Stuxnet and the Dangers of Cyberwar

The inadvertent spread of the Stuxnet worm shows the need for transparent norms of digital conflict.

Operation Olympic Games, more commonly known as the Stuxnet worm, damaged Iran’s centrifuges and delayed its uranium enrichment efforts. As David Sanger reports in Confront and Conceal, President Obama expressed concern about collateral damage in the U.S.-Israeli cyber attack on Iran’s nuclear program. The president didn’t want to set a precedent that would enable other actors to justify similar cyber attacks. But he concluded that the need to delay Iran’s progress toward a nuclear-weapons capability was worth the risk in this instance, while his national-security team judged that it was too early to develop a conceptual framework for evaluating the use of cyber weapons.

Despite the administration’s decision to grapple with broader policy issues later, Stuxnet raises fundamental questions about cyber weapons. The United States authorized the operation in peacetime rather than in an armed conflict. Yet the operation fits the definition of a cyber attack, an attempt to destroy, degrade, or alter systems, typically to cause a secondary effect in the physical world. The United States manipulated Iranian computer systems to physically damage Iranian infrastructure. The operation was thus more than cyber exploitation, which covertly mines information from networks without authorization.

Many believe Iran is responsible for a wave of denial of service attacks on U.S. banks, though it is unclear if that was retaliation for Stuxnet, assassinations of Iranian scientists, other perceived offenses, or part of Iran’s consistently belligerent behavior. Setting aside the complexities of U.S.-Iranian relations, Sanger’s reporting illuminates dangers associated with cyber attacks that U.S. policy must address.

The physical effects of the operation were limited to covertly disabling Iranian centrifuges. U.S. and Israeli officials sought to slow down Iran’s enrichment program and confuse scientists without revealing that an attack was underway. They introduced variants of the worm into Iranian facilities over a period of several years, only after reconnaissance operations gathered intelligence about Iranian facilities, operations, and computer networks. Engineers then refined the worm by testing it on U.S. replicas of Iran’s Natanz enrichment facility. As an operation that was highly sophisticated, requiring large investments of time and resources, an emphasis on concealment, multiple strikes, and limited physical effects rather than large-scale destruction, Stuxnet was closer to sabotage than a full military attack.

That the United States and Israel executed this plan is astounding, though Stuxnet failed to satisfy its own standards of success in one regard: according to Sanger, the worm was never intended to travel outside Natanz’s isolated, air-gapped networks. But an error in the code caused the worm to replicate itself and spread when an Iranian technician connected an infected laptop computer to the internet. Fortunately, the worm did not cause widespread damage because it was engineered to affect Iranian enrichment facilities only; however, Stuxnet’s unauthorized globetrotting evokes several nightmare scenarios. Imagine if the Stuxnet worm caused far more destruction than expected. Would Iran have retaliated via terrorist attacks or conventional weapons? Would widespread damage to Iranian civilian infrastructure have weakened international support for sanctions? How would other countries have reacted if Stuxnet damaged their infrastructure, especially once they discovered who created the worm? Each of these outcomes would have undermined U.S. strategic objectives and triggered unforeseen problems.

Efforts to customize future attacks to specific targets and calibrate their precise effects might fail. Given these uncertainties, cyber weapons appear to be a niche capability. Their use may be justified in a handful of scenarios. In fact, Sanger reports that the United States moved forward with Stuxnet because it was a safer alternative to conventional strikes. Yet Stuxnet does not prove that cyber attacks are low-risk operations. Rather, it suggests that the effects, and thus the risks, of cyber attacks are unpredictable. Thus Stuxnet should instill caution in U.S. operations as much as it boosts confidence.

But U.S. policy for using cyber weapons is only part of the equation. How other countries wield cyber weapons will affect the United States as well. Vulnerable computer networks and systems support U.S. economic activities, military capabilities, and societal services such as critical infrastructure. Just as U.S. officials concluded the effects and risks of the Stuxnet operation were proportionate to the payoffs, other countries might reach similar conclusions about cyber attacks against the United States. Improving cyber defenses, attribution capabilities, and developing credible retaliatory options will play an important role in deterring and mitigating direct cyber attacks, but cascading viruses launched at other countries could eventually penetrate and damage U.S. networks.

Pages