11-2: Stuxnet and the New Cyber

In Thresholds for Cyberwar, James A. Lewis outlines a framework to asses the effects and consequences of cyber attacks and to define the threshold between a cyber event against a nation and an act of war. The author dissects the issue of cyber warfare by analyzing two components of an attack: its potential physical damage and tactical and strategic applications. On the former issue, Lewis argues that “cyber attacks are not very destructive” (3), as strikes against physical targets are usually not intended to directly inflict casualties, but rather to cripple a country’s infrastructure. The recent development of the Stuxnet virus, however, diverges from Lewis’ assumptions. As discussed by Ralph Langner in his TED Talk Cracking Stuxnet, a 21st-century cyber weapon, the virus opens new horizons for the use of cyber attacks against physical targets. By manipulating digital safety systems that are critical for the proper functioning of delicate and highly unstable machines, viruses like Stuxnet have a significant destructive potential. Lewis’ assessment of the effects and consequences of cyber events, therefore, need to be revised to fit these current development in the field of cyber warfare.

In Lewis’s framework for understanding cyber attacks, Stuxnet would certainly qualify as an act of war, but the virus goes beyond the author’s assessment of the destructive potential of a cyber attack. Lewis defines cyber war as “the use of force to cause damage, destruction, or casualties for political effect by states or political groups” (1). In this definition, acts of war are separated from other cyber events such as disruptions of service and data due to their limited damage and minimal or absent use of force. Lewis draws a clear relationship between the physical aspect of an event and its classification as an act of war: “if the exploit does not inflict physical damage or destruction, it is not intimidation, nor the use of force, and not an attack” (1). Using this definition of cyber attacks as physically damaging events, the author then explores its possible uses in a conflict. His analysis, however, is based on the initial assumption that “cyber attacks are not very destructive” (3), and focuses only on their use against infrastructural targets and tactical and strategic applications as tools to assist military operations. Lewis’ arguments, however, are outdated, and Stuxnet goes beyond his assumptions, as a cyberweapon that can cause great physical damage by manipulating digital safety systems.

As presented by Ralph Langner in his TED Talk, Stuxnet was designed to stop the Iranian enrichment program by infiltrating the centrifuges’ digital safety systems, and the immense destructive potential of the virus lies on this unique feature of its code. After being introduced into the enrichment facility’s computers, Stuxnet’s purpose was to destabilize the centrifuges and cascade systems that are part of the enrichment process. The virus accomplished its design by manipulating the centrifuges’ output that was fed into the safety systems that controls the machines. These computer systems are designed to stop the centrifuges in case there was any danger of a possible disaster occurring, since they are too delicate and require too much precision to be calibrated by humans. Stuxnet destabilized the centrifuges by compromising their rotors and provided the program with data that indicated proper functioning, potentially causing the centrifuges to stop operations and even explode. Digital safety systems, however, are not just a feature of these enrichment facilities, but are present in other structures such as nuclear power plants. As Langner argues, a virus similar to Stuxnet could be used to tamper with other stable equipments that rely on these digital safety systems and lead to catastrophic outcomes.

But would a nation or political group use this sort of virus against a country like the U.S.? Although Lewis’ analysis for the effects of a cyber attack is outdated, the author provides some interesting insights about the possibility of a cyber attack being launched by different actors. The author highlights the possibility of retaliation and an escalation of the conflict as deterrents to attacks against civilian targets in the U.S. Lewis, however, considers the possibility of hostile actions by countries like North Korea and Iran in light of their past actions and threats. And if the U.S. engages in some military action against them, cyber weapons could certainly present a new front in the conflict. Small political groups would also have incentives to use such viruses due to today’s “inadequate cyber defenses” (7), but would also be subject to significant backlash and may not be able to accomplish such a complex strike due to the amount of reconnaissance of the facilities that is required.

Lewis’ concerns of a possible cyber attack are in fact not far from today’s reality, and seem to be attracting attention of policy makers as well. As reported by Carl Frazen, cyber threats were presented to to the House Intelligence Committee as a top threat to U.S. security. The questions of whether other countries or political groups have the resources and are willing to launch such an attack, however, still remains. So should we prepare for a cyber attack? Do you think other countries like Iran and North Korea have the capabilities and knowhow to create a weapon like Stuxnet? And if so, would they use it against a major target in the U.S.? — Fabrizio

3 thoughts on “11-2: Stuxnet and the New Cyber

  1. The U.S. should definitely prepare for a cyber attack and develop its own capabilities in that realm, considering that an increasing number of people have the capability and willingness to launch cyber attacks on businesses and infrastructure. The readings cite the usage of cyber attacks in a war against larger opponents such as Russia or China as a possibility, which are conflicts that could definitely materialize (see below for links on China). However, even if the U.S. and other states, including states like Iran and North Korea, refrain from launching cyber attacks on one another, there is still a definite threat from non-state actors. Unlike conventional military units and weapons of mass destruction (such as nuclear weapons, possibly not bioweapons), it is relatively easy for resourceful non-state actors working alone or as a group to launch cyber attacks on the U.S.–its government, military, companies, electric grid, and more. This proliferation of abilities alone should prompt the U.S. (and other) government to invest in more government employees and bureaus dedicated to preventing and responding to any cyber attacks.

    Some coverage:
    http://www.economist.com/blogs/analects/2013/02/chinese-cyber-attacks

    http://www.economist.com/news/special-report/21574636-chinas-state-sponsored-hackers-are-ubiquitousand-totally-unabashed-masters

  2. I completely agree that cyber attacks are a very real threat to the U.S. and should not be overlooked in national defense policies. In these readings as well as these blog posts, there have been a lot of discussion about what defines a cyber attack and the conditions under which such attacks may be considered acts of war. I think that an additional area of interest when discussing cyber attacks in particular is that of anonymity. The amount of global connectivity that exists in today’s world means that a cyber attack that seems to be originating from North Korea for example, could actually be from China or even from an unknown source. While veiled attacks and misdirection have always been prevalent, the advent of cyber warfare seems to have increased the ability of the attackers to hide. Thus, whatever policy is developed to respond to cyber attacks should take into special consideration these possibilities specific to cyber warfare.

  3. Interestingly, NATO commissioned a report by the “NATO Cyber Defence Centre of Excellence” which suggested some surprising recommendations. In the report, they say that cyber attacks which cause “physical damage, injury or death” constitute a ‘use of force’, and thus can be retaliated to with real physical weapons. This seems to put cyberwarfare as tantamount to conventional aggressive action. But, this seems to deal with originators of cyber-attacks as state actors. As we’ve discussed, it is probable that the “attack” will originate from a non-state actor. Also, what constitutes an attack may be specious. Is what happened to the NYT a cyberattack? Obviously China (or Chinese hacker syndicates) wasn’t attempting to destroy US infrastructure, but it was theft of US IP, perhaps for the purposes of state espionage (to identify who revealed ‘state secrets’ to the US press). Could we imprison the hackers the same we might imprison spies? What if they were stealing Intel’s plans for a new computer chip? Would the US government retaliate, then? Or would we allow Intel to retaliate as it sees fit? These are harder questions, I think, that address the more imminent threat of cyber-weapons.

Leave a Reply