Libicki: Stuxnet isn’t all it’s cracked up to be — but then neither is cyberwar, really
"Cyber security has become Washington’s new growth industry," two of my CNAS colleagues, Kristin Lord and Travis Sharp, commented the other day. They warn especially against billion dollar solutions to million dollar problems. They’re right. Everyone’s hyperventilating about cyber-this and cyber-that, so we dispatched one of our cyber-reporters, Zach Keck (real name) across the real river to see what up.
By Zach Keck
Best Defense cyberwar bureau
The Stuxnet virus isn’t as big a deal as people think and only worked because the Iranians weren’t practicing safe computing, Martin Libicki of the Rand Corporation said at his packed briefing on "Cyber-security and Cyber-deterrence," in Pentagon City the other night.
Dr. Libicki began the night by noting that his definition of cyber-warfare only considers conflict between states. More specifically, he defined cyberwar as one state using information to attack another state’s information by attacking the other’s information system. This definition excludes many closely related concepts such as cyber-espionage, electronic warfare, or even attacking prominent public websites. Still, this somewhat limited definition proved robust enough to facilitate some interesting discussion, particularly with regard to Stuxnet and the purposes to which cyber-warfare best lends itself.
The presentation challenged the conventional wisdom on the significance of Stuxnet. To begin with, the virus was only effective because the Iranian regime disregarded some commonsense safeguards that would have immediately alerted them that their systems had been corrupted. Moreover, another crucial aspect of Stuxnet’s success was Iranian inexperience with spinning centrifuges: any mature nuclear state, even if it too disregarded these simple safeguards, would have been able to quickly recognize that the system was not running properly.
Libicki used Stuxnet to illustrate an important insight into the nature of cyberwar in general. In direct contrast to senior advisor for cyber-security in the Department of Energy Bill Hunteman, who has predicted that Stuxnet will set off a chain of copycats, Dr. Libicki argued that we were unlikely to see a sequel to Stuxnet. Cyber attacks exploit a hole in the program, which consequently brings the glitch to the attention of the victim government and others monitoring the situation, who will then patch it up, rendering that particular cyber capability useless.
This point had interesting implications when the subject turned to the ends to which cyber attacks were best suited. Specifically, he argued that cyber attacks were unlikely to be effective for coercive purposes. Libicki noted that attacking a country simultaneously produces feelings of anger, for being attacked in the first place, as well as fear of being attacked again. Since a second cyber-attack will not be nearly as effective as the first one, however, a country’s anger will likely overpower the fear, making the victim country prone to retaliate.
Nonetheless, cyber-war tactics may be useful when integrated with other military capabilities. The example Libicki used to demonstrate this point to the audience was if China, while still much weaker militarily than the United States, decided to take Taiwan by force. In such a scenario, China could launch a cyber attack on the U.S. Navy’s 7th Fleet, which, if the attack were successful, could render the fleet incapable of responding for up to 48 hours. At this point, however, China may already control the island, and the United States would have to consider acquiescing to this reality. While I tend to doubt the likelihood of the United States doing this, it could be a powerful argument that could be used by the hardliners in China to convince their country to take action against Taiwan. In this sense at least, cyber-warfare capabilities may increase the probability of war by miscalculation.
The briefing stood on less solid ground when turning to the topic of cyber-deterrence. After noting the important, if somewhat apparent problems of recognizing the system had been infiltrated, and attributing the source of the attack, the briefing discussed problems related to whether the country would want to respond to the attack, and even whether the government would want to make it publicly known that it had been attacked at all. It wasn’t clear to me, however, whether these points were made to convey the sense that deterrence, at least as the concept is commonly used with regard to nuclear weapons, wouldn’t work in cyberspace because countries wouldn’t fear retaliation; or, alternatively, if the briefing were using deterrence in the sense of responding in ways that will deter future attacks.
This point got murkier when the first person during Q&A reasonably asked: "why would the victim of a cyber attack have to respond in kind?" Dr. Libicki at first fumbled around with this question, discussing the uses of sanctions and that of armed force, before finally acknowledging that the state could respond in whichever manner it chose. "This becomes a strategic question," Libicki noted, before moving on to the next question.
To me, this point is worth dwelling on as it potentially has significant strategic importance for U.S. cyber-strategy moving forward. For instance, it suggests that even though the United States will probably develop the capabilities to institute a "Flexible Response" strategy in the mold of JFK, it would be prudent to follow the precedent of President Eisenhower’s "New Look" by reserving to itself the right to respond asymmetrically to cyber attacks. Although we may rely more heavily on the internet and related infrastructure than some of our potential adversaries such as Venezuela or Iran, we also maintain a military that can destroy the very things that these regimes hold dear. This would seem to be the best way to establish an effective cyber-deterrent, at least against weak non-nuclear states. On the other hand, because of the inherent plausible deniability of cyber attacks, limited uses of them may come to be an important aspect of conflict between nuclear armed adversaries, much as the use of terrorism and proxies was during the Cold War, and continues to be in the Indo-Pakistani conflict.