Special Report: Stuxnet may be the Hiroshima of our time

Is using preemptive cyberwarfare good national security policy?
Written by David Gewirtz, Senior Contributing Editor

The New York Times Sunday published an important and informative analysis of the Stuxnet malware and its attack on Iranian nuclear centrifuges.

As a cyberwarfare adviser to national security and counter-terrorism agencies and professionals, I've studiously avoided writing about Stuxnet in the past for reasons I'm not at liberty to discuss. I also won't comment on the specifics mentioned in the New York Times article.

That said, I do think it's important to look at the strategic question of whether using preemptive cyberwarfare is ultimately good policy or not.

The issue can be oversimplified to two questions: (1) is a preemptive attack of any form necessary for national security, and (2) can that attack be more effective or save more lives using virtual weapons?

Preemptive attack

Question (1) is easily answered. Is a preemptive attack of any form necessary for national security? The answer is, "Sure, but very rarely."

Key to any government's successful operation on a world stage is the need to be aware of other actors' intents towards your nation. That's why all nations have their own spy agencies.

A combination of humint -- human intelligence, or feet on the ground -- and elint (electronic intelligence) can help a nation build a rough picture of impending threats or opportunities.

We can all imagine the worst case of impending threats. Terrorists could have an NBC (nuclear, biological, or chemical weapon) and be poised to release it. In that situation, preemptive attack is almost certainly justified. That, of course, is assuming the intelligence is correct -- which is not always evident.

The issue of righteousness or even strategic validity of a preemptive attack becomes more blurry when the attack is to prevent a possible behavior by another sovereign nation that may or may not pose a direct threat to the preemptively attacking nation.

This, of course, was the question with Saddam Hussein's supposed weapons of mass destruction, and is likely to be the question with Iran's nuclear activities.

In these cases, the justifications are more murky. As we all know, the attack on Saddam substantially destabilized the region, drew the United States into an unending war, cost us thousands of lives and billions of dollars, and hasn't resulted in a net positive benefit to American security.

But that's because Saddam apparently didn't have WMDs. If he did, we still don't know if he'd have actually used them, paraded them around as a point of pride, or simply stockpiled them.

In Saddam's case, as in the case of Mahmoud Ahmadinejad, the direct threat to mainland American soil is vanishingly low. However, the threat from both these nations against Israel is far more than a rounding error and so, from Israel's national perspective, WMD programs in these nations are considered serious threats.

There's a lot of debate about whether or not it's in America's best interests to help fight Israel's battles. But the point here is that a nation such as Israel, operating under constant impending and declared threat of nuclear attack, might well find a preemptive attack to be justified.

Next: Virtual weapons »

« Previous: Preemptive strikes

Virtual weapons

This brings us to the second part of our strategic question: can the use of virtual weapons such as the malware popularly known as "Stuxnet" be justified?

This must be answered in two parts. Can it be justified the first time such a weapon is used, and can it be justified after that cherry has been broken?

Here's the thing. According to The New York Times article, Stuxnet was used, and it was successful. The Times reports that nuclear machinery was brought offline because Stuxnet destabilized them, physically damaging the mechanisms.

I can't fully state whether or not Stuxnet was the first use of attack software to successfully damage machinery, but it certainly provides public proof-of-concept.

There's the rub, though. Now that proof-of-concept has been shown, the genie is out of the bottle, and other nations and actors will be aware of the strategic potential of this new form of easily deployable weapon.

When the Little Boy and Fat Man nukes were dropped on Hiroshima and Nagasaki, the U.S. accomplished a strategic goal. But it also telegraphed to the entire world that nuclear weapons were viable systems, ushering in the unfortunate reality of the potential for mutually assured destruction.

Virtual weapons arms race

Stuxnet is effectively the Little Boy and Fat Man of the digital age. Unfortunately, like the nuclear arms race, the Stuxnet virus will likely launch a virtual weapons arms race among nations.

Let me be clear here. I'm not saying Stuxnet and its ilk are capable of blowing up cities and towns. Rather, the launch of Stuxnet is a watershed event in weaponization, ushering in a new era and type of weapon that will have a profound effect on the theater of war and that is particularly suited to the realities of our digital age.

Unfortunately, virtual weaponry is vastly easier to create and deploy than nuclear weapons. Because the cost of digital weapons development is almost insanely inexpensive, the barrier of entry to this new form of destruction is paper-thin.

While there are only eight nations known to be in the nuclear club, almost any nation, interest group, terrorist group, or teenager living at home can develop and deploy virtual weapons systems.

This ubiquity poses the greatest threat. While Stuxnet was arguably deployed for a justifiable reason and may have saved lives over an otherwise almost-certain Israeli conventional weapons attack, virtual weapons can be aimed by our enemies at our interests as well.

If Stuxnet could target specific network configurations and devices in Iran, so could another attacker aim at critical infrastructure elements belonging to the United States or our allies.

Defending against attack

As any network engineer who's been at the business end of a DDoS (distributed denial of service attack) can attest to, fighting cyberattacks is a huge challenge and the potential for asymmetric advantage on the part of the attacker is disturbingly strong.

Therefore, if Stuxnet is ushering in a new age of modern warfare, we must invest even more in a new age of modern digital defense.

It's one thing to be able to attack a network of a specific enemy. It's entirely another to be able to defend our networks against any and all possible attacks by any and all possible enemies.

We clearly have our work cut out for ourselves. Fortunately, America is full of highly innovative professionals and we're certainly up to the challenge.

I don't look forward to the day when we're on the defending end of an attack like Stuxnet, but I do expect that day to come.

It's our job to make sure we're prepared. It's also important for any attackers to think twice before attacking. Like the nuclear race before it, virtual attacks are also subject to a form of MAD (mutually assured destruction). If you attack us, we will attack you back and you will be badly hurt.

Perhaps if all nations and all actors keep MAD in mind, Stuxnet will be a one-time event and we'll be writing about it in the history books like we now write about Hiroshima and Nagasaki.

Editorial standards