William Pons, CHHS Research Assistant
When people think about espionage, they think James Bond or shadowy figures conducting back alley business in a foreign language to gain access to nuclear launch codes. While the reality of espionage may have never been so glamorous, the recent discovery of high-tech computer worms—used to sabotage Iran—has signaled a significant paradigm shift in the conventional wisdom behind state-sponsored espionage and the capabilities of cyberweapons.
In June, the New York Times published an article detailing the use—by the Bush administration and Obama administration—of cyberweapons to physically damage the Iranian Natanz uranium enrichment facility. The article highlighted the creation and continuation of an NSA program dubbed “Olympic Games.” As stated in the article, Olympic Games uses computer code in conjunction with classic espionage techniques to prevent Iran from obtaining weapons grade uranium.
The accidental leak revealing Olympic Games’ existence a few years back led many people to speculate that the U.S., with the help of Israel, developed both the Stuxnet and Flame computer worms. Speculation stemmed from the fact that these computer worms were designed to specifically target Iran’s largest enrichment facility and were some of the most complex and advanced coding to date. Once inside the secure network of the facility, Flame would map the computer network, and Stuxnet would render inoperable the massive centrifuge used to enrich uranium.
Recently, a Washington Post article confirmed suspicions that the U.S. and Israel had developed both the Stuxnet and Flame computer worms. The confirmation highlighted the growing use of cyber warfare during peace time, and in turn garnered the attention of the United Nations Telecommunications Union. The Union warned in a statement that cyberattacks, which it considered Stuxnet and Flame to be, have the ability to spark a cyberwar between nations.
The U.S.’ use of cyber warfare during peacetime raises many potential dangers for U.S. national security. With the deployment of Stuxnet, the U.S. has distinguished between cyber espionage—computer programs used for information gathering—and cyberweapons—programs that cause damage.
The principal potential danger facing the U.S. is lack of international treaties and agreements regulating the use of cyberweapons by nation-states. The means that the continual use of cyberwarfare against another nation, which the U.S. is not at war with, could establish unregulated precedent regarding its use as a legitimate tool. This legitimacy could then be exploited by foreign powers, terrorist organizations, and hackers to rationalize and even justify cyberattacks against the U.S. Some may argue that other countries, notably China, have already brought legitimacy to cyberwarfare through their attempts to obtain top secret information from the Department of Defense. However, these cyberattacks have been limited to information gathering, and a recent report by the Northrop Grumman Corp found that China lacked the ability to carry out cyberattacks that would physically damage sites in the United States.
Additionally, there is a real danger that cyberweapons—once deployed—will be beyond the control of its creators and attack or damage real world sites that were not the intended target. This potential fear has been buttressed by the fact that the Stuxnet worm “escaped” from the Iranian enrichment facility and infected computers worldwide due to a coding error. Although the escape of the Stuxnet worm has not damaged other sites outside of Iran, who is to say that the next escape will be so harmless.
Although many may think that a cyberattack’s damage is virtual, this is not so. In the New York Times article cited above, the real world destructive nature of a cyberweapon was clearly demonstrated—to the Bush Administration—when the Stuxnet computer worm caused a centrifuge to self-destruct during U.S. tests. A virtual weapon’s ability to severely impact the real world could have disastrous effects on a nation’s energy grids or nuclear power plants. If a terrorist organization uploaded a Stuxnet-style worm into a U.S. nuclear power plant’s computer network, the effect could be the same as a nuclear bomb exploding.
In 2010, a FEMA report found that state and local agencies have made little progress in terms of preparedness for cyberattacks. This lack of preparedness is in stark contrast to a 650% jump in cyberattacks from 2006-2010. Former Department of Homeland Security Secretary Michael Chertoff echoed concerns about the United States’ ability to handle sophisticated cyberattacks. In a May 2012 interview, he stated that cyberattacks are the largest threat currently facing this country. Furthermore, the ever-growing reliance on electronic integration and automation places the U.S. at a much higher risk of a cyberattack causing significant harm.
In the end, the U.S. needs to be wary about the use and perceived over-use of cyberwarfare. It may provide short-term gains—such as providing information or hindering the Iranian uranium enrichment program—but it also has a high likelihood of being wielded as an extremely destructive weapon by enemies of the U.S. It would be wise to heed the warning provided by Aesop, the famous Greek story teller who said: “We often give our enemies the means to our own destruction.”