When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 3 of 8)

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

A Spectrum of Opinions

A person’s reaction to the United States’ deployment of Stuxnet probably falls along a spectrum defined by the following endpoints and center:

Endpoint A: Stuxnet accomplished its goal in a limited way by slowing down the Iranian nuclear threat for a time. We should conduct actions like this whenever we can, building cyber-weapons when possible and defending ourselves from them.

Midpoint: Stuxnet opens a scary can of worms, but was probably justified in the face of the possible alternative of Iranian nuclear weapons. No one died, and this is probably preferable to a missile attack.

Endpoint B: State-sponsored actions like Stuxnet are never justified. Cyberspace is sacrosanct space. All national involvement in cyber-weapons is a violation of international law and should be stopped.

Just What is “Cyberwar”?

Last week, I made the point that to sanctify its involvement in Stuxnet, the U.S. has to justify it as a largely defensive act in a larger conflict, or to downplay it as a moderate, targeted action that falls short of prompting Iran to invoke its Article 51 right of self-defense. The U.S. appears to want to do both: invoking the specter of cyberwar when it suits us to warn other nations not to attack U.S. systems and to excite the populace into supporting a broad cybersecurity-industrial complex, but at the same time creating a definition of cyber-attack which arguably excludes the Stuxnet action.

In an episode from the first season of Star Trek: The Original Series, the Enterprise goes to Eminiar VII, a planet which has been warring with a neighboring planet for over 500 years. Planetary officials inform Captain Kirk that an attack has been launched which has cost half a million lives. Confused, Kirk asks why he didn’t hear any explosions or see any rubble. The official replies that a war with real devastation would be very uncivilized: on their planet, the attack’s success and the loss of human life are calculated by computer. The fatalities then have 24 hours to walk into the incinerator of their own volition. Kirk then stages a coup in which he forces the two planets to negotiate. In Kirk’s view, only the actuality of destructive war is sufficient motivation to compel warring parties to stop.[i]

Star Trek poses an interesting question: What is “cyberwar,” really? Is it real war, or is it a common delusion we share, like on the planet Eminiar VII?

One thing is certain: the term “cyberwar” is an emotionally charged word with a very imprecise meaning. Even an attempt to fix a definition is hotly debated. The debate corresponds roughly to the categories of force and armed attack discussed in Part 2: a more expansive view of force equates to a greater tendency to label the behavior cyberwar.

A number of scholars have advocated for a very precise definition of cyberwar. Hathaway et al., for example, define cyberwar as any act which has these three properties: (1) its objective must be to undermine a computer network, (2) for a national security or political purpose (must be performed by a state actor), and (3) with an effect equivalent to that of a conventional armed attack or occurring within the context of a larger armed conflict.[ii] It is immediately apparent that this excludes basic criminal activity conducted utilizing a computer, but also excludes acts of terrorism when those acts are not state-sponsored.

Thomas Rid, a well-known scholar of war at King’s College London, says pointedly: “Consider the definition of an act of war: It has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we’ve seen so far, from Estonia to the Stuxnet virus, simply don’t meet these criteria.”[iii] Others have outlined the position even more narrowly: They believe that the term cyberwar should only be utilized when it is part of actual warfare: “No bombs and bullets…no cyberwar.”[iv]


In contrast, it serves the purpose of many in the U.S. Congress, Executive branch, military, and the supporting cast of characters in the private security industry to see every attack on any national interest as a form of cyberwar. Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, has asserted that “a cyber-attack could stop our society in its tracks,” and has often said that the world is more dangerous now than it was during the Cold War. Michael McConnell, former Director of National Intelligence under George W. Bush and now V.P. of a private security consulting firm, opined in March 2010 that we are “fighting a cyber-war today, and we are losing. It’s that simple.” He called upon the U.S. to implement a comprehensive strategy utilizing the tactics of the Cold War, preemption and deterrence. Under his guidance, Bush secretly authorized billions of dollars so that the military could begin erecting cyber-defenses and creating cyber-weaponry. McConnell was widely ridiculed for the extremity of his position, and President Obama’s new Cyber Czar Howard Schmidt went so far as to say a few days later, “There is no cyberwar…. I think that is a terrible metaphor and I think that is a terrible concept. There are no winners in that environment.”

Ironically, the United States’ own weapon, Stuxnet, has itself fueled much of the hype. Germany, whose secret service (according to some accounts) aided in getting the virus into Iran, used Stuxnet as an impetus to establish a national cyber defense center. Rhetoric is in some ways a luxury of those with clean hands, and since Stuxnet was pinned on the U.S., the rhetoric has died down somewhat. However, in the background the beat goes on, with billions in funding and an expanding group of cybersecurity military contractors.

The Cybersecurity-Industrial Complex

In the U.S., dozens—if not hundreds—of contractors now participate in these efforts. Acting under a doctrine called “offense dominates defense,” the Defense Department has concluded that it is in our best interest to develop a range of offensive cyber-weapons. Builders of these weapons range from the usual players like Northrop Grumman, Raytheon, and General Dynamics to new ventures like Endgame and Immunity. Endgame builds (or buys from hackers in shadow markets) zero-day exploits and militarizes them for the Pentagon. All of these players take a piece of an estimated $10.5 billion information security budget. Most are founded or operated by a dense network of Pentagon-national security insiders from current and former administrations, very much like the military-industrial complex many will recall from the Cold War.

Meanwhile, over 50 cybersecurity bills have been proposed in Congress. One of the most widely supported was the Senate’s Cybersecurity Act of 2012, which had broad support from the Obama Administration and many Democrats. The bill included expansive new penalties for hacking and gave broad powers and responsibilities to companies to monitor customer communications and send them to the government without a warrant. When the bill failed to gain the 60 votes needed for a full vote, likely killing the chance of any legislation for this session, the President indicated that he might issue an executive order authorizing the DHS to develop policies for collection and information sharing efforts.

There are a number of commentators and security experts who don’t even share the opinion that the risk of cyber-weapons is that great. Many believe that, in terms of cyber-weaponry causing real damage, Stuxnet was about as good as it can get, the peak of what is possible to pull off with regard to physical systems. It required stealth, deep knowledge of the penetrated system, and the ability to hide the subtle influence it was having with monitoring and feedback. All of these attributes increase the cost of malware greatly and decrease the widespread usefulness of the tool.[v] A bomb, on the other hand, can be used against an airport or an enrichment facility. Another limitation of cyber-weapons is that they can be defeated rapidly once they are discovered. These constraints mean cyber-weapons have limited utility and so, these experts conclude, we have less to fear than it seems.

How should we look at it?

It is my position that over-inflation of the potential for disaster from cyber-attacks itself poses the greatest threat. In other words, the most serious danger lies not in the damage we might suffer to our systems, but in the unintended consequences arising from extreme and knee-jerk attempts to protect ourselves and counter-attack. These consequences have a high social, economic, and liberty cost—possibly even higher than the risk from attack.

I’ll begin talking about some of those consequences next time. For now, let me be clear that I do not believe that defining cyberwar narrowly means that a broad range of cyber-attacks are thereby sanctified: state-sponsored attacks like Stuxnet are poor policy for a wide range of reasons, independently of whether they constitute an act of war. I remain skeptical of overly constrained definitions that have the scent of realpolitik and rationalization, but over-exaggerations of the potential harm of cyber-weapons are the new aluminum tubes and yellowcake, and we all know how that turned out.

[i] Star Trek, The Original Series: A Taste of Armageddon (Feb. 23, 1967).

[ii] Oona A. Hathaway et al., The Law of Cyber-Attack, 100 CAL L. REV. 817, 833-37 (2012).

[iii] Thomas Rid, Think Again: Cyberwar, FOREIGN POLICY (March/April 2012), http://www.foreignpolicy.com/articles/2012/02/27/cyberwar.

[iv] Krypt3ia, CYBERWAR! A Taxonomy, KRYPT3IA BLOG (Jan. 18, 2012), http://krypt3ia.wordpress.com/2012/01/18/cyberwar-a-taxonomy/.

[v] See, e.g., Rid; Sean Lawson, Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History (Mercatus Ctr. at George Mason Univ., Working Paper No. 11-01, 2011), available at http://mercatus.org/sites/default/files/publication/beyond-cyber-doom-cyber-attack-scenarios-evidence-history_1.pdf; Jerry Brito and Tate Watkins, Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy (Mercatus Ctr. at George Mason Univ., Working Paper No. 11-24, 2011), available at http://mercatus.org/sites/default/files/WP1124_Loving_cyber_bomb.pdf


~ by K. Miller on October 9, 2012.

2 Responses to “When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 3 of 8)”

  1. Love the Star Trek reference! The use of the term “cyber warfare” has become very problematic. In the first instance, there is no good definition of it that is commonly accepted. Secondly, its use has become politicized in the same way “terrorism” has become politicized. Thus now, we have narco-terrorist, eco-terrorist, and so forth. We see prosecutors charging individuals with “using terrorist threats” when in fact, the parties were involved in a common garden variety dispute. The overuse of such terminology waters down the significance and importance of the concept.

    To my way of thinking, legal scholars, lawyers and law makers are still struggling to understand what is being talked about. The idea that without bullets and bombs no cyber warfare can occur is certainly a failure to understand the ways in which cyber attacks could cripple a government or endanger a civilian population. For me, that is the crux of the matter. Are we thinking about civilian populations and the impact upon them? After all, that is what the rules of warfare regulate, how nations can fight each other and the restrictions on fighting in order to protect civilians. As the Star Trek reference shows, even though no civilians were killed as a result of the computer moves, civilian deaths still occurred.

  2. Offense only dominates defense in a game that leaves winners and losers. This is the problem with our world and country – us vs. them; we vs. they; good vs. evil. It is also the problem with having an industrial military complex dominating our political system. We are left with only two choices – win or lose. And when there are only two choices, the choice is obvious. But there are rarely only two choices and it is necessary that our elected officials speak more to this reality of grey than they do. The “axis of evil” mentality leads not just to the destruction of options for resolution, but also in how we define the ‘other’. Any definition that incorporates similarities reduces the black and white division and enters into the murky grey of uncertainty, questions, and awareness of hypocrisy.
