Post-Stuxnet: The era of computer-mediated destruction has begun
Jorge Benitez | June 12, 2012
From R. Scott Kemp, the Bulletin of the Atomic Scientists: While digital spying has taken place for decades, the era of computer-mediated destruction has only recently begun. Early this month The New York Times published an investigative feature that explored Olympic Games, a cyberweapons program designed to sabotage an element of another country's infrastructure. Started during the Bush administration, this is the first known program of its kind. In embarking on Olympic Games, the United States and Israel stepped boldly, but naively, into uncharted territory.
The first battle of Olympic Games reached the public eye in July 2010, when news broke of Stuxnet, a creative worm designed to cause Iran's uranium-enrichment centrifuges to explode by changing, with software, their operating parameters. On its heels were Duqu, Wiper, and Flame, a set of multipurpose tools that collected intelligence, identified vulnerabilities, and sabotaged information systems. . . .
[I]f the measure of Iran's progress toward a nuclear weapon is its inventory of enriched uranium, then Iran came out ahead. IAEA data indicates that Iran was able to boost output enough to reverse all Stuxnet-induced production losses by March 2010, about eight months after the attack first began to have an effect. After the successful eradication of Stuxnet in the summer of 2010, Iran sustained its heightened level of production, expanding its low-enriched uranium stockpile at rates exceeding the pre-Stuxnet trend. If, without Stuxnet, Iran would have expanded production according to its historical trajectory, then one would conclude that the cyberattack wound up enhancing Iran's ability to make nuclear weapons instead of setting the program back.
What went wrong? Stuxnet was designed to operate on an ongoing basis without being detected: a strategy of steady attrition in the pursuit of time. The worm was not supposed to leave Iran or be discovered -- but it soon spread beyond the confines of Iran's nuclear facilities until, ultimately, members of the computer-security community identified it. Stuxnet both failed to operate according to plan and failed to have a long-term benefit. Perhaps, then, the lesson for the authors of future cyberweapons is to recognize the short-lived and unpredictable nature of cyberattacks and aim for more acute, immediate destruction, rather than persistent manipulation of another nation's assets -- a worrisome conclusion suggesting that cyberweapons may be better suited for terror than for strategic affairs. . . .
In the world of armaments, cyber weapons may require the fewest national resources to build. That is not to say that highly developed nations are not without their advantages during early stages. Countries like Israel and the United States may have more money and more talented hackers. Their software engineers may be more skilled and exhibit more creativity and critical thinking owing to better training and education. However, each new cyberattack becomes a template for other nations -- or sub-national actors -- looking for ideas. Stuxnet revealed numerous clever solutions that are now part of a standard playbook. A Stuxnet-like attack can now be replicated by merely competent programmers, instead of requiring innovative hacker elites. It is as if with every bomb dropped, the blueprints for how to make it immediately follow. In time, the strategic advantage will slowly fade and once-esoteric cyber weapons will slowly become weapons of the weak.
Whatever the greater nature of cyberwarfare, it is clear that individual cyberweapons are inherently fragile. They work because they exploit previously unknown vulnerabilities. Stuxnet, for example, exploited four "zero day" vulnerabilities in the Windows operating system. As soon as Stuxnet made them public, they were patched and thus no longer available vectors for future attacks or intelligence gathering. Such vulnerabilities are also closed through routine software updates and patches. Powerful hacker entities like the US National Security Agency must continue to discover new weaknesses in an attempt to stay ahead, and probably maintain a sizable list of unpublished vulnerabilities for future exploitation -- but to what end? These security gaps apply to all computer systems of a specific type regardless of national borders. Every vulnerability kept secret for the purpose of enabling a future cyberattack is also a decision to let that vulnerability remain open in one's own national infrastructure, allowing it to be exploited by an enemy state or even a terrorist hacker. This raises a basic philosophical question about how states should approach the question of cyberwarfare: Should countries try to accrue offensive capabilities in what amounts to a secret arms race and, in doing so, hold their own publics at risk? Or should states take a different tack, releasing knowledge about vulnerabilities in a controlled way to create patches to shore up their own digital frontiers?
R. Scott Kemp is an associate research scholar with the Program on Science and Global Security at the Woodrow Wilson School for Public and International Affairs at Princeton University. (graphic: Matt Murphy/Economist)

