Operation Olympic Games, more commonly known as the Stuxnet worm, damaged Iran’s centrifuges and delayed its uranium enrichment efforts. As David Sanger reports in Confront and Conceal, President Obama expressed concern about collateral damage in the U.S.-Israeli cyber attack on Iran’s nuclear program. The president didn’t want to set a precedent that would enable other actors to justify similar cyber attacks. But he concluded that the need to delay Iran’s progress toward a nuclear-weapons capability was worth the risk in this instance, while his national-security team judged that it was too early to develop a conceptual framework for evaluating the use of cyber weapons.
Despite the administration’s decision to grapple with broader policy issues later, Stuxnet raises fundamental questions about cyber weapons. The United States authorized the operation in peacetime rather than in an armed conflict. Yet the operation fits the definition of a cyber attack, an attempt to destroy, degrade, or alter systems, typically to cause a secondary effect in the physical world. The United States manipulated Iranian computer systems to physically damage Iranian infrastructure. The operation was thus more than cyber exploitation, which covertly mines information from networks without authorization.
Many believe Iran is responsible for a wave of denial of service attacks on U.S. banks, though it is unclear if that was retaliation for Stuxnet, assassinations of Iranian scientists, other perceived offenses, or part of Iran’s consistently belligerent behavior. Setting aside the complexities of U.S.-Iranian relations, Sanger’s reporting illuminates dangers associated with cyber attacks that U.S. policy must address.
The physical effects of the operation were limited to covertly disabling Iranian centrifuges. U.S. and Israeli officials sought to slow down Iran’s enrichment program and confuse scientists without revealing that an attack was underway. They introduced variants of the worm into Iranian facilities over a period of several years, only after reconnaissance operations gathered intelligence about Iranian facilities, operations, and computer networks. Engineers then refined the worm by testing it on U.S. replicas of Iran’s Natanz enrichment facility. As an operation that was highly sophisticated, requiring large investments of time and resources, an emphasis on concealment, multiple strikes, and limited physical effects rather than large-scale destruction, Stuxnet was closer to sabotage than a full military attack.
That the United States and Israel executed this plan is astounding, though Stuxnet failed to satisfy its own standards of success in one regard: according to Sanger, the worm was never intended to travel outside Natanz’s isolated, air-gapped networks. But an error in the code caused the worm to replicate itself and spread when an Iranian technician connected an infected laptop computer to the internet. Fortunately, the worm did not cause widespread damage because it was engineered to affect Iranian enrichment facilities only; however, Stuxnet’s unauthorized globetrotting evokes several nightmare scenarios. Imagine if the Stuxnet worm caused far more destruction than expected. Would Iran have retaliated via terrorist attacks or conventional weapons? Would widespread damage to Iranian civilian infrastructure have weakened international support for sanctions? How would other countries have reacted if Stuxnet damaged their infrastructure, especially once they discovered who created the worm? Each of these outcomes would have undermined U.S. strategic objectives and triggered unforeseen problems.
Efforts to customize future attacks to specific targets and calibrate their precise effects might fail. Given these uncertainties, cyber weapons appear to be a niche capability. Their use may be justified in a handful of scenarios. In fact, Sanger reports that the United States moved forward with Stuxnet because it was a safer alternative to conventional strikes. Yet Stuxnet does not prove that cyber attacks are low-risk operations. Rather, it suggests that the effects, and thus the risks, of cyber attacks are unpredictable. Thus Stuxnet should instill caution in U.S. operations as much as it boosts confidence.
But U.S. policy for using cyber weapons is only part of the equation. How other countries wield cyber weapons will affect the United States as well. Vulnerable computer networks and systems support U.S. economic activities, military capabilities, and societal services such as critical infrastructure. Just as U.S. officials concluded the effects and risks of the Stuxnet operation were proportionate to the payoffs, other countries might reach similar conclusions about cyber attacks against the United States. Improving cyber defenses, attribution capabilities, and developing credible retaliatory options will play an important role in deterring and mitigating direct cyber attacks, but cascading viruses launched at other countries could eventually penetrate and damage U.S. networks.
The United States failed to prevent the Stuxnet worm from escaping an air-gapped system. What if countries, terrorist organizations, or even business competitors with less-discriminating cyber weapons, and perhaps less caution, start launching attacks or view cyber weapons as an acceptable tool for the day-to-day disagreements that dominate international politics? Defense and deterrence alone are insufficient for coping with the staggering number of actors and threats in cyberspace. The United States should work to influence how and how often other countries launch cyber attacks.
For now, greater transparency about U.S. policies governing the use of cyber weapons is a modest and practical approach to establishing international norms for cyber attacks. The United States could articulate a narrative about how it conducts cyber attacks, why, and against what types of countries and targets. U.S. officials must answer these questions to develop a doctrine for the effective use of cyber weapons in any case.
The United States could explain its criteria and process for evaluating a cyber attack’s risks of unintended and unanticipated damage. Is there a task force that provides an independent “red team” risk assessment of potential operations? Is there a higher threshold for attacks on targets connected to the internet? Is there a testing process for new cyber weapons? Do all cyber attacks require presidential authorization? Explaining how the United States applies the law of armed conflict to cyber attacks, rather than simply asserting that the law applies, would set a powerful example. Some countries might not care, but others might impose similarly strict standards on their own operations. At the very least, U.S. officials would have credibility when advocating for tacit or nonbinding standards of conduct in cyberspace.
Explaining the purposes for which the United States would use cyber weapons in peacetime is another challenge facing U.S. officials. For example, an alleged cyber attack unleashed a persistent virus that erased data on Iranian Oil Ministry hard disks. This attack employed a cyber weapon to hinder Iran’s oil exports, perhaps to pressure it into making concessions on its nuclear program. There is no evidence that the United States is responsible.
But it is unclear if U.S. policy considers this a legitimate use of cyber weapons, and many other questions remain. Is there a meaningful distinction between sabotaging WMD-related programs and attacking a country’s economic vitality to compel it to abandon those programs? Where might the United States show restraint? Are networks supporting critical civilian infrastructure (assuming Iran’s centrifuges are not for peaceful purposes) acceptable targets?
It might also be that peacetime attacks are reserved solely for countries with illicit military programs. For example, U.S. nuclear declaratory policy rules out the use of nuclear weapons against non-nuclear weapon states that are in compliance with their non-proliferation obligations. Perhaps the United States could pledge to refrain from Stuxnet-style attacks against countries that can verify that they will forgo nuclear, chemical and biological weapons programs.
If absolute prohibitions are too constraining, the United States could establish reciprocal limits on the use of cyber weapons on a country-by-country basis. In The Paradox of Power, David Gompert and Phillip Saunders analyze the prospects for a U.S.-China strategic restraint regime. Both countries would refrain from launching cyber attacks on each other’s economic and civilian networks. Because both countries depend on these vulnerable networks and are capable of retaliating, mutual deterrence in this specific context is feasible. Rather than foreswearing attacks on tactical military networks, U.S. and Chinese officials would acknowledge that such attacks carry unique risks of escalation and require authorization at the highest levels of the government. This is a promising approach to developing norms in a domain characterized by anonymity and unlimited actors. There is always emphasis on rogue actors beyond the control of states. But the United States, China, and other major powers can control their own use of destructive cyber weapons and have a shared interest in clarifying boundaries.
With so much uncertainty about how cyber weapons will evolve, U.S. officials might be tempted to hold off on public explanations of policy, deliberate in secret, and maintain flexibility. But if U.S. vulnerability in cyberspace persists, an international consensus on minimizing collateral damage, avoiding attacks on civilian targets and stigmatizing coercive peacetime attacks would serve the national interest. Establishing principles to guide U.S. use of cyber weapons and explaining them to the world is a prudent first step.