By Micah J. Loudermilk, Center for Strategic Research
The past several weeks have witnessed an explosion of reports on the recently discovered Stuxnet malware, referred to as the world’s first cyber super-weapon. Suspicions that the worm was custom-designed to target a nuclear facility in Iran – perhaps Bushehr or Natanz – have grown with the passage of time, as Stuxnet infections appear heavily concentrated in Iran, and perhaps reached a breaking point when a text string containing an allusion to the Biblical figure Esther, credited with saving the Jews from destruction by the Persians, was found deep inside Stuxnet’s code. As cyber experts worldwide race to decode and understand Stuxnet, numerous questions are arising regarding the incredible sophistication of the attack, who is responsible for it, and what the end result will be when the worm finds its target. However, equally important and not yet analyzed are two questions about the longer-term consequences of Stuxnet in the cyber sphere.
First, can cyber attacks be defended against? Troublingly, the short answer to that question appears to be “no” – at least not with any degree of consistency and reliability. Stuxnet opened the door on a whole new field of cyber warfare, previously considered impossible, and with it a slew of new possibilities for attacks. Operating without human guidance and capable of taking over industrial control systems, Stuxnet is a perfect example of how rapidly the cyber field is evolving, consistently leaving those seeking to defend against attacks playing catch-up.
On the surface, the superiority of offensive capabilities compared to their defensive counterparts is relatively simple: an offensive system is successful if it strikes once, but a defensive system has zero margin for error. This equation is magnified on the cyber front where new loopholes and critical vulnerabilities are found and exploited by attackers faster than they can be closed and protected. When coupled with the near-instantaneous speed at which networks operate, defense against attacks becomes infinitely more difficult.
Second, is the realm of cyber warfare officially open for business? Sure, for years the Chinese and other entities have been hacking DoD networks, the U.S. electrical grid, and other critical infrastructure, but the Stuxnet malware is potentially the first real-world case using a worm to destroy a physical target. While no mechanism exists by which to define at what point a cyber attack or infiltration becomes an act of war, it seems clear that there must be a line, but where should one draw it? Should Iran’s Bushehr or Natanz plant be destroyed by this cyber attack, is it necessarily any different from utilizing jet fighters or missiles to achieve the objective? These are all vital questions which must be addressed, not simply in the case of Stuxnet, but broadly speaking.
Notwithstanding this episode’s outcome, the door into this terrifying world – where targets can be hit and critical infrastructure compromised without a nation or group taking any tangible action – is potentially open. The possibilities are immense, and the problems even greater – in large part due to the attribution problem. Regardless of whether or not the destruction of another nation’s nuclear plant crosses any arbitrary lines, absent knowledge of what country is responsible for unleashing it (without even addressing the possibility of rogue group actions), a concerted response is difficult. The danger here, and one already obvious from the cyber attacks directed daily at the U.S., is that countries can take actions against other states from the relative safety of anonymity, potentially giving rise to an increased use of cyber tactics as a means to asymmetrically attack one’s opponents.
Ultimately, it may never be known who perpetrated the Stuxnet worm or what, if any, the effects were on Iran’s nuclear program (assuming that is indeed the target). One can draw conclusions from delays to the launch of the Bushehr facility, but these delays have been persistent and Iran continues to deny that any of its nuclear facilities have been adversely affected (despite being infected). However, it is crucial to understand that cyber attacks of this type are now fully within the realm of possibility and, as ideas previously only imagined in science-fiction movies move ever closer to reality, the strategic calculus of U.S. policymakers must learn to adjust quickly and accordingly.