After last week, policymakers and analysts of cyberspace are hoping to catch their breath. On Monday, Russia-based antivirus firm Kaspersky Lab announced that it had discovered Flame, a sophisticated piece of spyware most likely designed by a state actor, that targeted computers in Iran and throughout the Middle East. A few days later, The Washington Post reported on the Defense Advanced Research Project Agency’s Plan X, which includes research programs to map cyberspace and others to develop operating systems that will allow for defense and counter attacks. And then to close an already eventful week, The New York Times reported that President Obama ordered joint U.S.-Israeli cyberattacks—code-named Olympic Games, but popularly known as Stuxnet—on Iran’s nuclear program.
Much remains uncertain. As is often the case after these types of announcements, there has been push back over how sophisticated or new Flame really is. Some have suggested that Kaspersky Lab, working with the ITU, has hyped the threat in order to push a cyber arms control treaty and to promote a more state-centric vision of Internet governance, one more aligned with Moscow’s (and Beijing’s) desire to shift management of cyberspace to the UN.
The political and strategic implications of Stuxnet’s public reveal are also unknown. Many have noted the potential for blowback. As the most vulnerable economy, the United States has the most to lose. Moreover, now that the genie is out of the bottle, other states can use the attacks on Iran to justify their own cyber operations. Or as RT put it: "Pioneering such operations would give other countries and power groups a justification to target America."
The risk of blowback, at least from state actors, is overstated. Long before Stuxnet, Chinese and Russian military analysts considered the vulnerability of and efficacy of computer network attacks on U.S. critical infrastructure. The U.S. is no more vulnerable now then it was before The New York Times article, and the Russian and Chinese political and strategic calculus of the risks and rewards of an attack are similarly unchanged.
No doubt that U.S. diplomats are going to have to grit their teeth for a while as they listen to lectures from their Chinese and Russian counterparts about the hypocrisy of calling for international norms of responsible behavior in cyberspace while unleashing the first documented case of cyberattack. But these same diplomats assumed they have been suspicious of that endeavor from the beginning. Last year, a Chinese official told me that the United States was promoting norms, instead of treaties, so as to maintain its freedom of maneuver and limit Beijing’s.
The fall-out is going to be much worse with India, Brazil, and South Africa. These democracies are uncomfortable with China’s model of Internet censorship but also suspicious of the U.S. preference for a multistakeholder model of Internet governance. After Stuxnet, the U.S. will have to work harder to convince these emerging Internet powers that their interests are served by the status quo.
While the risks of leaking the Stuxnet story have so far been overplayed, there is still little positive that comes from the article. There is a great risk in the lack of transparency surrounding cyber weapons—what are legitimate targets, who is responsible for an attack, when does an attack constitute a use of force? The article could create a public discussion of Stuxnet and force policymakers to address some of these questions. That discussion unfortunately appears unlikely to happen. The motivations for the leak seem less to bring clarity to an emerging area of conflict and more about domestic politics and the President’s stand on Iran.