The following editorial appeared in the Chicago Tribune:
On July 16, 1945, American scientists detonated the first nuclear bomb at a site nicknamed Trinity in the barren Jornada del Muerto desert of New Mexico. It was an enormous blast.
Today a new theater of war — this one in cyberspace, the digital realm of computer networks — has dawned quietly. Recently we’ve learned details of a major U.S. cyberattack on Iran’s outlaw nuclear program, apparently launched in 2008.
The weapon: an ingenious computer virus named Stuxnet. It infiltrated computers at a uranium enrichment facility in central Iran, causing scores of centrifuges to spin out of control and self-destruct — while engineers in the control booth detected nothing amiss.
The New York Times now reports that President Barack Obama secretly ordered that attack, part of a series of cyberassaults code-named Olympic Games:
Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyber weapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.
“We discussed the irony, more than once,” one of his aides said. Another said that the administration was resistant to developing a “grand theory for a weapon whose possibilities they were still discovering.” Yet Mr. Obama concluded that when it came to stopping Iran, the United States had no other choice.
Obama made the right call. Conducting a successful cyberassault on Iran is preferable to sending bombers or cruise missiles. Evidently there have been other cyberassaults, including a campaign by the sophisticated virus nicknamed Flame. “The massive piece of malware secretly mapped and monitored Iran’s computer networks, sending back a steady stream of intelligence to prepare for a cyberwarfare campaign,” The Washington Post reports. Flame flickered into public view last month after Iran detected a barrage of assaults on its oil industry.
America is at war in cyberspace, with no boots on the ground or planes in the air. Just fingers on keyboards.
Last year, the Pentagon declared cyberspace “a domain of war,” just as vital to defend as land, sea, air and space. Defense officials are recruiting computer wizards from universities, and computer-gaming companies to develop cybertechnologies in a program dubbed, with appropriate spy-versus-spy panache, Plan X, the Post reports. Russia, China and other nations also are girding for cyberbattles.
Just about everything that relies on computer code and links to a network could be vulnerable to attack: communications systems, satellites, security systems, banking networks, trains, power plants, water systems and power grids.
Imagine the damage criminals do via computers, ransacking banks and credit agencies, exposing millions of credit card numbers, stealing medical files and Social Security numbers. Now ask: What could similarly talented computer hackers do if unleashed in a military operation to cause chaos in a U.S. city or network?
Salient points on the coming battles:
—Cyberwar is asymmetric; a lesser power can exact a terrible toll on a greater one. The huge U.S. lead in defense technology may or may not help here. A determined band of hackers anywhere in the world could mount an attack.
—Cyberattacks are unpredictable and difficult to trace. Deterrence and retaliation are tricky — good reasons to develop a strong defense and a powerful offense.
—After the U.S. unleashed the first nuclear bombs, other nations learned to build them. The same is true with cyberweapons, only at an accelerated rate. Each successful attack spawns new expertise, and it is not limited to sophisticated hackers in the U.S. Around the world, hackers have dissected the Stuxnet worm and have added its clever features to their own, writes R. Scott Kemp on The Bulletin of the Atomic Scientists website. They are “now part of a standard playbook” he says, so “a Stuxnet-like attack can now be replicated by merely competent programmers, instead of requiring innovative hacker elites. It is as if with every bomb dropped, the blueprints for how to make it immediately follow.”
Kemp, a global security specialist at Princeton’s Woodrow Wilson School for Public and International Affairs, argues that the U.S. should prepare to defend itself, but not to attack:
For states that have little to lose on the cyber front, an offensive approach may be interesting. But for the United States and other highly developed nations whose societies are critically and deeply reliant on computers, the safe approach is to direct cyber research at purely defensive applications. ... The alternative approach, to continue to launch ambitious cyber attacks, is to cross the Rubicon with an unpracticed weapon, naked to the attacks of enemies and terrorists alike.
We’d argue that cyberterrorists aren’t likely to play by those rules — or any rules. The U.S. has already crossed the Rubicon. There’s no retreat. America needs devastating cyberweapons and a strong defense for the battles to come.