On Iran and Pre-Emptive Cyber Attacks

Early in February of 2013, many news outlets came out with articles about the US Government having a ‘secret legal review’ on the use of its cyber-arsenal. This legal review concluded that the US government could launch a cyber attack against a threatening nation if the country needed to defend itself. Essentially it boils down to ‘legitimately’ having the power to order a pre-emptive cyber attack, even though only the President himself can authorise such an attack. As many nations are developing their own Cyber program, and some nations are very actively using cyber attacks to get a definite leg up, nobody really expected any other outcome. A very damning report by Mandiant on “APT1” recently emphasised yet again how professional and broad-scoped China’s cyber espionage apparatus has become, and the United States finds itself a major target in these operations. Even though this same report is heavily criticized by experts for having critical analytical faults, it is hard to deny that Cyber is still increasing in overall popularity on the world’s geopolitical stage.

Some say that this ‘right to strike pre-emptively’ is a warning shot across the bow of China, but it cannot be said that it is a timely revelation in any respect. After all, not having formally asserted this right to strike pre-emptively did not deter the cyber attack against Iran’s nuclear enrichment facilities in Natanz, which was devised during the Bush Jr. administration but was executed under Obama. A cynical view might take that to mean that not one, but two separate administrations had already asserted that right years before. Also, even though it was never confirmed officially, the Washington Post published an article in 2012 that claimed Flame, a piece of malware dubbed the successor to Stuxnet, was also developed by the US government years before, and launched against Iran in roughly the same period of time, also with the intent of slowing down Iran’s nuclear enrichment program.

What makes this all especially interesting is the recent publication of the Tallinn Manual on the International Law Applicable to Cyber Warfare, as commissioned by NATO’s Cooperative Cyber Defence Center of Excellence in Estonia. Its lead author, Michael D. Schmitt, is also a professor of international law at the US Naval War College in Newport. In a recent interview with the Washington Times, professor Schmitt revealed that the collective of authors who worked on the Tallinn Manual were of the opinion that the Stuxnet attack was indeed an Act of Force. The relevant wording: “Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force”. This is significant because it means that in the opinion of the world’s leading legal minds on Cyber Law (led by an American, no less), Iran has a legitimate legal reason to declare war against the United States. I should point out that the reverse is not the case, even if Iran is actively seeking nuclear weapons (which does seem likely, seeing as how it would level the geopolitical playing field for them).

Given the already volatile nature of the Middle East as a whole, you’d have to wonder if cyber weapons are a blessing or a curse. The threshold to their use seems to be significantly lower than that of kinetic means, but this, in turn, may quickly give legitimate claim to escalate matters into the kinetic spectrum. Whatever else may happen, on this front it will be a most interesting decade.

“Threat of cyber war is overhyped” – Bruce Schneier

This month’s Ostrich Award would have to go to Bruce Schneier for his opinion piece on CNN.com. In it, he states that he’s seeing a power struggle in the US government about who’s in charge of Cyber Security. In a surprisingly anti-establishment departure from his normally so levelheaded approach, he surmises that there’s some kind of gold rush going on that the Military is winning. By continuously beating the war drums, says Schneier, the Internet may become militarized, and we can infer from this rhetoric that “citizens lose” when that happens. However, what he’s really seeing is the various branches of the armed forces rushing to finally defend the networks they were already supposed to be defending.

His article quotes people like Richard Clarke, General Keith Alexander and NSA Director Mike McConnell who, according to Schneier, have all been actively hyping the dangers of cyber war just to get a leg up for their respective agencies. In a dangerous demonstration of sticking one’s head firmly in the sand, he goes on to point out that what we’ve seen so far is nothing but a little cyber espionage and little kids playing ‘hackerz’ on the internet. Sadly, by doing so he is dismissing the overwhelming evidence out there of state-level involvement by multiple countries in the planting of logic bombs in national power grids (not just in the US), in what is seen by the military as ‘preparing the battlefield’. He also essentially dismisses cyber espionage being an act of war because we can’t properly attribute it, even though we’re seeing a massive exfiltration of data in virtually all fields (military, commercial and political). No reasonable person would consider it a minor infraction if this had been done by spies in the field, attributed or not. Apparently, the fact that it’s ‘only digital’ espionage makes it harmless.

Schneier concludes that this whole beating of the war drums reinforces the notion that we’re vulnerable. Well yes, Bruce, have you considered that this might be because you are? Really, you should do a little more research about discovered breaches into armed forces networks (SIPRNET et al) and critical infrastructure networks before writing this stuff. There are tons of articles out there that would further discredit your opinion piece on CNN. You could also go ahead and pick up a few books like Richard Stiennon’s Surviving Cyber War or Jeffrey Carr’s Inside Cyber Warfare. Hell, even Richard Clarke’s Cyber War contains some interesting stuff that you can actually go out and validate yourself.

If nothing else, you could go by the notion that if something is possible, you can bet that someone is doing it.