Mr. Joe Costa of the Cohen Group, Dr. James Lewis of the Center for Strategic and International Studies (CSIS), and Dr. Martin Libicki of the RAND Corporation debate how the United States should operate within the cyber domain.
Debate: How Should the United States Operate in the Cyber Domain?
The United States has incorporated cyber security into its foreign policy, using the Stuxnet worm to destroy nearly 1,000 Iranian centrifuges in June 2012. Countries such as Iran are also using cyber technologies to cause disruptions such as the October 2012 cyberattacks on U.S. banks. With the growing threat of cyber attacks, how should the U.S. operate in this arena? Has cyber warfare made the United States more or less safe?
Mr. Joe Costa, The Cohen Group
The consequences of a nuclear-armed Iran to international peace and security are so severe that any responsible country must exhaust all options short of war to prevent that outcome. The narrow and direct use of cyberweapons against Tehran is an additional policy tool to resolve the Iranian nuclear challenge diplomatically. To mitigate the long-term dangers created by cyberattacks, the United States has taken important first steps, and must continue to advance an international conversation that will place appropriate constraints on offensive cyberspace operations.
By the time President Obama assumed office in January 2009, Iran had amassed nearly a bomb’s worth of low-enriched uranium. It had the technical capability to turn this material into weapons-usable fuel if a decision was made to do so. Negotiations with Tehran had failed on multiple occasions over the previous six years. The United States had intelligence that Iran was developing a second covert enrichment plant with no civilian application under the hardened mountains of Qom. Israel was sending a clear and direct message that there was limited time remaining before it may launch a military strike.
The President was approaching a choice between two worst-case scenarios: the possibility that a nuclear-armed Iran could emerge under his watch; or, that a military conflict in the Middle East would occur to prevent that outcome. Both would have catastrophic consequences for global stability.
It was under these circumstances that a malicious worm reportedly developed by the United States and Israel infiltrated Iran’s computer network at the Natanz enrichment plant and disrupted 20% of its operating centrifuges. Nearly a year later, a separate virus collected information from the personal computers of senior Iranian officials. A third wiped out data at Iran’s Oil Ministry, forcing the government to temporarily disconnect some of its oil terminals from the Internet.
These cyberattacks served several useful purposes. The so-called Stuxnet virus that struck Iran’s spinning centrifuges temporarily delayed the program and created a slightly longer window of time to assemble a diplomatic resolution to the crisis. More importantly, they demonstrated to Israel that there was credible determination to delay a nuclear-armed Iran and thereby contributed to holding off a potential military strike.
The Flame virus secretly gathered sensitive information from the personal computers of high-ranking Iranian officials. Acquiring real-time intelligence is critical in identifying potential threats before they evolve and demonstrating to the Iranian leadership that they are being watched 24 hours a day, seven days a week. The Supreme Leader is much less likely to pursue a nuclear weapon if he believes there is a high probability of getting caught.
These tangible benefits have come at a cost. Due to a programming glitch, the Stuxnet virus was released to the world. It is now accessible by states or individuals who do not have the U.S.’s best interest in mind.
In 2011, Iran’s military created a cyber unit that U.S. officials believe is behind recent cyberattacks that knocked some U.S. banks offline, and rendered useless 30,000 computers at Saudi Arabia’s state oil company, Aramco, in what Secretary of Defense Leon Panetta called, “The most destructive attack that the private sector has seen to date.” Soon after, a similar virus shut down the website and e-mail servers of Qatar’s national energy company, RasGas.
The danger of Iranian retaliation, however, is being managed. In an indirect warning to Tehran, Secretary Panetta declared, “If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president.” Iran is not likely to test the credibility of that statement.
Looking to the risks of the future, the U.S. is seeking to constrain state behavior in cyberspace by applying established laws of war to this new domain. As State Department Legal Counsel Harold Hongju Koh recently said, “Cyberspace is not a ‘law-free’ zone where anyone can conduct hostile activities without rules or restraint.”
In the next four years, the Administration must continue to maintain its leadership position on this issue and drive a global dialogue that will create the international institutions and governing principles that will place appropriate boundaries around this emerging technology.
Dr. James Lewis, Center for Strategic and International Studies (CSIS)
Some say we have opened Pandora’s Box and militarized cyberspace, unleashing an out of control cyber arms race. What anyone who says this has really unleashed is a herd of clichés. Nations have been exploiting computer networks since the 1980s. Cyber techniques provide powerful new tools for espionage, coercion, and attack. Since the line between espionage and “attack” is negligibly thin – once you are in, you can harvest information or, if you wish, do damage – any nation that can conduct espionage in cyberspace can also carry out an attack. No country will forsake espionage and in consequence, cyberattack is inescapably with us.
Cyber provides a new tool of coercion available to nations (and to some private actors). It is fast, covert and relatively cheap. Few defenses are in place against it. At least a dozen countries are developing offensive cyber capabilities, experimenting with its use and testing plans and doctrine. The U.S. is one of them, and so is Iran.
There has been a sporadic, largely covert conflict between the U.S. and Iran since 1979. Iran intervened in the Iraq war to attack U.S. troops. It plays a murky role in Afghanistan and a harmful, not-so-murky role in Lebanon and Syria. In turn, there are credible reports of U.S. covert actions against Iran’s nuclear programs, in cooperation with several allies – televising the wreckage of a captured drone is a good indicator of American activity.
Covert action makes people uncomfortable, but the U.S. has used it in the past against hostile authoritarian regimes. If there is covert action against Iran, it is Iran’s unwillingness to comply with IAEA rules and give up its atomic bomb program that inspires it. In any case, Iran is no stranger itself to covert warfare and can hardly complain as it flies weapons to Assad.
Cyber espionage and attack now play a role in this covert engagement. Iran suspects that many nations exploit its networks for intelligence purposes. Recently, unknown hands used a cyberattack to interfere with Iran’s major oil terminal at Kharg Island. Iran has experienced at least one serious attack. Despite Iranian denials, the Stuxnet virus did real damage to the nuclear program. Stuxnet was precise. Although it spread to many networks, it damaged only one. There was no collateral damage and little political risk – much more attractive than an air strike or raid.
Iran has been developing cyber capabilities for about five years. The initial motive was political. Iran does not want its citizens to have untrammeled access to information and its rulers, after their bloody suppression of the 2009 election, out of fear that the power of social networks will unleash something like Arab Spring. Iran has developed an impressive array of institutions to manage its new cyber tools, with a “High Council of Cyberspace,” and a proxy “cyber army” controlled by intelligence agencies and the Iranian Revolutionary Guard. It is even trying to build its own national internet and national search engine (that would find only approved sites). Its programs resemble those of China, and Russia may also help.
Iran has limited technical capabilities for cyber attack, but it has shown it can use these in unexpected ways. Iran used its skills in August to erase data from 30,000 computers at Saudi Aramco, a major oil producer (probably in retaliation for Kharg) and in September against major U.S. banks (in relation for sanctions). The two attacks were probably tests – of a simple weapon in the case of Aramco and of the U.S. reaction in the case of the banks.
In response, Secretary of Defense Panetta announced a new doctrine that would allow Cyber Command to block attacks or preemptively disable an attacking computer in another country. In his speech, he mentioned only Russia, China – and Iran. Coincidently, Iranian action against the banks seems to have stopped after this, but they may have simply run their course.
The Gulf has become an active theater for cyberattack, with many nations engaged. This is uncertain terrain. The internet creates unknown political forces and offers new possibilities for disruption. There is little understanding among nations on how to manage the new arena for conflict. It is not a stable situation, but the source of instability is not cyber weapons but the tense relations between the two countries. Cyberattack is an effect, not the cause, another chapter in a thirty year dispute.
Dr. Martin Libicki, The RAND Corporation
A matter of degree: Who can authorize a cyberattack?
Understanding when the United States should engage in cyberwar and who should approve cyberattacks requires understanding that cyberwar has multiple personalities: operational, strategic, and that great gray area in-between.
Operational cyberwar, for instance, is the use of cyberattacks to support the traditional use of physical (aka kinetic) force. An example (if true) would be how cyberattacks on air-defense radar enabled Israeli jets to safely knock out a Syrian nuclear reactor in 2007. Operational cyberwar is no more problematic than the kinetic operation it would support. If lethal means are acceptable, non-lethal means cannot be a problem. Thus operational cyberwar decisions need not be made by the president, at least not once a precedent is set.
Strategic cyberwar, for its part, is the use of cyberattacks to punish, harass, or annoy the people of another country. The attack by Russians on Estonians in 2007 was an act of strategic cyberwar, albeit one that stayed comfortably within the zone of annoyance rather than anything worse. Once a country has carried out a strategic cyberwar campaign on another country, there is no hiding the fact that the attacker rejoices in the other’s discomfort. The decision to carry out a strategic cyberwar campaign has to be a decision made by a head of state – the president, in the case of America – and not by any military command or intelligence agency, just as the decision to blockade another country’s harbors cannot be made by the U.S. Navy acting on its own.
It’s that great gray area in between where the authority to carry out cyberattacks could profit from further definition. Take Stuxnet. Whoever carried it out is not at war with Iran (no one is), and the Natanz enrichment plant was not a military system in a war zone. So it wasn’t an operational cyberattack. However, the purpose of the attack did not appear aimed at making life miserable for the average Iranian; so it really could not be characterized as a strategic attack, either. Stuxnet was closer to an act of sabotage. Although sabotage is not an act of war, the difference between sabotage and a strategic bombing campaign is a matter of degree (and, invariably, casualties). At a lower level, the United Kingdom reportedly penetrated a jihadist web site and substituted a harmless article (on cupcake manufacturing) for a harmful one (bomb manufacturing); this may not have been the only interference with such web sites. A good rule of thumb is that if the results of the action are going to come to the president’s attention then the responsibility rests there as well. Whether repeat applications need specific authorization is a matter of details.
But the most difficult example is an action that (supposedly) has to take place faster than presidential authorization can be acquired. Let’s say there’s an incoming cyberattack, which as we all know takes place at the speed of light. All will be lost if no one can pre-empt or at least react to it at comparable speed. And so, a return cyberattack takes place, and the president is awakened to find that disaster has been averted. Hence, the case for pre-authorization of “active defense.” But is pre-authorization wise? If intelligence on the nature, potential, and source of an attack were perfect, the response precise, and the rationale unassailable, why not? Alas, not only do men fall short of gods, but cyberwar does not really work that way. Consider, again, Stuxnet. By the time it wormed its way into the right computers at Natanz, exactly which system it came out of is not only past but irrelevant; it’s gone. It worked for months before the Iranians caught on (perhaps only by reading the New York Times). The cyberespionage campaigns that suck intellectual property from U.S. corporations take place over months; indeed, such attacks typically go on for a year prior to discovery. The attacks on bank web sites that Secretary of Defense Panetta ascribed to the Iranians did not have a detonation point that had to be stopped within milliseconds. And even if one could imagine an attack in progress that has yet to reach an imminent detonation point, blocking the attack at its destination rather than source is technically easier and raises fewer issues.
And that takes us back to our first rule. If the president has to answer to it, the president has to authorize it. In cyberspace, as in physical space, the buck stops there.
About the Debaters:
Joe Costa is an Associate at The Cohen Group. Previously, Joe was a researcher at Harvard’s Belfer Center for Science and International Affairs, where his focus was Iran’s nuclear program. He was a member of Harvard’s Iran Nuclear Negotiations Working Group, and is the current Director of the Truman National Security Project’s Nuclear Nonproliferation Expert Group. Joe served as a Rosenthal Fellow on the Committee on Homeland Security in the U.S. House of Representatives and earned a Masters in Public Policy at the University of Chicago.
James Lewis is a senior fellow and director of the Technology and Public Policy Program at CSIS. Before joining CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service. Lewis’s recent work has focused on cybersecurity, including the groundbreaking report “Cybersecurity for the 44th Presidency,” space, and innovation. His current research examines the political effect of the Internet, strategic competition among nations, and technological innovation. Lewis received his Ph.D. from the University of Chicago.
Martin Libicki is a senior management scientist at the RAND Corporation. His research focuses on the impacts of information technology on domestic and national security. This work is documented in commercially published books—e.g., Conquest in Cyberspace: National Security and Information Warfare (Cambridge University Press, 2007) and Information Technology Standards: Quest for the Common Byte (Digital Press, 1995)—as well as in numerous monographs, notably How Insurgencies End (with Ben Connable, 2010), Cyberdeterrence and Cyberwar (2009), How Terrorist Groups End: Lessons for Countering al Qa’ida (with Seth G. Jones, 2008), Exploring Terrorist Targeting Preferences (with Peter Chalk and Melanie W. Sisson, 2007), and Who Runs What in the Global Information Grid (2000). His most recent research involved organizing the U.S. Air Force for cyberwar, exploiting cell phones in counterinsurgency, developing a post-9/11 information technology strategy for the U.S. Department of Justice, using biometrics for identity management, assessing the Terrorist Information Awareness program of the Defense Advanced Research Project Agency, conducting information security analysis for the FBI, and evaluating In-Q-Tel. Prior to joining RAND, Libicki spent 12 years at the National Defense University, three years on the Navy staff as program sponsor for industrial preparedness, and three years as a policy analyst for the U.S. General Accounting Office’s Energy and Minerals Division. Libicki received his Ph.D. in economics from the University of California, Berkeley.
About Up for Debate:
In Up For Debate, FAS invites knowledgeable outside contributors to discuss science policy and security issues. This debate among experts is conducted via email and posted on FAS.org. FAS invites a demographically and ideologically diverse group to comment – a unique FAS feature that allows readers to reach conclusions based on both sides of an argument rather than just one point of view.
Please read the guidelines for the official debate and rebuttal policy for participants of FAS’s ‘Up For Debate.’ All participants are required to follow these rules. Each opinion must stay on topic and feature relevant content, or be a rebuttal. No ad hominem and personal attacks, name calling, libel, or defamation is allowed, and proper citations must be given.