4-2: On Cyberwarfare

The secrecy surrounding every country’s nuclear capabilities has been the key to the strategic diplomacy that has bought the world some extra time, thereby bringing about an era of stability. As David Sanger writes, the most brilliant part of the US strategy to take down the Iranian nuclear program is the psychological element to it. Israel, in another example of psychological warfare, takes out the key scientists who are working on the nuclear program at Shahid Beheshti University in order to create fear within the scientific community and turn off the scientists from working on the project that might otherwise be appealing. A psychological effect of cyber warfare is uncertainty. It makes an attack difficult to define and it is practically untraceable. Uncertainty creates too many options, and an option for one possibility may be a disastrous course of action for another.

An attack that is meant to disable is indistinguishable from the routine technological failures that occur in every day life. A cyber attack does not look like an attack, because it is non-violent in the conventional sense of that term. This poses a problem of proportionality in warfare. Furthermore, even if an attack is defined with some reasonable certainty, if the target is initially a secret, it is difficult to know what to do about it without compromising valuable information. What this points to is a necessity for creating new norms and rules for cyber attacks: first, how do we define them and what is “permissible?,” and second, what would a proportional response look like? One interesting thing I found about the article was about the precautions the United States took so that the computer virus would not violate certain codes of war: for example, the virus could not disrupt hospitals or schools, and had to be confined strictly to the Iranian centrifuges.

There is one critical issue with subtle warfare like cyber warfare, which is that it does not eliminate any threats. As David Sanger wisely asks, what is the difference between a nuclear-capable Iran that aspires and is close to being a nuclear power, and an Iran that is a nuclear power? Both versions of Iran are hostile to the United States. Although I don’t know the answer to this question, I think that eliminating secrecy through UN measures of accountability (much like the IAEA keeps—although I am not necessarily against these) is not necessarily the answer. After all, Iran’s tight spot when it came to responding to Stuxnet was that much of its technologies were secret in the first place. — Adriana

7 thoughts on “4-2: On Cyberwarfare

  1. Although it can be argued that secrecy has brought about an “era of stability,” I think that this peace has
    been maintained by chance. In the second chapter of “The Offense: Missiles and War Games,” Hafemeister notes that nuclear conflict will most likely occur as a result of false information. When a country does not know the capabilities of another or doubts their intentions, it may tailor its action to conform to a worst case scenario. Hafemeister uses both a scare in the US concerning the Soviet Union and one in Russia concerning Norway. Fortunately in both cases, the Presidents of the US and Russia decided not to act hastily. However, these
    two misunderstandings could have easily led to nuclear war. Secrecy may be used strategically, but it also has great potential to create an undesirable chain of events.
    In terms of cyber warfare, I agree that viruses should be modified to attack locations dealing with nuclear
    weapons and war information while leaving hospitals and schools unscathed. This criteria transforms cyber warfare into a new military technique as opposed to an uncontrolled force that directly harms innocent civilians.

  2. While I agree that perhaps we have entered into an “era of stability,” stability built on secrecy is precarious at best. I think that cwilbur brings up an excellent point that potential overreaction to an imagined worst-case scenario is as undesirable as the worst-case scenario itself, especially in the context of nuclear war. Furthermore, inserting a new variable into the mix via cyberwarfare could serve merely to amplify the uncertainty for both parties. Clearly, Stuxnet proliferated in unanticipated ways, and if there is anything we have learned from social studies of technology, it is that this unforeseen proliferation often, if not always, accompanies the introduction of new technologies into new contexts. It is difficult to know where the code might end up, or what it might morph into, especially if it falls into the wrong hands. In short, uncertainty breeds fear breeds more uncertainty — not a pretty picture.
    On the other hand, I agree that the configuration of the US and Israel as anti-nuclear-Iran states was particularly fortuitous. Where Israel had the ability to execute the more “conventional” tactics, the US could continue covert monitoring while maintaining a rather more amicable face when in official contact with Iran. Stuxnet allowed the US to stay in this role and portray this image whilst making a direct, deliberate effort to slow the Iranian nuclear program, which must have put American and Israeli officials more at ease. In other words, while it definitely brought on a whole host of new uncertainties into the project, Stuxnet also managed to give the US and Israel some relief in that they were in control (at least in part) of the enrichment centrifuges. Thus, I think that Adriana’s point — that we need to think through the different conditions and the different stakes of cyberwarfare, and develop norms about it — is spot on.

  3. Adriana raises a lot of very salient points about cyber warfare. One of the unique features of cyber warfare, especially how it is shaping up between the US and China, is the fact that it is happening largely outside of public perception. The media cannot immediately see a cyberattack and often the damage is not “visible” enough to merit significant reporting.

    While these cyber attacks still receive proportional responses, they are not perceived as explicit acts of warfare. If China were to bomb a server farm, we would have a much different issue on our hands than if China were to hack a server farm, strip it of its data, and incur damaging hardware malfunctions. In both cases we have no loss of life, potentially millions of dollars of damage, and a loss of data, but the explosion matches conventional notions of warfare and would therefore be treated differently. This brings to the forefront the issue of creating new norms and rules for cyber attacks; without norms and rules, the only appropriate way to respond to a cyber attack is with a highly damaging cyber counterattack.

    Sanger notes that Tom Donilon and John Kerry are to hold conversations in China where they are expected to argue that Chinese attacks are eroding support. These “threats” are another method that the US is using to try to stop China’s cyber attacks, but they are likely not to work, since the US and China are essentially playing chicken with one another. As an undefined form of attack, it is unclear if the international community would agree that economic sanctions are an appropriate response to cyber attacks. Some could argue that such a response is disproportional and insist the US is unjustified. But until this escalation occurs, it is not clear that the US has the capacity to stop China’s attacks from not only continuing, but from growing in “sheer size and sophistication” as Sanger says. Unless the global community agrees on norms for cyber warfare, the political consequences of responding with anything but more covert cyber counterstrikes may be too high.

  4. I agree with much of Adriana’s views. Cyber warfare definitely creates a new aspect to conventional warfare.

    I think one question to note how is whether current standards of warfare ought to apply to cyber warfare. Many nations that engage in cyber warfare outsource these attacks to covert third parties whereas the United States’ laws prevent such actions. Are we to apply the same rules and values to an underground organization as we would a nation? If so, do we inadvertently give equal credibility to that party?

    Additionally, we should question the effectiveness of cyber warfare. It could be argued that the Stuxnet attack only re-doubled Iranian efforts to develop a bomb. Also the full extent of the attacks is unknown given that neutral nations also claim consequences from the attack? Should the United States be held responsible for this attack? Most likely, the United States would apologize for the attack (assuming they admit to it), but no consequences would be noticed. If this is the case then we have a double standard inherently in place and cannot hope to fairly judge others using the same standards.

    It will be interesting to see what Sanger has on these views and what specific guidelines he would recommend to govern cyber warfare.

  5. Adriana raises the interesting point that cyber attacks targeting Iran’s nuclear facilities do not permanently remove the threat. It is true that both versions of Iran are hostile to the United States. However, I do not believe that this can be considered a flaw of cyber attacks. Cyber attacks alone cannot be expect to fundamentally alter relations between states with conflicting strategic interests. As Sanger notes, one of the main strengths of cyber attacks, is the ability to “buy time”. By slowing Iran’s progress, cyber attacks make other options more feasible. In a sense cyber
    warfare creates the conditions for indirect methods; sanctions, engagement and other covert operations, to take effect and succeed. Cyber attacks can never be assessed in a vacuum. We must always be cognizant of how cyber
    attacks interact with the larger ‘theatre’ of tactics. They can interact with other initiatives like diplomacy and financial sanctions to achieve a desired political goal. To this end, I think it is also important to note how a cyber attack capacity has many applications and can be an effective tool in both “kinetic” attacks as well as a way to communicate effectively with a population, for instance by providing better access to information that might otherwise be blocked, which could ultimately alter attitudes towards a regime.

    A second issue raised was the challenge of defining a proportional response. This is a difficult question to answer, especially since the cyber attack on Iran would invariably be considered an attack on critical infrastructure. As Sanger, notes this begs that questions of how United States can now criticize China for its cyber espionage program. It will be a useful exercise to see if one really can differentiate between what the U.S. has done to Iran and what we condemn China for doing.

  6. You note that “There is one critical issue with subtle warfare like cyber warfare, which is that it does not eliminate any threats.” And yet Stuxnet was able to disable 984 centrifuges, one-fifth of the machinery in Natanz. While the lasting effect this single attack had is debatable, it should be remembered that this was the first attempt by the US to utilize cyberwarfare. A worm that was developed while the NSA and the Defense Department were fighting over turf and a new President was taking power, and that was developed by two separate countries, was able to destroy nearly 1000 machines without the US having to put a single pair of boots on the ground. In my opinion, I think this is a very potent new battlefield, especially when you consider how much technology today is dependent upon computer control. This is obviously a new territory with new rules, but I think that Stuxnet showed the world that cyber attacks are a very real form of aggression that can move well beyond information theft. If we can gain control of their centrifuges by worm, what’s to say we can’t gain control of their silos? More terrifying, what’s to say they can’t gain control of ours?

  7. The part of the blog post that struck me most was related to codes of war: when discussing Stuxnet and cyberwarfare in earlier weeks, one of the benefits of cyberwarfare mentioned was that cyberwarfare does not lead to as much or as severe collateral damage. Unlike air strikes or other conventional military operations that are meant to target nuclear facilities, innocent civilians living nearby are not placed at bodily risk. However, as American policy considerations leading up to the attack demonstrate, a virus attack on hospitals or schools or places other than the centrifuges could also lead to collateral damage in a sense, which was something I hadn’t really considered before. Especially with medical records increasingly placed online nowadays, even temporary disruptions to patients’ medical files would cause a great deal of havoc and perhaps even be fatal for certain patients.

Leave a Reply