Secret Cyber Wars Are Here To Stay

0
711


Stuxnet: Anatomy of a Computer Virus from Patrick Clair on Vimeo.
This article is the first in a collaboration between the Harvard Political Review and the Harvard College Tech Review designed to jointly publish the best collegiate writing at the intersection of technology and politics. Visit the HCTR here.
The Duqu worm, recently discovered in Iran and reported to resemble last year’s Stuxnet attack, which exploded Iranian nuclear facilities, may be a brilliant tactical move by the United States and Israel that damages Iran’s nuclear program at low cost. At the same time, Duqu raises deeply troubling questions about the future of public control over foreign policy. As a recent article shows, ordinary citizens cannot even find the facts about ongoing cyber conflict in the pages of The New York Times. It seems plausible that the United States is connected to the worm, but no one can say so for certain.
David Sanger’s account in the Times avoids clearly stating the situation. It does not mention Duqu by name, and relies on information from an American official who denies American involvement in Stuxnet: “Some recently discovered new computer worms suggest that a new, improved Stuxnet 2.0 may be in the works for Iran. ‘There were a lot of mistakes made the first time,’ said an American official, avoiding any acknowledgment that the United States played a role in the cyber attack on Iran. ‘This was a first-generation product. Think of Edison’s initial light bulbs, or the Apple II.’” This coverage leaves readers guessing at the nature of the new worm and confused about their government’s foreign policy.
Duqu shares many lines of code with the earlier Stuxnet attack. The new worm, however, does not attack industrial equipment but instead spreads via Microsoft Word email attachments, and seems mainly aimed at data mining. Given Duqu’s sophistication and resemblance to Stuxnet, which is widely thought to have been written by the United States and Israel, some security experts have concluded that the American government is probably also behind the new worm.
In some ways, a computer worm is an ideal way to stymie the Iranian nuclear program. A conventional military attack might be disastrous, and the United States excels at cyber offense.
But Stuxnet and Duqu may usher in a new era of constant cyber conflict that could be devastating in the long term for the open and wired United States. America’s enemies may reverse engineer Stuxnet and create a weapon that could threaten the United States. The long-simmering struggle between the United States and Iran is intensifying, and cyber weapons could escalate the conflict. As Sanger writes, “Not surprisingly, the Iranians are refusing to sit back and take it — which is one reason many believe the long shadow war with Iran is about to ramp up dramatically.” The anonymous nature of the Internet and the supremacy of cyber offense over cyber defense make attacks more likely.
Though possibly brilliant as military strategy, Stuxnet and Duqu may threaten American democracy. Most Americans know nothing about cyber security, and their government, which refuses to acknowledge creating Stuxnet, is not teaching them anything. Ideally, foreign policy would be carried out with public oversight, but the new shadowy world of perpetual cyber conflict makes that impossible. Essentially, important battles are now being fought in secret.
A tour of the blogosphere reveals the problems cyber conflict poses for public dialogue. Through Google, one can find the opinions of numerous cyber security experts on Duqu. But for an ordinary citizen, it would hard to know whom to trust. Cyber security firms, many of which are little-known, offer readers analyses that are conflicting and speculative. Does Duqu resemble Stuxnet? Are the United States and Israel behind the attacks? Is the purpose of the worms to destroy the Iranian nuclear program? The answer to all three questions may be yes. But citizens will not easily find any certain truths on the web, or, as shown above, in the Times.
Americans should be both scared of what Stuxnet and Duqu may herald and grateful for the power of their government’s cyber offense. Concerned citizens ought to press the United States to become more transparent about its foreign policy choices, to ensure civilian control over cyber security, and to invest not only in cyber offense but also in cyber defense. If we prepare well enough, we may be able to stop the Iranian nuclear program while defending our own cyber infrastructure.