Tyler Cowen asks on his blog today:
By the way, didn’t it just come out in The Washington Post that the United States helped attack Iran with Flame, Stuxnet and related programs? If they did this to us, wouldn’t we consider it an act of war? Didn’t we just take a major step toward militarizing the internet? Doesn’t it seem plausible to you that the cyber-assault is not yet over and thus we face immediate questions looking forward? Won’t somebody fairly soon try to do it to us? Won’t it encourage substitution into more dangerous biological weapons?
Those are good questions. Let’s take them in turn.
If they did it to us, would we consider it an act of war? I tend to agree with Franz-Stefan Gady’s perspective that Stuxnet should not be considered an act of war. One of the most overlooked aspects of the great reporting done by the NYT and WaPo uncovering the details of Stuxnet is that the U.S. did not “hack in” to Iran’s nuclear facilities from thousands of miles away. Instead it had to rely on Israel’s extensive intelligence apparatus to not only understand the target, but to deliver the worm as well. That is, humans had to physically infiltrate Iran’s operations to engage in the spying and then the sabotage.
Espionage is not an act of war under international law. Nations expect and tolerate espionage as an inevitable political practice. Spies are sometimes prosecuted criminally when caught, sometimes traded for other spies, and often simply expelled from the country. Sabotage I’m less certain about, but I think it inhabits a similar space as espionage: frowned up, prosecuted criminally, but not an act of war per se. (I’ve been trying to find the answer to that question in vein, so if any international law experts would like to send me the answer, I’d appreciate it.)
So what do we have with Flame? It’s essentially spying, albeit in a frighteningly efficient manner. But, it’s not act of war. Stuxnet is similarly not an act of war if we assume sabotage is not. There’s little difference between Stuxnet and a spy infiltrating Natanz and throwing a wrench into the works. Stuxnet is just the wrench. Now, it’s key to point out what makes Stuxnet political sabotage and not terrorism, and that is that there were no deaths, much less civilian deaths.
Did we take a big step in militarizing the Internet? Won’t somebody fairly soon try to do it to us? Well, it’s already happening and it’s been happening for years. U.S. government networks are very often the subject of espionage—and maybe even sabotage—by foreign states. If something feels new about Stuxnet, it’s that for the first time we have definitive attribution to a state. As a result, the U.S. loses moral high ground when it comes to cybersecurity, and if someone doing it to the U.S. gets caught, they will be able to say, “You started it.” But they’re already doing it. Not that it’s necessarily a good thing, but the militarization of cyberspace is not just inevitable, it’s been well underway for some time.
Finally, Tyler asks, Won’t it encourage substitution into more dangerous biological weapons? The answer to that, I think, is a definitive no. “Cyber weapons” are completely different from biological weapons and even chemical or conventional, and certainly nuclear. For one thing, they are nowhere near as dangerous. No one has ever died from a cyber attack. Again, short of already being in a shooting war, these capabilities won’t be employed beyond espionage and surgical sabotage like Stuxnet.
That raises the question, however, if we’re in a shooting war with a Lybia or a Syria, say, will they resort to cyber? Perhaps, but as Thomas Rid has pointed out, the more destructive a “cyber weapon” the more difficult and costly it is to employ. Massively so. This is why it’s probably only the U.S. at this point who has the capability to pull off an operation as difficult as Stuxnet, and then only with the assistance of Israel’s existing traditional intelligence operation. Neither al Qaeda, nor Anonymous, nor even Iran will be able to carry out an operation on the same level as Stuxnet any time soon.
So, Tyler, you can sleep well. For now at least. ;o) Yes, we should have a national discussion about what sorts of weapons we want our government employing, and what sort of authorization and oversight should be required, but we should not panic or think we’re a few keystrokes away from Armageddon. The more important question to me is, why does one keeps $2.85 million in bitcoin?