The Blog

Does Stuxnet Mean Cyberwar?

If so, are we ready?

5:30 PM, Oct 4, 2010 • By LEE SMITH
Widget tooltip
Single Page Print Larger Text Smaller Text Alerts

Not every nation with a cyberwar program is concerned with these same issues, and since there is as yet nothing like a Geneva conventions applicable to cyberspace, each country’s program will reflect the character of their intelligence services. A clandestine service that aggressively collects against its rivals, and friends, will also be aggressive in cyberwarfare. The Germans have advanced capacities, but very few cyber-security experts believe they could have had anything to do with Stuxnet — and not just because Siemens, which manufactured the SCADA systems the worm was designed to attack, is a German company. For obvious historical reasons, the Germans are relatively restrained in their clandestine work.

The Russians are famously not so restrained. Indeed, the Russians were responsible for what were, before Stuxnet, the two most famous CNAs, or Computer Network Attacks – first against Estonia in the spring of 2007 and, prior to that, during their short war against Georgia in the summer of 2008. The other most publicly aggressive cyberwar program is China’s, which has engineered some of the most daring acts of espionage or CNEs, Computer Network Exploitations that have proved embarrassing for their victims, like the penetration of the Pentagon in 2007.  

Despite Russia and China’s formidable resources, the U.S. is still at the top of the list in cyberspace, says Hayden. “Last year the D.C.-based think-tank Center for Strategic and International Studies asked a bunch of people from around the world, ‘who do you fear most in cyberspace?’ And the number one answer was the U.S. I surmise they recognize the United States has powerful intelligence agencies, including the NSA, the CIA and others.”

U.S. Cyber Command, based in Ft. Meade, Maryland, is a sub-command of U.S. Strategic Command and directed by Gen. Keith B. Alexander, former director of the National Security Agency. USCYBERCOM collates the efforts of the Army, Navy and Air Force, but a joint project like this might not be the best of ideas. The Air Force argues that they should control cyber because it’s part of the “air,” not as strange a rationale as it might seem at first. In fact, a useful analogy is to think of the intra-service fight over cyber as similar to the battle over air power more than a half a century ago. Before the creation of the Air Force, the existing service branches had their own air wings, all of which served different purposes. For the army, air power was primarily tactical – e.g., providing cover for infantry units; for the navy, it was more strategic, serving as another asset in a blue-water navy’s efforts to project power anywhere in the world. Whoever got to own air power got to define it, and the same holds for cyber – to unite these different services with their different needs and ideas under one command is like putting a tent over a steel-cage match, and an increasingly costly one at that.  

Some estimates suggest that the cost of cyberwar will eventually wind up somewhere close to 10 percent of the defense budget, a figure that might have seemed steep two weeks ago, but maybe less so after Stuxnet. We want to be able to defend our own systems against similar attacks, or even worse ones. “You hear people say, ‘no one would bring the financial system down,’” says Stewart Baker, George W. Bush’s former assistant secretary for policy at the Department Homeland Security, and author of Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism. “It’s wishful thinking to believe we all have an interest in the survival of the existing system. Obviously it’s not good for us if the system goes down, but maybe someone else sees it differently. Maybe the calculation is that while it hurts them, too, it will only hurt them for a year or so, while it sets us back a century. That’s a bargain some countries might be willing to make.” 

Recent Blog Posts