Cyber Conflict After Stuxnet

The Cyber Conflict Studies Association (CCSA) recently published Cyber Conflict After Stuxnet: Essays from the Other Bank of the Rubicon. Stuxnet, of course, was the name given to the malware that was designed to damage the centrifuges at Natanz and thus slow down Iran’s nuclear program. The ability of digital code to produce physical effect had long been predicted and had been produced under controlled circumstances.With Stuxnet, it had happened “in the wild.” The Rubicon in the subtitle is a reference to a quote from General Michael Hayden, former director of the NSA and CIA, on the new era of international relations and national security that was emerging after the attack became publicly known:

Somebody has crossed the Rubicon. We’ve got a legion on the other side of the river now. I don’t want to pretend it’s the same effect, but in one sense at least, it’s August 1945.

In the book, Merritt Baer, Chris Demchak, Catherine Lotrionte, Tim Maurer, P.W. Singer, Timothy Thomas and several other cyber and regional specialists describe what this new territory might look like. Essays explore how Stuxnet has shaped domestic and international law; influenced the debate over Internet governance and confidence building measures; and provoked strategic responses from U.S. friends and allies as well as potential adversaries.

While fully acknowledging the technical sophistication of Stuxnet, my introduction struggles with how radically different the other bank of the Rubicon is. Perhaps the most widespread but difficult to quantify impact of Stuxnet is the expansion of the “art of the possible.” While many would have speculated that a successful attack on industrial control systems was possible before Stuxnet, the digital assault on Natanz involved the creative and ambitious use of zero-days and new techniques in eye-opening and imagination-expanding ways. With creativity and enough resources, anything looks possible.

But what are the long term implications for international relations? At the national level, countries have been turning their attention to the development of doctrine, policies, and institutions necessary for cyber offensive operations. They have also continued the process of deterring, defending, and recovering from attacks. At the international level, discussions about norms and rules of the road are occurring at numerous multilateral, regional, and bilateral venues. I wonder, however, how much of this activity is motivated by Stuxnet and how much of it is a reaction to the unrelenting pace of all types of cyberattacks in general and the Edward Snowden revelations, in particular? It is not that Stuxnet is not important, it is just not singular.

I hope you have a chance to pick up the book, and you’ll let the CCSA and me know what you think of it.