Stuxnet: It’s a real threat, but not something we should shovel money at
By "a Naval Officer Specializing in Information Ops"
Best Defense guest cyber columnist
Recently, cyber experts and journalists have taken a sensible step back from the heated passions that surrounded cyber security in the aftermath of Stuxnet, the world’s first cyber weapon. Many well-informed individuals (including this correspondent) were initially swept up in the drama centered on the Iranian enrichment centrifuges, and were quick to herald the coming cyber wars. Others, less innocently, looked at cyber war as a new growth industry and contributed to the hype, sometimes promoting inefficient or unnecessary defensive policies. But now that clearer heads are prevailing, we must not discount the real and credible cyber threats that face the United States and other western powers. It is important that we do not under-react to Stuxnet, and dismiss valid cyber security concerns as an artificial product of media sensationalism or alarmist defense contractors (or both).
Of immediate concern is critical infrastructure, including both power grids and artificial constructs, such as the stock market. Both private researchers and the Government Accountability Office (GAO) have warned that the adoption of smart grid technology has been progressing with inadequate emphasis on cyber security. Similarly, NASDAQ systems have been recently compromised, reigniting the congressional debate over the merits of new cyber security legislation. Nothing about these two areas of vulnerability is frivolous or "hyped"; it is well within the realm of possibility that a state actor (or a well-funded private entity) could utilize cyber threats against these areas as leverage in conventional warfare or trade disputes. Moreover, these are areas of general consensus among cyber security experts, and should be addressed immediately.
That said, not all advice from leading experts should be followed, especially from those who are trying to drum up business for their consulting firms. For example, former Director of National Intelligence, Adm. Michael McConnell (ret.) (who is now an executive vice-president at Booz Allen Hamilton), proposed the complete redesign of the internet, a task that could possibly be contracted out to his firm, in a Washington Post op-ed.
"More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable."
This tasking, while accurately addressing the fundamental limitations of cyber war, would be an expensive exercise in futility. While the proposal would undoubtedly be confronted with privacy roadblocks in the United States, the larger problem would be convincing other countries to regulate their networks and to implement similar systems. Without unanimous international agreement, unmonitored darknets would exist that make "attribution, geolocation, intelligence analysis and impact assessment" just as difficult as it is now. For example, it’s highly doubtful that Chinese telecom companies (which provide connectivity all over the world) would welcome McConnell’s proposal with open arms. Likely dissenters would be China, North Korea, Russia, and much of Eastern Europe. The point is that while attribution is a tough and critical issue to resolve, his proposal is frighteningly unrealistic and sensational.
In fairness, McConnell does touch on many very valid, and perhaps less dramatic, cyber security concerns in his op-ed, which he has also repeated before Congress. In many ways, his credibility has brought critical attention to the issue of cyber security. But his private sector status also gives reason for doubt, and in some cases, as evidenced above, it seems justified. Experts like Dr. Martin Libicki of the RAND Corporation, as Best Defense previously reported, have been right to caution us to take a step back from the brink of cyber war alarmism.
The correct response to Stuxnet is to acknowledge the risks of cyber war, but be discerning in our reaction. We must separate the sensational from the legitimate, and only invest in valid and practical strategies. Only some projects and policies deserve American tax dollars. But we should also be wary of under-reacting, and chalking up the notion of cyber war as nothing but profit-driven hype. It would not be in our nation’s best interest to put our head back in the sand and ignore the real and tangible threats that could heavily damage our country.