By now almost everyone has read David Sanger’s fascinating New York Times story relating the behind-the-scenes account of the development and deployment of the Stuxnet virus as part of a larger classified program known as “Olympic Games.” Others, including my colleagues Jack Goldsmith and Matt Waxman, have already remarked on the seeming breach of classification. In this post, however, I want to look at the substance of the story and spend some time thinking about what it tells us about cyber capabilities and about the state of the law relating to the cyber domain.
To begin with, in drawing any conclusions, we have to start with the assumption that the story is accurate. That may, of course, not be the case – and certainly is less likely to be the case when the actors are speaking of their motivations and conclusions. But the article is an amazingly detailed and well-researched piece of journalism and, as to the factual matters it reports, I think it is safe to start from a presumption of accuracy (albeit recognizing the limits of that presumption). With that in mind here are a few thoughts prompted by the detailed Stuxnet revelations:
Reconnaissance and the Title 10/50 Question – My first impression is that the Olympic Games program looks remarkably like a kinetic world analog. The early stages of the program began with reconnaissance and surveillance – exactly as a military action might. It is essential to know how your target is defended and what the “geography” of the battle space is, and by Sanger’s account that is precisely how the effort to penetrate Iranian cyber systems began. Indeed, though the connection was not made in the article, one has a sneaking suspicion that the newly discovered FLAME intrusion (which was, in essence, an information harvester) might well have been part of the precursor program to the Stuxnet intrusion.
Which raises a fascinating question – who conducted the reconnaissance program? The Times article makes clear that both Leon Panetta (the then-head of the CIA) and General James Cartwright (the then-Vice Chair of the JCS) were involved in Olympic Games. But which had the lead? In the kinetic world, some of the reconnaissance takes the form of espionage. In other cases it may be conducted by covert military units whose job it is to assess and prepare the battlefield. As Bobby Chesney has written, the Title 10/Title 50 distinction makes a great deal of difference from a domestic perspective. He focused on whether FLAME (or whatever other Olympic Games program did the reconnaissance in this case) might be an intelligence collection action or a covert operation. For myself, I also want to know if it is a military operation or civilian. I would be absolutely fascinated to know how the Olympic Games program was structured. Was it called an intelligence program to avoid the covert action notification requirements? If it was covert and notification was provided, what was the Congressional reaction when notified? Or was it deemed a military operation that went through the chain of command at Cyber Command?
Armed Attacks – Then of course, there is Stuxnet itself. Was it an armed attack? One question I ask my students is to imagine themselves as the principal legal adviser to the Iranian government. What would be the answer if, I ask, you were asked by the Supreme Leader whether Iran could lawfully deem the Stuxnet intrusion a use of force that implicated Iran’s UN Charter rights of self-defense against armed attacks?
Given the new details in Sanger’s report it is increasingly difficult to argue that the intrusion was not a use of force. Sanger reports how the virus actually destroyed pieces of a centrifuge from the pseudo-Natanz test bed that were displayed in the situation room. Under any reasonable construction of international law, the use of weapons that are intended to have destructive kinetic effect is likely to constitute an armed attack. Of course the defending state does not have to respond (as the South Koreans did not when an artillery attack on one of their islands occurred), but I have to wonder what the international legal community’s reaction will be if Iran responds in kind with a virus intrusion of, say, the Dimona reactor in the Negev and invokes its right of self-defense as a justification.
Accuracy of Targeting – On an operational level, one of the most striking things that comes out of the Times report is the remarkable accuracy of the targeting. Most of the commentary that has already been written has focused (and should focus) on the coding error (if it really was an error) that eventually released Stuxnet into the wild. But a closer reading suggests that the bigger story is about how precise the weaponry actually was. From the opposite perspective it is quite instructive how long that mistaken release took to occur and how little actual physical damage (as opposed to “mere” infection) resulted from the release. There was, it seems, very little collateral damage of non-combatant targets. Indeed, the Stuxnet story serves to confirm what some of the Cyber Command experts have been saying for a while – that very precise weapons can be developed, but that it takes time.
Necessary Sophistication – It is also striking, however, how deeply sophisticated the reported effort to attack the Iranian system was. It appears to have taken as many as 4 years to achieve and involved a number of intrinsically difficult steps – beginning with an understanding of the German SCADA operating system; then the installation of beaconing software to track the installation; next came a sophisticated reconnaissance program to collect information and develop an operational picture; yet another aspect of the program had to covertly exfiltrate the data from Iran without being detected; then the data had to be analyzed in a way that allowed the development of the attack virus; the virus had to be tested on a specially-constructed test bed and refined; after development, an infiltration method had to be identified and, through covert espionage (we assume), an infected thumb drive had to be put in the hands of an appropriate set of Iranian engineers; and finally, of course, the virus had to work as designed and covertly destroy Iranian centrifuges.
This is not the work of an unsophisticated hacker. Nor is it an effort that (at least today) is within the capability of a non-hierarchical group of hacktivists like Anonymous or LulzSec. It was (apparently) a 4-year challenge for a very sophisticated nation state. This is, it seems to me, a significant data point for policy makers because it suggests that on the current state of play a “cyber war” involving a real world attack on critical infrastructure (whether our own or that of our enemies) is difficult to accomplish and will almost certainly be the product of a peer nation state like China or Russia. The difficulty in developing Stuxnet argues, therefore, that cyber war with China – that is real cyber war with kinetic effects, not the massive cyber espionage intrusions that are occurring – is about as likely as a real kinetic war with China.
Regulation – Finally, I want to relate this to the discussion that I’ve been having with Jack Goldsmith about the need for and advisability of Congress authorizing a regulatory system for cybersecurity. Color me even more skeptical now. The principal ground for arguing in favor of greater government regulation has always been the vulnerability of our SCADA systems that control critical infrastructure to outside attack. Even granting the point, it now turns out that the first (worst?) offender in exploiting SCADA vulnerabilities is our own government. And yet, after creating the problem, it now turns around and argues for a regulatory role in fixing the problem. As Jay Healey of the Atlantic Council said in a different cyber forum: “The arsonist is arguing for better fire codes…”