The revelations on Stuxnet and Flame have increased discussions about the nature and meaning of cyber-war. I cannot refrain from a touch of self-promotion. An article I co-wrote with RPI’s new Computer Science Chair Jim Hendler called this one shot-by-shot.
There will and needs to be a long and complicated discussion on cyber-strategy. The discussion will combine elements of the discussions on nuclear strategy – but also with discussions (still loudly ongoing) about the proper responses to terrorism. In a rather profound sense, these discussions may be as significant as the discussions on nuclear strategy that began decades ago. While cyberstuff does not have the same sheer apocalyptic quality that nuclear issues do – it has quickly begun to pervade every corner of life in modern developed societies. There is some theoretical discussion of terrorist groups acquiring nuclear weapons. But terrorist groups face a number of issues acquiring and deploying nuclear weapons.
Everyone is playing in the cyber terrain. This is not to say that cyber-weapons are magic equalizer for terrorists and weaker states. Developing a cyber-weapon, while not cheap, is doable for terrorists and certainly for small nation-states. One estimate suggests that the cost of developing Stuxnet was about $1 million. Even if that figure is off by a factor of dozens, it is a level of resources that CAN be acquired by a non-state actor and any nation-state. It is tiny compared to the billions needed to develop even a modest nuclear program. However, the real cost of Stuxnet was the careful targeting and delivery. Reportedly Israeli intelligence built mock targets in order to make sure Stuxnet worked properly and then had to get the virus into an air-gapped network. This is the part that would be expensive. Malefactors may choose to attack less guarded systems (such as civilian infrastructure) but then there is the risk that the attack will not achieve much. Causing a blackout in part of a country – while a huge inconvenience – may not further the attackers strategic objectives.
Nonetheless, there are a number of offensive actions possible in cyber-space that have to be considered and managed. Vandalism, crime, and espionage all cross national borders quickly, are difficult to trace and could potentially be provocative. The need to establish rules of the road so that these issues do not spark wars is tremendous. At the same time, major initiatives need to be taken in order to limit these lower level cyber-issues. While they may not be immediate national security issues, they denigrate the utility of the Internet overall – and maintaining the security and viability of this now ubiquitous and ultimately beneficial system is a matter of global security.