What does Stuxnet tell us about the future of cyber-warfare?

Some readers may recall that I’ve been a skeptic about the whole "cyber-war" business, and suggested that it was an ideal policy arena in which to expect threat-inflation. To be clear, I did not argue that there was absolutely nothing to it, or even that we could afford to ignore the problem, but there’s no question that I’ve been less than fully persuaded by a lot of the hype.

It is therefore a fair question to ask whether the whole Stuxnet affair has altered my views on this matter. (For those of you just returning from a month wandering in the desert, I refer to the computer worm whose origins remain obscure but which has apparently affected a number of industrial control computers in Iran, presumably with the intent of disrupting their nuclear enrichment efforts).

So has the Stuxnet worm convinced me that the cyber-war/cyber-terror threat ought to be taken more seriously?

Yes and no.

On the one hand, this incident has provided a vivid demonstration of the potential impact that various cyber-weapons could have, and so it has led me to revise my concerns about the problem upward. But as noted above, I never said it should be ignored; only that we had to be careful not to over-hype it.

On the other hand, I think this incident also demonstrates why this whole problem is still so hard to evaluate, and why we really need greater information and assessment before we’ll know if we are over- or under-reacting. Although some people undoubtedly know who made the Stuxnet worm and how it got into Iran’s industrial control systems, it hasn’t been made public thus far. Indeed, private computer security experts are reportedly miffed that the U.S. government isn’t providing them with everything it may know about the Stuxnet problem. So it’s hard for us laypersons to judge just how broad or serious such a threat might be, or how easy it would be for others to do something like this to us. The apparent success of the Stuxnet attack may not tell us very much about the vulnerability of other systems (including military systems), especially when they are equipped with more sophisticated defenses.

The reports I’ve seen also suggest that the worm was almost certainly the product of a sophisticated programming team, and most analysts seem to think that a wealthy and/or advanced country had to be behind it. If so, then one might be justified in concluding that cyber-war in the future will be a lot like conventional war in the past: the richest and most advanced countries will be better at it, simply because they can devote more resources to the problem. Even if Stuxnet suggests that cyber-war has more potential than people like me had previously believed, it doesn’t herald some sort of revolutionary shift in the global balance of power, in which a handful of clever computer-wielding Davids suddenly strike down various lumbering, computer-dependent Goliaths.

In any case, the one thing I haven’t changed is my desire to see this problem analyzed in a more systematic and public fashion, and by a panel of experts with no particular professional or economic stake in the outcome. Ironically, in the aftermath of the Stuxnet attack, I’d like to see that even more.