Stuxnet and the Dangers of Cyberwar

The inadvertent spread of the Stuxnet worm shows the need for transparent norms of digital conflict.

The United States failed to prevent the Stuxnet worm from escaping an air-gapped system. What if countries, terrorist organizations, or even business competitors with less-discriminating cyber weapons, and perhaps less caution, start launching attacks or view cyber weapons as an acceptable tool for the day-to-day disagreements that dominate international politics? Defense and deterrence alone are insufficient for coping with the staggering number of actors and threats in cyberspace. The United States should work to influence how and how often other countries launch cyber attacks.

For now, greater transparency about U.S. policies governing the use of cyber weapons is a modest and practical approach to establishing international norms for cyber attacks. The United States could articulate a narrative about how it conducts cyber attacks, why, and against what types of countries and targets. U.S. officials must answer these questions to develop a doctrine for the effective use of cyber weapons in any case.

The United States could explain its criteria and process for evaluating a cyber attack’s risks of unintended and unanticipated damage. Is there a task force that provides an independent “red team” risk assessment of potential operations? Is there a higher threshold for attacks on targets connected to the internet? Is there a testing process for new cyber weapons? Do all cyber attacks require presidential authorization? Explaining how the United States applies the law of armed conflict to cyber attacks, rather than simply asserting that the law applies, would set a powerful example. Some countries might not care, but others might impose similarly strict standards on their own operations. At the very least, U.S. officials would have credibility when advocating for tacit or nonbinding standards of conduct in cyberspace.

Explaining the purposes for which the United States would use cyber weapons in peacetime is another challenge facing U.S. officials. For example, an alleged cyber attack unleashed a persistent virus that erased data on Iranian Oil Ministry hard disks. This attack employed a cyber weapon to hinder Iran’s oil exports, perhaps to pressure it into making concessions on its nuclear program. There is no evidence that the United States is responsible.

But it is unclear if U.S. policy considers this a legitimate use of cyber weapons, and many other questions remain. Is there a meaningful distinction between sabotaging WMD-related programs and attacking a country’s economic vitality to compel it to abandon those programs? Where might the United States show restraint? Are networks supporting critical civilian infrastructure (assuming Iran’s centrifuges are not for peaceful purposes) acceptable targets?

It might also be that peacetime attacks are reserved solely for countries with illicit military programs. For example, U.S. nuclear declaratory policy rules out the use of nuclear weapons against non-nuclear weapon states that are in compliance with their non-proliferation obligations. Perhaps the United States could pledge to refrain from Stuxnet-style attacks against countries that can verify that they will forgo nuclear, chemical and biological weapons programs.

If absolute prohibitions are too constraining, the United States could establish reciprocal limits on the use of cyber weapons on a country-by-country basis. In The Paradox of Power, David Gompert and Phillip Saunders analyze the prospects for a U.S.-China strategic restraint regime. Both countries would refrain from launching cyber attacks on each other’s economic and civilian networks. Because both countries depend on these vulnerable networks and are capable of retaliating, mutual deterrence in this specific context is feasible. Rather than foreswearing attacks on tactical military networks, U.S. and Chinese officials would acknowledge that such attacks carry unique risks of escalation and require authorization at the highest levels of the government. This is a promising approach to developing norms in a domain characterized by anonymity and unlimited actors. There is always emphasis on rogue actors beyond the control of states. But the United States, China, and other major powers can control their own use of destructive cyber weapons and have a shared interest in clarifying boundaries.

With so much uncertainty about how cyber weapons will evolve, U.S. officials might be tempted to hold off on public explanations of policy, deliberate in secret, and maintain flexibility. But if U.S. vulnerability in cyberspace persists, an international consensus on minimizing collateral damage, avoiding attacks on civilian targets and stigmatizing coercive peacetime attacks would serve the national interest. Establishing principles to guide U.S. use of cyber weapons and explaining them to the world is a prudent first step.

Official silence is not the same as saying nothing. Consider some of the headlines from the Washington Post: “Pentagon Ups Ante on Cyber Front”; “Cyberweapons on Pentagon Fast Track”; “U.S. Builds a Cyber Plan X.” These articles signal that the United States will have a first-rate suite of offensive cyber capabilities. It is time for Washington to show that it is also crafting a prudent doctrine to govern their use.

Vincent Manzo is a fellow in the Defense and National Security Group at the Center for Strategic and International Studies. The views expressed here are his own.
