Cyber Weapons 2
In addressing the viability cyber-weapons in the international arena, it is worthwhile to note that the technology is so new as to have few case studies available for analysis, and virtually no cases for which longitudinal outcomes are available. Any analysis of cyberweaponry occurs in the absence of any system of norms or regulations addressing this new mode of combat. That being said, contrary to Lucian’s earlier post, it’s worth considering the position that while defensive technologies are certainly a crucial part of our national defense strategy, a focus on defense does not preclude our pursuing offensive capabilities. The reasons for maintaining equally strong, if not stronger offensive cyberwarfare development are as follows.
We should develop stronger offensive cyberweapons, if not out of direct need to have the offensive strength to inflict damage upon enemy targets, then out of a need to better understand potential means of attack on the United States. Indeed, one of the best ways to develop strong defensive technologies is to anticipate the offensive technologies our enemies might wish to use against us. The development and release of the Stuxnet virus, for example, called attention to the security gaps in programmable logic controllers in infrastructure in the United States, and electricity providers are now taking steps to ensure that their grids are well secured.
It’s easy to imagine how this course of action might lead to an escalating cyber arms race, and far be it from the goal of any country to pursue a course of mutually assured destruction with its many. But all evidence indicates that America’s adversaries (and even some of her ostensible allies) have begun developing offensive capabilities. China, among other countries, has been the source of an enormous volume of attacks on the United States, having made multiple attempts at breaching the Pentagon’s servers. Given the Chinese government’s tight control on the Internet usage of their subjects, I find it implausible that authorities in Beijing are unaware of these attacks—although they may not directly sponsor them, their tacit consent is cause enough for concern. Our collaboration with Israel’s defense agency, Mossad, on Stuxnet and other cyberattacks has demonstrated that Israel already considered the implications of cyberwarfare and is moving swiftly to develop that capability.
Granted, the United States is right to use cyberweaponry with a hefty dose of caution—the high development costs and limited possibility for reuse of any one virus means that each attack must be carefully considered. The zero-days that made the Stuxnet virus so devasting and so sophisticated are useless to exploit once revealed (Microsoft, for example, issued a patch for one of the zero-days within weeks of the Stuxnet story being released).
I would also urge caution in asserting too hastily that conventional methods of warfare are adequate for the changed landscape of modern conflicts. As has been noted previously, we are establishing a risky precedent in engaging in attacks on targets that are ostensibly civilian, if not actually so. That being said, traditional standards of warfare are no longer sufficiently graduated as to accommodate the full spectrum of policy options that the United States wishes to pursue. Let us consider, for example, the attack on the Natanz enrichment facility in Iran using the Stuxnet virus, for which the U.S. and Israeli governments have tacitly, if not explicitly acknowledged responsibility.
Traditional policy options to address the possibility of Iran’s escalating nuclear capabilities would have included economic sanctions, drone strikes, or at worst, invasion of the country (as we did in Iraq a decade ago). Iran has long been subject to both uni- and multilateral economic sanctions from the United States, European Union, and U.N. Security Council. Members of the Iranian Revolutionary Guard have had their assets frozen, and an embargo on many products stifles the flow of goods into the country, yet our intelligence indicates that Iran’s nuclear program is as strong as ever. Drone strikes would have been able to effectively disable Iran’s nuclear capabilities for months or even years, but the United States would have a difficult time denying responsibility for the attacks. This lack of plausible deniability would have been perceived by an overt act of war, embroiling the United States in yet another ill-advised conflict in the Middle East. Invasion, by any standard an extreme response, would have most certainly escalated the issue far beyond the range of what would have been considered acceptable to U.S. military brass. Stuxnet, while not entirely effective, was most likely a happy medium between inaction and overreaction. The use of cyberweaponry allowed the United States some degree of plausible deniability while maintaining flexibility in future policy actions.
Furthermore, this view of offensive capabilities ignores the possibility of using cyberweaponry as a tool for espionage. While neither offensive nor defensive, espionage using code rather than physical means (whether personnel or drones) poses a much smaller risk to the United States’ intelligence resources. The utility of code in industrial espionage has already been well-established; Symantec at first glance suspected Stuxnet to be a particularly sophisticated means of industrial espionage. For targets that are well-connected to the Internet, using viruses to relay information about factory layouts rather than risking the security of personnel on the ground seems to be a far more prudent and effective use of our large, but limited national security resources.