Marching off to cyberwar

Days before handing over the presidency to Barack Obama in 2008, George W. Bush invited the president-elect to the White House to talk about threats to America, and what the country was doing to confront them.

Obama, in many ways, had campaigned as the anti-Bush, especially when it came to war and international affairs. It was Bush who sent America to war in Iraq; and it was Bush who opened the Guantánamo Bay detention camp. Obama had promised to leave Iraq and shutter the prison. It wasn’t obvious he would take his predecessor’s advice.

Yet when Bush urged Obama to maintain two classified programs, Obama, according to an insightful new book, agreed. As journalist David Sanger’s Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power details, the first involved drone attacks on suspected terrorists in Pakistan. Not only did Obama keep the program, but he greatly expanded attacks.

The second, code-named “Operation Olympic Games,” was much more secretive and targeted a stronger and deadlier enemy: Iran. The U.S. and Israel had managed to insert a malicious computer program, a “worm,” into Iran’s nuclear facility at Natanz, believed to be the centre of Iran’s uranium enrichment program. Obama expanded this project, too. And despite stumbles—including the worm’s discovery when it escaped Natanz and spread globally—American-Israeli cyber-sabotage efforts struck a major blow against Iran’s nuclear program in 2010, when some 1,000 uranium-enriching centrifuges suddenly spun out of control and crashed. Iran’s nuclear ambitions were set back months, perhaps years.

The worm, popularly known as Stuxnet, signalled a remarkable escalation in cyber-warfare’s potential. A 2007 cyber-attack on Estonia—believed to have been Russian in origin—hit banks, newspapers and the country’s parliament, causing widespread inconvenience. Russia’s 2008 war with Georgia and Israel’s 2007 air raid on a Syrian nuclear reactor are also thought to have involved cyber-strikes.

But Stuxnet was different. A computer worm had physically wrecked closely guarded nuclear equipment buried under 22 m of earth—something that might otherwise have required bunker-busting bombs, or troops on the ground who could be captured or killed. “If this had been done with a commando operation or C-4 explosives, we’d all recognize it as a form of warfare,” says John Arquilla, chair of the department of defence analysis at the Naval Postgraduate School in Monterey, Calif. “The fact that it was done with brave zeroes and ones doesn’t change the fact that it was an act of war, and a highly effective one.”

Obama, according to Sanger, was deeply involved in planning U.S. cyber-attacks on Iran. He would meet in the Situation Room in the White House basement, picking targets and authorizing ever riskier assaults. Not since Lyndon Johnson, writes Sanger, “had a president been so intimately involved in the step-by-step escalation of an attack on a foreign nation’s infrastructure.”

Obama’s personal interest in cyber-warfare is mirrored by the country’s security establishment. United States Cyber Command, founded in 2009 and jointly run by the Pentagon and the National Security Agency, employs a staff of 13,000 and has a budget of US$182 million. The Pentagon itself spends $3.4 billion a year on its cyber-warfare capabilities. Last year, it declared that a foreign computer attack on the U.S. could be considered an act of war justifying a military response. The networked world, the Pentagon was suggesting, is simply another battle space, along with land, air and water.

And yet it is precisely because cyberwar is unlike conventional war that makes it so attractive. “It’s less expensive, produces fewer prisoners, is not necessarily as provocative, and under some circumstances has a great deal of deniability,” says Martin Libicki, an analyst at the RAND Corporation, a U.S. think tank, and author of 2009’s Cyberdeterrence and Cyberwar, prepared for the United States Air Force.

Cyber-attacks are also less likely to trigger a massive retaliation—last year’s Pentagon declaration notwithstanding. The victim may not know who was behind it. They may also choose to pretend it never happened, or downplay its impact, as Iran did following Stuxnet. “Because the rule of law or the international norms about these things are unknown, it’s unclear if the Iranians are going to respond, or if they feel we’ve crossed some line,” says Adam Segal, a senior fellow at the Council on Foreign Relations.

Iran has reportedly planned to assassinate American diplomats, as well as Saudi Arabia’s ambassador to the United States, possibly in response to cyber-attacks against it. But even these moves are more restrained than what we could expect if America or Israel had accomplished the same thing Stuxnet did, but by bombing Natanz.

It is this potential for surgical, bloodless strikes that may cause military planners to rely on cyber-attacks more than they should, says Arquilla, a pioneer in the study of cyber-warfare who has advised the Obama administration on the topic. He quotes Robert E. Lee, the Confederate general, who once said: “It is well that war is so terrible, lest we should grow too fond of it.” Cyber-battlefields are making war much less terrible.

Often, countries will choose diplomacy over battle to settle disputes; but the rise of cyberwar changes this equation. “We may be talking about a new age of intervention,” says Arquilla. The problem is that cyber-warfare’s usefulness as an isolated tactic is limited. Arquilla likens it to strategic bombing. Air power by itself has rarely won wars. It is effective only when backed by ground troops or other capabilities. Cyber-attacks, similarly, can produce the best results when used as part of a wider range of tactics. When it comes to Iran’s nuclear program, for example, cyber-attacks have delayed Iranian progress toward achieving nuclear weapons capabilities, but they haven’t ended the program, or changed the regime behind it.

Still, the United States and Israel continue to work on new cyber means to cripple Iran’s nuclear aspirations. There have been Stuxnet successors—part of a larger covert campaign involving espionage, assassinations and conventional sabotage. Each success buys a little time.

“It has probably been fairly effective in creating doubt among the Iranians about the safety of their systems and what they can rely on,” says Segal, speaking of the cyber-campaign against Iran. “But from what we can tell, if Iranians are intent on building a nuclear bomb, they’re probably going to get there in the end.”

Eventually, in other words, Obama may need to try something else. Arquilla believes a diplomatic solution is still possible. The alternative may be air strikes, likely launched by Israel. But in these, too, cyber-tactics may play a role.

Warfare, and especially covert warfare of the type waged between the United States, Israel and Iran, is changing. The roll played by cyber-tactics will expand. Those who best adapt to this new way of fighting will benefit most.

Stuxnet: How a super-virus works

For security reasons, Iran’s nuclear facility at Natanz is not digitally connected to the outside world. To get inside, Stuxnet needed to be physically inserted—by embedding the worm in thumb drives. These were carried by unknowing Iranian scientists, or technicians from the German electronics firm Siemens, which was maintaining the system.

Once the worm had entered Natanz’s controlling system, it recorded what the electronic signals from normal centrifuge operations looked like.

It played these back as it took control of the centrifuges, fooling operators into believing that nothing was amiss—even as it ordered the centrifuges to spin faster and faster, eventually destroying about 1,000 of them.