Re: June 24, 2012
A recent article in The New York Times examined the implications of the U.S. deployment of computer viruses to slow the Iranian nuclear enrichment program. The article, “A Weapon We Can’t Control” by Misha Glenny, begins, “The decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet.” She notes the lack of any neo-institutionalist framework or international treaty regulating the use of malware as a tool of interstate conflict while explaining the reasons that the U.S. should think twice before crossing the supposed line of using computer code as weaponry.
I think it is probably easiest to start where Ms. Glenny is correct. It is true that the United States’ economy is the largest in the world and that it depends crucially on the Internet to function. By that logic, the U.S. has more to lose than any other nation in the event that the Internet becomes a tool for the intentional disruption of state infrastructure, so if we assume (incorrectly, in my view) that the actions of the U.S. will act as a catalyst, spawning a new age of digital destruction, then Washington will have unnecessarily put the U.S. in a perilous position – one in which there is no “moral” ground to oppose the use of these tools against America.
Glenny’s mistake, however, is based on a lack of awareness of the recent history of cyber warfare. U.S. defense systems, corporations, and infrastructure were already the target of cyber-attacks — long before Stuxnet came to light. Implying that America started something is a little like implying that the U.S. was the cause of World War II. And moral opposition, even if devoid of hypocrisy, is a quaint idea but not a medium that seems to get a lot of traction in international relations these days.
The only reason I can imagine that Glenny would believe that the U.S. had crossed a line is that Stuxnet was allegedly intentionally destructive to centrifuges, whereas most (but not
all) of the attacks against the United States are to steal information. But this is a very fuzzy and presumptuous line. Reasoning as Glenny does, we might say that Iran’s facilities were actually damaged by the Stuxnet attack, but in the case of China stealing, say, the plans for a stealth predator drone, nothing is actually damaged. In this case China just knows a little more than it did before. If that is as far as it goes, then it is possible to argue that the U.S. crossed an imaginary, poorly defined line. But if China at some point were to deploy a stealth predator drone against U.S. troops or civilians, or if China’s government becomes destabilized and the drones fall into the hands of a rogue state or terrorist organization, the theft of the information would be considerably more damaging.
And beyond the theft of information that undermines the ability of the U.S. to defend itself, it is worth considering that economic strength is easily translatable into military strength. It isn’t necessarily fair here to continue to focus only on China, but China is certainly a culprit. Anyone who believes that Chinese companies are paying for all of the licenses to the software and information they are using to build their economy should probably do a little investigating. It has been reported in various sources that Microsoft sells more licensed copies of software in the Netherlands than in China, even though China is now the world’s leading purchaser of computers and its population is over 75 times the population of the Netherlands. Other software and system manufacturers haven’t fared much better. There are thousands of documented cases of license, patent, and trademark infringement and most informed observers have some sense of the Chinese attitude toward stealing these kinds of items from the U.S. Receipts from falsely labeled textiles and pirated movies and music alone are likely more than the yearly gross of many large U.S. companies. If large Chinese corporations run on pirated network, design, and logistics software, and if they are manufacturing goods from pirated plans, then it would be difficult to calculate or overestimate the costs of the cybercrime.
And when dollars turn into yuan, and yuan turn into nuclear submarines, the potential consequences of network attacks become significantly more dangerous than those of centrifuges spinning out of control (which hurt no one, by the way.)
Glenny also doesn’t seem to have much of a handle on international politics and the reality that, in many cases, there are no good options. For better or worse, Israel is an ally of the U.S. Israel has argued (fairly) that Ahmadinejad has in the past advocated its destruction. Israelis have a legitimate reason to be concerned with the development of nuclear weapons in Iran. Whether it is reasonable for them to execute a preemptive bombing is debatable, but to be fair, if the entire U.S. could be destroyed in a day by the nuclear weapons of a close neighbor, I suspect Americans would react similarly. (See Cuban missile crisis — and consider the size of the U.S. versus Israel) So if Israel says to us, “we will not sit back and do nothing”, and the deployment of a computer virus delays or prevents their impulse to engage in full-scale war with Iran, then to me the virus seems a far better option.
Viewed in this way, the “line” the U.S. supposedly crossed seems more like a shift within a gradient shaded from light gray to dark. American defense facilities and corporations are attacked constantly by foreign actors. Cyber warfare is an inevitable reality. We probably need to square ourselves with that fact. And it is likely that we will be better off in the long run if we occasionally hit back and force ourselves to keep up with an evolving threat rather than pretend that if we do nothing, the whole problem will level off in severity or go away. So while Glenny is certainly free to speculate and philsophize and maybe install a moral firewall on her system, I would advocate proven defensive and offensive capacity over the notion that Iran or any other American antagonist, given the opportunity, would only launch a cyberattack against the U.S. in retaliation.