11-2: Stuxnet and the New Cyber

In Thresholds for Cyberwar, James A. Lewis outlines a framework to assess the effects and consequences of cyber attacks and to define the threshold between a cyber event against a nation and an act of war. The author dissects the issue of cyber warfare by analyzing two components of an attack: its potential physical damage and its tactical and strategic applications. On the former issue, Lewis argues that “cyber attacks are not very destructive” (3), as strikes against physical targets are usually not intended to directly inflict casualties, but rather to cripple a country’s infrastructure. The recent development of the Stuxnet virus, however, diverges from Lewis’ assumptions. As discussed by Ralph Langner in his TED Talk Cracking Stuxnet, a 21st-century cyber weapon, the virus opens new horizons for the use of cyber attacks against physical targets. By manipulating digital safety systems that are critical for the proper functioning of delicate and highly unstable machines, viruses like Stuxnet have a significant destructive potential. Lewis’ assessment of the effects and consequences of cyber events, therefore, needs to be revised to fit these current developments in the field of cyber warfare.

In Lewis’ framework for understanding cyber attacks, Stuxnet would certainly qualify as an act of war, but the virus goes beyond the author’s assessment of the destructive potential of a cyber attack. Lewis defines cyber war as “the use of force to cause damage, destruction, or casualties for political effect by states or political groups” (1). In this definition, acts of war are separated from other cyber events such as disruptions of service and data due to their limited damage and minimal or absent use of force. Lewis draws a clear relationship between the physical aspect of an event and its classification as an act of war: “if the exploit does not inflict physical damage or destruction, it is not intimidation, nor the use of force, and not an attack” (1). Using this definition of cyber attacks as physically damaging events, the author then explores their possible uses in a conflict. His analysis, however, is based on the initial assumption that “cyber attacks are not very destructive” (3), and focuses only on their use against infrastructural targets and on their tactical and strategic applications as tools to assist military operations. Lewis’ arguments are therefore outdated: Stuxnet goes beyond his assumptions, as a cyberweapon that can cause great physical damage by manipulating digital safety systems.

As presented by Ralph Langner in his TED Talk, Stuxnet was designed to stop the Iranian enrichment program by infiltrating the centrifuges’ digital safety systems, and the immense destructive potential of the virus lies in this unique feature of its code. After being introduced into the enrichment facility’s computers, Stuxnet’s purpose was to destabilize the centrifuges and cascade systems that are part of the enrichment process. The virus accomplished this by manipulating the centrifuges’ output that was fed into the safety systems that control the machines. These computer systems are designed to stop the centrifuges if there is any danger of a disaster occurring, since the machines are too delicate and require too much precision to be calibrated by humans. Stuxnet destabilized the centrifuges by compromising their rotors and provided the program with data that indicated proper functioning, potentially causing the centrifuges to stop operations and even explode. Digital safety systems, however, are not just a feature of these enrichment facilities, but are present in other structures such as nuclear power plants. As Langner argues, a virus similar to Stuxnet could be used to tamper with other stable equipment that relies on these digital safety systems and lead to catastrophic outcomes.

But would a nation or political group use this sort of virus against a country like the U.S.? Although Lewis’ analysis of the effects of a cyber attack is outdated, the author provides some interesting insights about the possibility of a cyber attack being launched by different actors. The author highlights the possibility of retaliation and an escalation of the conflict as deterrents to attacks against civilian targets in the U.S. Lewis, however, considers the possibility of hostile actions by countries like North Korea and Iran in light of their past actions and threats. And if the U.S. engages in some military action against them, cyber weapons could certainly present a new front in the conflict. Small political groups would also have incentives to use such viruses due to today’s “inadequate cyber defenses” (7), but would also be subject to significant backlash and may not be able to accomplish such a complex strike due to the amount of reconnaissance of the facilities that is required.

Lewis’ concerns about a possible cyber attack are in fact not far from today’s reality, and seem to be attracting the attention of policymakers as well. As reported by Carl Frazen, cyber threats were presented to the House Intelligence Committee as a top threat to U.S. security. The question of whether other countries or political groups have the resources and are willing to launch such an attack, however, still remains. So should we prepare for a cyber attack? Do you think other countries like Iran and North Korea have the capabilities and know-how to create a weapon like Stuxnet? And if so, would they use it against a major target in the U.S.? — Fabrizio