Stuxnet and Collateral Damage
Stuxnet and blowback.
When I first heard of the Stuxnet worm disrupting Iran's nuclear infrastructure I thought it was rather clever: why bomb their sites, with all the attendant risks and geopolitical fallout, when you can foul it up in cyberspace (also assuming that either Israel or the U.S. or a similarly concerned party was the culprit). It seemed like a relatively clean operation with little collateral damage. But NPR's Tom Gjelten quotes cyber-security analyst Stephen Spoonamore to the contrary:
The Stuxnet story raises the question of what the consequences of using a cyberweapon might be. Maybe Pandora's box has been opened — this weapon, or one modeled after it, could soon come back in even more dangerous form. Security experts call this "blowback."
Some experts are convinced the Israeli government developed and used the Stuxnet worm as a weapon, to disable a nuclear plant in Iran.
After all, hitting the nuclear plant with a 500-pound bomb would have produced far more collateral damage than attacking it with a cyberweapon, right?
Spoonamore is not so sure. "Compared to releasing code that controls most of the world's hydroelectric dams or many of the world's nuclear plants or many of the world's electrical switching stations? I can think of very few stupider blowback decisions," he says.
In this light, Philip Maxon at Arms Control Wonk offers related questions:
In moving forward with discussions on the Iranian nuclear program, the Stuxnet virus may provide analysts another variable in calculating possible deterrence and containment with Iran. If it is a cyber attack weapon, what are its implication on military strategy? On diplomatic strategy? Is an attack fully untraceable, or can Iran attribute an attacker? How would Iran respond to a cyber attack on its nuclear facilities? Would Iran immediately assume Israel or the U.S. launched an attack even if both did not launch the virus? All are interesting questions looking forward.
Indeed. At a minimum, it seems to me that any nation that engages in offensive cyber warfare should be equally diligent about preparing for payback in kind.