“When you shut down a country’s power grid, it doesn’t just pop back up. It’s more like humpty dumpty. And if all the king’s men can’t turn the lights back on, or filter the water for weeks, then lots of people die[…] and something we do to others, they can do to us, too,” an anonymous NSA worker once said.
Imagine a world where your lights don’t turn on; a world where you can’t drink water because it hasn’t been properly filtered; a world where hospitals can’t properly run medical tests. That world seems far away, but it’s actually near. In fact, its predecessor has arrived and has been quiet for years: STUXnet — a cyber-weapon capable of wreaking havoc on centrifuges in Iran’s nuclear facilities while intelligently hiding and spreading itself.
STUXnet is what the nuke was in the 1940’s: a dangerous weapon that cannot be contained once used. However, the danger of STUXnet is not the capabilities, but the fact it’s an alarm to other countries — China, Iran, Russia — to construct and develop their own cyber weapons that rival nuclear capabilities. In order to ensure the world doesn’t see another cyber-weapon that is comparable to nukes, countries — especially world powers — must cooperate and design laws and resolutions vis-a-vis cyber-warfare. Militarily, the U.S. must bolster defenses at home and abroad to ensure a cyber version of Hiroshima doesn’t occur.
The Beginning: Operation Olympic Games
On March, 2003, President George W. Bush unknowingly addresses the nation’s tale of the beginning of the end.
Two years later, the CIA concludes its report of not finding any weapons of mass destruction in Iraq. The American public begins to become highly skeptical at this point. But on the horizon is a new emerging threat: Iran.
In 2006, Iran resumes enriching uranium for nuclear weapons. The United States and Israel become increasingly concerned. But the problem was how to deal with Iran without invasion — especially since the U.S. had gotten an immense backlash for mishaps in Iraq. In 2006 to 2009, there were accounts that U.S. military officials proposed a covert operation with the Israeli’s to stop Iran: STUXnet — a cyber-weapon that targeted Iranian centrifuges at their nuclear facility, Natanz. This joint cyber operation, which the U.S. does not officially acknowledge, is known as “Olympic Games.”
Former head of the Cybersecurity Center at the Department of Homeland Security, Sean McGurk, said that STUXnet was an unbelievably large and complex threat that has never before been seen. STUXnet not only scared Mr. McGurk, it also frightened Russia, the United Kingdom, and Iran who launched into the development of their own cyber capabilities.
Russia created their own cyber-weapon: TRITON. TRITON, developed after STUXnet was discovered, focused on ravaging industrial controls, similar to STUXnet. And we have seen the capabilities of Russia’s cyber warfare when shutting Ukraine’s electrical grids down.
The U.K. also responded to STUXnet. 650 million pounds was given to fund cyber-defenses and bolster their security. While the U.K. is an ally, the fact they began to further fund cyber-capabilities is dangerous. Such an action will prompt allies and enemies to divert funding to their own cyber capabilities, creating endless cycles of deterrence. We thus find our allies and ourselves entangled in the never-ending web of the security dilemma.
In a more extreme response, Iran upped their cyber capabilities by 1,200%. If STUXnet had such a profound effect on Iran, what kind of effect did it have on other nation-states unfriendly to the United States, such as China or North Korea? These aforementioned countries’ response to STUXnet is unknown, so all we can do is speculate it did have an effect, and this speculation is where the dangers of miscommunication are born.
Where do we go from here?
There are no definite solutions vis-a-vis STUXnet and other cyberweapons. Moving forward, there is only compromise and preparation. The first set of compromise entails cooperative efforts within diplomacy, primarily through multilateral institutions. In preparation, this entails a defined creation of military offensive and defensive capabilities.
Compromise: Diplomacy by defining the problem in the UN to create international resolutions
Currently, the international community has no regulations regarding cyber security. This is extremely risky, as STUXnet and its other variants of cyber-weapons can rival that of nuclear weapons. The current UN Secretary-General, Antonio Guterres further emphasizes this risk.
What needs to happen now clear boundaries and definitions on what a cyber-weapon constitutes, akin to nuclear regulations. As of now, as Secretary-General Guterres notes, there are no clear definitions of cyber-weapons, cyberwarfare, or any other variant of the name.
This is because cyber weapons and warfare hold limitless possibilities — denial of service attacks, or perhaps critical infrastructure shutdowns — and as such, definitions of cyber-weapons and warfare can vary. Furthermore, part of a definition requires a categorization of actors involved, and boundaries set need to have clear punishments. However, unlike nukes — which requires large material demands only attainable by nation-states — cyber-weapons only require a computer and a coder who can identify exploits in programs and networks. As such, cyber-weapons can be used by nation-states, hacktivists or cyber-robbers, making punishment for actors involved difficult because perpetrators can vary.
For example, what happens if the attacker is a hacktivist who forwards their country’s national objectives without authorization? Do you punish the hacktivist, the country, or both? If we can’t define what cyber-weapons are, what cyberwarfare is, and who’s involved, then we cannot establish clear boundaries in cyberwarfare, and we certainly cannot punish anyone if there are no boundaries established.
A second issue that arises is the fact that cyber-weapons, such as denial of service attacks, has not initiated any sort of real-life armed conflict, and therefore, international regulations of cyber-warfare are not fully considered. Given the immense threat that STUXnet brought, this lack of consideration is unbelievable.
It is essential that the UN convene on the matter of cyber warfare and truly consider its implications. First, the UN must recognize that cyber-warfare can lead to real world conflict. Second, the UN must understand that various actors, to include both state and non-state actors, can use cyber-weapons. Third, the UN must create a fluid definition of what constitutes cyber-warfare to therefore establish real punishments, such as sanctions.
Compromise: Diplomacy by bolstering our diplomatic treaties
STUXnet was created to halt the development of nuclear weapons in Iran. However, the Joint Comprehensive Plan of Action by the Obama administration did an incredible job in slowing down the procedures necessary to develop a nuke. These diplomatic efforts must resume. Once the U.S. and other countries get back on diplomatic channels, clear goals and definitions can be established, as opposed to everyone relying on cyber-weapons to “save the day.”
However, the United States is losing its influence in the diplomatic world, evident by pulling out of the Paris Agreement. In order to counter an ever-building escalation of cyber weapons, the United States must resume its diplomatic channels and continue our commitments. The JCPOA and Paris Agreement are just some examples of agreements we need to come back to. The more the United States falters out of agreements, then other nation-states will see no reason to follow through with other diplomatic channels, and if that happens, miscommunication will occur, possibly leading to wars that include cyber warfare.
Within the spectrum of diplomacy, we also need to continue back-channel communications. Often times, diplomatic channels are open to the public, and some things cannot be said. Back-channel communications allow for more secretive discussions to take place, and while some may think that is completely contrary to stopping another STUXnet, it actually works in our favor. Through back-channel communications, something a country might not say in official diplomatic channels, can be said in private back-channel communications; ergo, there will be less miscommunication and a lesser risk of developing cyber weapons to attack one another.
Preparation: Military Capabilities
While STUXnet was indeed a dangerous cyber-weapon that was caught early on, it was only the beginning. There was an even more dangerous cyber-weapon in the works: Nitro Zeus.
However, the development of Nitro Zeus was not irrational. If we base our logic on realism, we understand the world is anarchic, and nation-states act in their own sense of security. We see this play out in the context of STUXnet: Russia launches TRITON; the U.K. gets more funding for cyber-warfare; Iran ramps its cyber capabilities by 1,200%. If all of these nation-states — even the ones we don’t know are building cyber weapons — are building their capabilities, then we, too, must prepare. That is not to say diplomacy is useless. But in the case diplomacy fails, which is a real possibility, the United States must have their own strategic options of deterrence available. The solution of having our own cyber-weapons is not ideal — but it is the most realistic to keep the U.S. safe, given that the UN hasn’t created any international laws regarding cyber weapons.
The Takeaway?
STUXnet was just the beginning that alarmed the entire world. The international community must come together and decide how to move forward in this dangerous cyber-realm. While building our own cyber capabilities is a way to deter the enormous threat of cyber-weapons that other nation-states are building, it is not ideal. The UN must quickly establish cyber regulations for the international community, while continuing back-channel avenues with countries that we perceive might be a threat in the cyber world.