2-2: On Stuxnet and Cyberwar

In their recent ‘Survival’ journal article, James Farwell and Rafal Rohozinski offer a detailed summary of the 2010 Stuxnet incident and discuss what it suggests about the future of global cyber warfare in general. Since cyber conflict is clearly a means of conflict likely to be used more and more often in the foreseeable future, the two experts focus on how it presents two major inherent differences from conventional warfare:

  • For one, it is very hard to trace the authors behind an attack. Therefore, culpability is hard to prove.
  • Secondly, it causes very little, if any at all, harm to civilians.

These two distinctive features currently make for a rather interesting dynamic since most valid international treaties predate the advent of computers, and thus do not consider something that causes no physical damage an ‘aggression’. This gray area currently offers governments the chance to act basically without any interference from international organizations or other countries. Obviously, many people believe this must change soon as cyber warfare cannot be ignored any longer, but how should one go about regulating this new means of conflict? Where does one draw the line exactly?

Simply put, there are no clear answers. Traceability being a big issue, one would have to pretty much forgo the distinction between lone hacker and government-mandated attacks and, in most cases, also the certainty of the identity of the attacker. Yet, I imagine most people would agree on the fact that, for instance, a US citizen who is simply suspected of hacking the national Defense systems does not really merit the same punishment one would impose on a culpable hostile nation (also, most countries adhere to the legal presumption of innocence principle). Furthermore, if one opted for regulation, he would have to quantify the damage to ensure that proportionality in the response is respected. But again, how can we objectively quantify the damage brought about by a worm or a virus? It is nowhere near as easy as having to count physical damages.

Given all of these considerations, one cannot help but ask: is future regulation really advantageous in the end? Or would all the subsequent red tape and general legal ambiguity be more counterproductive than helpful? If so, just how exactly should we go about it without infringing on established constitutional and international rights? — Tommaso

13 thoughts on “2-2: On Stuxnet and Cyberwar”

  1. Both domestic and international law and institutions have to be able to adapt to an evolving security environment, even if such changes are driven by a technology with many ambiguous facets like cyber-capabilities. The creation and development of cyber-legislation and regulation seems to occur at such a slow pace at least in part due to the relative lack of impact on the broader populace; however, it seems like only a matter of time before civilian life is truly affected (for example, if an electrical grid in a major metropolitan area is shut down as a result of a cyber-attack).

  2. The impact of cyber warfare can potentially cause great harm
    to civilians. Attacks on certain systems or individual computers can wreak
    havoc on nuclear plants, and the article noted the explicit example of an
    attack “cutting power from an air-traffic-control facility and causing a plane
    to crash” (30). Also Stuxnet has proved regulation difficult because the worm
    incorporates code from different sources. How can one put restrictions on code
    which is being generated constantly and can serve multiple purposes?

  3. Cwilbur makes a salient point: there exists significant opportunity for a cyber warfare attack to cause damage that severely affects a civilian population. The U.S., for example, is fairly vulnerable to an attack on energy infrastructure which could be devastating. Our energy grid in many areas relies on out-dated legacy systems that may be vulnerable to hostile attack, especially insofar as preventative measures have hitherto been slow to be implemented.

  4. I think an interesting point that this article makes is in regards to Distributed Denial of Service (DDoS) attacks. After reading this, I remembered an interesting article that I read in November during the Israeli Gaza Offensive that also mentioned DDoS — the article link: http://abcnews.go.com/Blotter/israel-combats-cyber-attacks-gaza-offensive/story?id=17763913 . In this case, Israel was the victim of DDoS attacks on the part of the hacker group Anonymous. I think the example given in the Farwell article of the Georgian government’s inability to combat this threat is an interesting contrast to the way Israel, a nation heavily invested in cyber-security, was able to do so. Anonymous is arguably the most organized cyber-criminal network, but it cannot compete with a government’s staggering investment in cyber-security. Will there come a time when this is not the case?

  5. I definitely agree that governments face many difficulties in determining what kind (if any) regulation should be created to address cyber attacks.

    One complicating factor is the unintended effects of cyberwarfare upon entities other than the target. Cyberwarfare avoids many of the additional effects of more physical warfare, such as refugee crises, nuclear fallout, the extension of terrorist networks, or perhaps most importantly, harm to innocent civilians. Yet many computers and facilities in countries outside the target are also vulnerable to cyberwarfare, raising a debate similar to that over whether drone strikes are permissible if they may also cause civilian deaths. In these cases, assuming we can even trace the attacker as others have mentioned, should the attacker be held responsible? To what extent?

    An additional complicating factor is that many materials, information, or technical skill necessary to launch a cyber attack (i.e. computers, knowledge of coding) are not, unlike highly enriched nuclear materials, exclusively dedicated to warfare. Like the difficulties government faces in dealing with homemade bombs made out of products readily available to civilians, it would be difficult to screen or somewhat prevent the launch of an attack like Stuxnet. This parallel made me think that Estonia’s Defense Minister’s comparison of DoS events to terrorist activity could be very apt.

  6. I agree with schar that government regulation of cyber-warfare
    is difficult.

    One difficulty I feel stems from the inherent uncertainty
    regarding a cyber-warfare attack’s impact and whether it is appropriate to
    equate cyber warfare damage with actual military damage. For instance, Stuxnet
    impacted not only the Iranian nuclear enrichment centers, but also facilities
    in India, Philippines, and France. As such, it is extremely difficult to fully
    gauge the code’s impact. If we consider this with the fact that culprit identification
    is extremely difficult with current existing technologies and algorithms, fully
    analyzing a code is nearly impossible.

    Moreover, the larger potential impact without the loss of
    human life resulting from cyber-attacks makes it harder to assess such attacks
    using the same criteria for military ones. For instance, an appropriate response
    to an unprovoked military attack on a small civilian plane would be a strike on
    communication facilities; whereas a small cyber-attack can easily warrant a
    large scale reaction. In short, cyberwarfare has the potential to quickly lead
    to escalated and rash attacks.

    As such, it may be wise to actually judge cyberwarfare using a
    completely different set of criteria that includes elements from criteria
    judging the impact of a military assault and criteria assessing code impact. This
    more comprehensive criterion will by no means resolve this debate, but it will
    help give a better framework to begin fully assessing cyber-attacks and help
    with understanding the larger ramifications and analysis of cyber tactics.

  7. I’m in total agreement with the general consensus on cyber regulation: it is (and should be) an entirely different ballgame from traditional military security. I think the most striking problem is that, generally speaking, cyber regulation implicates questions of sovereignty and jurisdiction which current regulatory schemata are not well-prepared to handle which compound the traceability problem Tommaso points out. It is not impossible that hostile governments could contract out cyber attacks to mercenaries from another, non-hostile country. How can the attacked state figure out who is to blame? What is the appropriate response? How is the non-hostile state implicated in all this? Delegating culpability between the multitude of actors in this situation is really difficult; the distributed nature of the attack makes it really difficult to figure out who is responsible for what.

    On another note, however, I would have to agree with cwilbur in that great harm can come to civilians via cyber attack, and that harm can be either physical (e.g. what if Stuxnet had caused a nuclear meltdown and exposed civilians to immense amounts of radiation?) or less tangible (e.g. what about infrastructural failures that cause massive disruptions in daily civil life?). As Sartori and Drell and Von Hippel point out in the context of nuclear war, immense social and psychological implications accompany the detonation of a nuclear weapon — the same kinds of implications could conceivably accompany the execution of a cyber attack as well. I realize that these implications are difficult to quantify, and hence difficult to address in policy, etc., but they simply further complicate the problems cyberwarfare poses to current policy frameworks. Basically, I agree wholeheartedly with cgalaiya in that cyberwarfare ought to be approached from an entirely new angle and judged based on a unique set of criteria in determining the appropriate preventative measures and drafting policies in response.

  8. As you said, an attack on these systems could potentially harm a country’s economy and civilian population. Much of this infrastructure in the US, however, is run by the private sector. I think an interesting question then is how can the government motivate companies to implement new security measures. Would corporations be willing to cooperate with the government and share private information? Would our ideologically divided congress pass important legislation to compel companies to adopt new security regulations?

  9. I agree that the difficulty of identifying the source of an attack and the challenge of quantifying cyber damage make regulation a complex task. However, I believe that better regulation is achievable and could be highly effective in the long term. A better legal framework for handling cyber-attacks would create clear payouts. The costs of such action would be more transparent to the potential attacker. This in turn could function as a deterrent mechanism similar to second strike capacity in nuclear warfare.

    Like cwilbur, I believe cyber warfare has clear implications for civilians. Although Farwell and Rohozinski mention a possible attack on “an air traffic control facility and causing a plane to crash”, they do not go far enough in their evaluation of the risks associated with cyber warfare. One can easily imagine attacks on a water treatment plant or a subway system having huge and direct repercussions for civilians. Businesses are already suffering from smaller scale cyber-attacks which steal intellectual property and data on a regular basis. In fact, there appears to be a growing awareness amongst civilians about the dangers of cyber warfare. The decision to block Huawei and ZTE telecommunications deals in the U.S. was largely based on concerns about the vulnerabilities created by a foreign power’s potential to control critical U.S. infrastructure through malware or cyber espionage.

    As cgalaiya points out, cyber warfare is a different animal. Policy makers and legal analysts will need to construct new legal frameworks and mechanisms for analysis, so that we can prevent and respond to cyber-attacks. The existing models are insufficient. Cyber warfare will require a new type of strategic planning altogether.

  10. In response to schar’s comment, it is worthwhile to note that enriched nuclear materials are also used for civilian purposes, such as geoengineering or alternate energy. What I think this person was getting at though, is that enriched nuclear materials are much easier to track because they are difficult to produce and must be kept in very specific kinds of facilities, whereas computers are essentially ubiquitous. This is the difficulty in tracking cyber crimes. What I found interesting about the article was that it mentioned that cyber crimes are not just difficult to trace because of their anonymous nature, but because of their prevalence as well. Cwilbur is therefore correct in saying that tracking and law enforcement is much more difficult due to the multiple sources a cyber crime might stem from. Restriction is almost impossible. As with any activity that is highly individualized, a procedure of incentivization and competition (monetary or otherwise) is then much more likely to be effective than any kind of ban or restriction.

  11. Farwell and Rohozinski raise some really
    interesting questions about cyberwarfare in this article. They discuss the
    dangers that society could and probably will face in the near future because of
    cyberwarfare. So what can we do about this? Are we even prepared? Tommaso
    above discusses whether or not regulation of cyberwarfare is really
    advantageous. I definitely understand why that question needs to be asked, but
    I believe that it is without question advantageous. Farwell and Rohozinski
    explain the chaos that cyberwarfare could cause and also, for those with the
    appropriate knowledge, how low risk it is. Basically, if someone really wanted
    to, they could create huge problems through cyberwarfare with little worry of
    being caught. The consequences of not doing anything are so severe that future
    regulation is completely necessary even if it is not successful at first. But
    the real issue for me is: do we even have the capability to regulate it?
    Traceability is a huge issue and if it is traced wrong it could cause huge
    international conflict. Also, especially with Americans, the line between what
    is a violation of privacy and what is acceptable could create huge uproar.
    Also, as Tommaso states above, one of the biggest issues is that most
    international treaties disregard cyberwarfare because there is a grey area in
    how those treaties define aggression. The point is cyberwarfare is a huge issue
    that could have disastrous effects on our world if regulation is not created
    and enforced. Unfortunately, right now we are not totally prepared to create
    that legislation, but it is vitally important that we get there soon.

  12. So far, we have talked a lot about the difficulties in identifying the party responsible for a cyber attack as well as the general uncertainty under which these attacks take place. In a sense, these cyber attacks can be thought of as being akin to acts of espionage or sabotage. In both of these cases, it is difficult to identify the attacker and even if identified, there is usually little proof to actually link those responsible to the actual act. Furthermore, as others have said, cyber attacks as well as espionage are usually specifically targeted and generally do not affect the civilian population. However, there can be cases where both of these may greatly affect civilians. While I am not familiar with the policies that nations use to deal with acts of espionage, these similarities lead me to believe that perhaps current policies on espionage can also be adapted to cyberwarfare.

  13. The discussion so far has focused on the difficulties in determining culpability
    for cyber attacks and how to develop policies that could deal with this issue.
    However, Stuxnet is identified by Farwell and Rohozinski as the first use
    of a cyber weapon. The code behind the virus and the way it contaminated the
    centrifuges by spreading through many computers are features that many other
    viruses possess. A question then certainly comes to mind: why was Stuxnet the
    first, if the technology was already available? Groups like Anonymous have
    already shown that the US and Israel are just as vulnerable as Iran, so why haven’t
    there been any attempts by terrorist groups to cause physical damage through
    cyberwarfare?
