WHAT IS AN ACT OF CYBER WAR?
By Yvonne Headington
16 Jun 11. What is an act of cyber war? Media reports suggest we have an answer; the US has “concluded that computer sabotage coming from another country can constitute an act of war,” according to the Wall Street Journal (1st June 2011).
An unclassified version of the Pentagon’s cyber strategy, due to be made public this month, will seek to establish a formalised approach to the cyber threat and clarify the circumstances in which the US could respond using traditional military means. However the advent of cyber ‘attacks’ raises complex legal and political issues, as outlined by the author and consultant James Farwell on 15th June at the International Institute for Strategic Studies (IISS).
Farwell, who has advised the US Government on information operations and strategic communications, underlined the fact that international law and the rules of armed conflict have been “thought about more in terms of state to state engagements”. A chief characteristic of cyber attacks since 2005 is that they have involved non-state actors “whether that actor has been outsourced – a tasking – or whether they did it on their own as a patriotic actor”. According to Farwell, the evolution of computer warfare is being driven by developments in cyber crime. In other words “states outsource to criminal third parties rather than doing an act itself”.
The Stuxnet ‘worm’ is a well-documented illustration of how cyber attacks have impacted upon strategic considerations. Stuxnet, a “new generation of ‘fire-and-forget’ malware”, first emerged in 2009 and is believed to have been targeted primarily at Iran’s nuclear facilities. The worm infected over 60,000 computers; mostly in Iran but there was also wide collateral damage with systems in Australia, Azerbaijan, China, Finland, Germany, India, Indonesia, Malaysia, South Korea, the UK and the US also affected. Evidence of infection persists but there are now effective remedies and the worm itself has a shelf-life of 24 June 2012.
Stuxnet, however, is not as innovative or technically sophisticated as media reports might suggest. Air-gapped targets (i.e. systems not connected to the Internet) were infected with the worm through external devices such as memory sticks. Pentagon systems were similarly penetrated in 2008. There is also significant circumstantial evidence that suggests some linkage between the worm’s code and the Russian ‘grey market of code’ – an obscure, shadowy digital trail, but a trail nonetheless. Despite Stuxnet’s fuzzy origins Farwell is confident that the worm relied upon proven expertise. “Technology” according to Farwell “is changing the way that you have to think about these types of challenges”.
As for the impact of Stuxnet on Iran’s nuclear ambitions Farwell says that “nobody really knows the damage”. It has been estimated that some 20-23% of the centrifuges operating at the Natanz fuel-enrichment facilities were put out of action and that Iran would not now be able to produce a nuclear weapon (should it so wish) until 2015. It would seem that Stuxnet succeeded in retarding Iran’s nuclear capabilities. However, according to Iranian sources, the damage was temporary.
This leads on to questioning the utility of cyber warfare as opposed to the conventional use of force, since “there is no formula”. By way of example, an air strike against Iran’s facilities could succeed but with political and economic risks; such a kinetic attack would certainly produce physical damage and potential loss of life. Is this comparative to the possibly limited and repairable damage of a cyber attack? And what constitutes the ‘use of force’ (i.e. in terms of UN Article 2 (4) which prohibits “the threat or use of force against the territorial integrity or political independence of any state”)?
Farwell points out that both the UK and US have sustained cyber attacks but there is no indication from official sources “that anybody has eve