Future of Cyber War
David Adams
Legal and Ethical Issues in Computing CIS 4253
The discovery in June 2010 that a cyber worm dubbed ‘Stuxnet’ had struck the Iranian nuclear facility at Natanz suggested that, for cyber war, the future is now. Yet more important is the political and strategic context in which new cyber threats are emerging, and the effects the worm has generated in this respect. Perhaps most striking is the confluence between cyber crime and state action.
States are capitalizing on technology whose development is driven by cyber crime, and perhaps outsourcing cyber attacks to non-attributable third parties, including criminal organizations. Cyber offers great potential for striking at enemies with less risk than using traditional military means. It is unclear how much the Stuxnet program cost, but it was almost certainly less than the cost of a single fighter-bomber. Yet if damage from cyber attacks can be quickly repaired, careful strategic thought is required in comparing the cost and benefits of cyber versus traditional military attack.
One important benefit of cyber attack may be its greater opportunity to achieve goals such as retarding the Iranian nuclear program without causing the loss of life or injury to innocent civilians that air strikes would seem more likely to inflict. Nevertheless, cyber attacks do carry a risk of collateral damage, with a risk of political blowback if the attacking parties are identified. Difficulty in identifying a cyber attacker presents multiple headaches for responding. A key strategic risk in cyber attack, finally, lies in potential escalatory responses.
Strategies for using cyber weapons like Stuxnet need to take into account that adversaries may attempt to turn them back against us.
The discovery in June 2010 that a cyber worm dubbed ‘Stuxnet’ had struck the Iranian nuclear facility at Natanz suggested that, for cyber war, the future is now. Stuxnet has apparently infected over 60,000 computers, more than half of them in Iran; other countries affected include India, Indonesia, China, Azerbaijan, South Korea, Malaysia, the United States, the United Kingdom, Australia, Finland and Germany.
The virus continues to spread and infect computer systems via the Internet, although its power to do damage is now limited by the availability of effective antidotes, and a built-in expiration date of 24 June 2012 (McMillan, 2010). Stuxnet is a sophisticated computer program designed to penetrate and establish control over remote systems in a quasi-autonomous fashion. It represents a new generation of ‘fire-and-forget’ malware that can be aimed in cyberspace against selected targets.
Those that Stuxnet targeted were ‘air gapped’; in other words, they were not connected to the public Internet and penetration required the use of intermediary devices such as USB sticks to gain access and establish control. Using four ‘zero-day vulnerabilities’ (vulnerabilities previously unknown, so that there has been no time to develop and distribute patches), the Stuxnet worm employs Siemens’ default passwords to access Windows operating systems that run the WinCC and PCS 7 programs. These are programmable logic controller (PLC) programs that manage industrial plants.
The genius of the worm is that it can strike and reprogram a computer target (Garza, 2010). Some media reports mistakenly thought the Iranian light-water power reactor at Bushehr was also a target. Iran confirmed that Stuxnet infected personal computers there while denying that much damage was inflicted (Yong, 2010). But Bushehr seems an unlikely target, because the plutonium produced by such light-water reactors is not well suited for weapons purposes. The more likely target is Iran’s uranium-enrichment program.
Although most of the 4,000–5,000 centrifuges operating to date at the pilot and industrial-scale fuel-enrichment facilities at Natanz have been producing only low-enriched uranium, the same centrifuges could be put to use to produce highly enriched uranium for weapons. Alternatively, and in a more likely scenario, it is feared that Iran could be operating secret centrifuge facilities to produce highly enriched uranium. The key to the Stuxnet worm is that it can attack both known and unknown centrifuges.
Although there is no hard evidence that Stuxnet has exposed Ahmadinejad to public criticism that the government failed to competently defend key installations, cyber can nevertheless be a tool to discredit, destabilize and weaken the authority of adversarial regimes. Cyber also offers great potential for striking at enemies with less risk than using traditional military means. For example, North Korea poses threats other than through its nuclear program. It is involved, for example, in extensive counterfeiting.
Cyber attack offers potential options that may prove effective in countering such criminal activity. Cyber is, moreover, less costly than traditional military action. It is unclear how much the Stuxnet program cost, but it was almost certainly less than the cost of a single fighter-bomber. Third parties currently working in concert with a state may or may not be held under tight control. Criminal groups are mercenary. They may well sell their services twice. Outsourcing to the underworld is a slippery slope.