strike — if critical American computer systems were ever attacked…
The new military strategy…makes explicit that a cyberattack could be considered equivalent to a more traditional act of war. The Pentagon is declaring that any computer attack that threatens widespread civilian casualties — for example, by cutting off power supplies or bringing down hospitals and emergency-responder networks — could be treated as an act of aggression.
Which raises an interesting question. Clearly, the Stuxnet attack, if perpetrated here, would be considered an act of aggression to which the U.S. might respond militarily. If that’s so, then would Iran be justified attacking Israel for its involvement? And just how do you prove that a specific country mounted such an attack against you? What level of certainty do you need?
Of course, we would not countenance an Iranian attack against Israel for giving it the “gift” of Stuxnet, which is why Iran has not retaliated (yet). So this means that there are two sets of rules operating concerning cyber-warfare: one set is for the big guys like us and another is for the littler, less powerful fellas like Iran. Hit us and we’ll knock you to Kingdom Come (if we can). Hit Iran, well not so much. How do you spell h-y-p-o-c-r-i-s-y?

As for your question, what is “defensive”, taking these two articles together, and considering the New And Improved Presidential Rule Of Law, established by Bush Jr. and by now affirmed by Obama (“It’s legal when the President does it”), my suspicion is: it’s defensive when “we” do it, and offensive when anyone does it to “us”.
The condition of Presidential approval of any cyber-attack, err, I mean cyber-defense, makes me laugh though. Unlike physical weapons, pieces of computer code are immediately reproducible in unlimited numbers – just ask the RIAA. Once such a virus or whatever has been stolen or leaked or whatever – the question is not if, but when – the genie can’t be put back into the bottle – again unlike physical weapons, which (in theory at least) can be found and seized back. I think in the long term the Pentagon is shooting itself, and everyone else, in the foot in a big way.
This can become a very dirty war, even if waged with clean hands behind computer desks. While American military power doesn’t have a match in the world, this cyber warfare can be successfully waged by small countries and groups operating in such a manner that one cannot even determine where attacks originate and who’s responsible. Wikileaks, for example, has set up infrastructure whereby it’s impossible to find out who has leaked a document and from where.