Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (58 page)

BECAUSE THE GOVERNMENT’S
cyber operations are so heavily classified, it’s not clear what kind of oversight—by the military or by lawmakers—currently occurs to prevent mishaps, or what kinds of investigations, if any, are conducted after mishaps occur.

Hayden says the oversight is extensive. “When I was in government, cyberweapons were so over-watched, it was my view it would be a miracle if we ever used one.… It was actually an impediment getting in the way of the appropriate and proper use of a new class of weapons, it was so hard to get consensus.”

But in 2009, long after Stuxnet had already been launched against systems in Iran, the National Academy of Sciences wrote that the “policy and legal framework for guiding and regulating US cyberattack capabilities was ill-formed, undeveloped, and highly uncertain.”
⁴⁸
Despite a decade of cyberoffensive planning and activity, little had been resolved regarding the rules of engagement for digital warfare since the first task force had been created in 1998.

The Pentagon and White House finally took steps to address this in 2011—more than three years after Stuxnet was first launched—when the Defense Department reportedly compiled a classified list of all the cyberweapons and tools at its disposal and began to establish a long-overdue framework for how and when they could be used.
⁴⁹
The military regularly
compiled a list of approved conventional weapons, but this was the first time cyberweapons were included on the list, a senior military official told the
Washington Post
, calling it the most significant development in military cyber doctrine in years.

Then in 2012, the president signed a secret directive establishing some policies for computer network attacks, the details of which we know about only because Edward Snowden leaked the classified document.
⁵⁰
Under the directive, the use of a cyberweapon outside a declaration of war requires presidential approval, but in times of war, military leaders have advance approval to take quick action at their discretion. Digital attacks have to be proportional to the threat, as well as limit collateral damage and avoid civilian casualties—parameters that still leave the military a lot of discretion.
⁵¹
Any digital operation that could disrupt, destroy, or manipulate computers or is “reasonably likely to result in significant consequences” also requires presidential approval. Significant consequences include loss of life, damage to property, and serious economic impact, as well as possible retaliation against the United States or adverse effects on foreign policy.

Presidential authorization is also required to plant a logic bomb in a foreign system or a beacon marking it for later attack. But is not needed for espionage operations that are conducted for the sake of simply collecting data or mapping a network, unless the operation involves a worm or other malware that could spread. Notably, before taking action, the military has to weigh the possible effects an operation might have on the stability and security of the internet, and whether it would establish unwelcome norms of international behavior. Though some might argue that Stuxnet and Flame had already violated this guideline and established unwelcome norms of behavior, Herbert Lin, a cybersecurity expert with the National
Research Council, points out that all the directive says is that military leaders have to ask questions about whether an operation might establish unwelcome norms, not that they can’t proceed with it anyway. “Establishing an undesirable norm may in fact have been a price they were willing to pay to set back the Iranian nuclear program,” he says of Stuxnet and Flame.
⁵²

The presidential directive addresses only the
military’s
use of digital operations, however. A list of exceptions in the document excludes intelligence agencies like the NSA and CIA from it, as well as law enforcement agencies like the FBI and Secret Service. And although it establishes broad ground rules for conducting offensive military cyber operations, it does not address questions that are raised when the United States is faced with responding to a digital attack. In 2011, Pentagon officials took at least one step in this direction when they announced that any digital attack against the United States that took out portions of the electric grid or resulted in casualties would be considered an act of war and receive the appropriate response—even a kinetic military response, if the situation called for it, using “all necessary means.”
⁵³
In other words, as one military official put it, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
⁵⁴
At least they didn’t assert, as the Joint Chiefs of Staff did in a statement of doctrine in 2004, that the United States reserved the right to respond to some cyberattacks with nuclear weapons. That wording has disappeared in subsequent statements of doctrine from the Joint Chiefs, Lin points out, but members of the Defense Science Board apparently hoped to revive it when they asserted in 2013 that the United States should not rule out a nuclear response. It’s probably a good thing that the Science Board is just an advisory group and has no say in policy.

Though the Snowden leak of the presidential directive hints at some of the questions the government has been asking internally about these issues, the public still has little understanding of what questions have been answered and which are still unresolved. Lin says that for the sake of transparency there are important conversations that could be made public without compromising classified operations. “We could in fact get into a discussion about what is possible without saying what the US is actually doing,” he says. It would also be possible for US Cyber Command and the NSA to provide examples of circumstances under which they would use cyberweapons, or explain the circumstances under which they hoard information about zero-day vulnerabilities versus when they might allow disclosure of information about a security hole to get it fixed. And it would be important to know, at the very least, where the government draws the line in compromising trusted systems that are critical to the integrity of the internet—if it draws a line at all.

“Senators and congressmen need to be educated about this,” Lin says, not to mention the public. “And there ought to be an accounting somewhere about all the cyberattacks that the US conducts for any purpose … that tells you what was attacked and under what circumstances.… It can be classified, but at least it would give the first step toward better understanding what the US is actually doing.” Lawmakers like Rep. Mike Rogers (R-MI) insist that Congress
has
held private discussions on the government’s cyber activities. But so far, Capitol Hill has shown little interest in holding even basic
public
discussions about the government’s offensive operations.

“I do believe without question there needs to be a full conversation about doctrine and there needs to be a full conversation about rules of engagement,” Air Force general Robert Kehler, the current head of US Strategic Command, said in 2011, before the presidential directive was signed. “I can’t say all of that needs to be in the public domain.”
⁵⁵

AS THE UNITED STATES
and other countries beat the drum of cyberwarfare, it’s not just policy questions that are still unanswered, however. Many of the legal questions around digital operations are still unresolved.

Some, like Kaspersky Lab founder Eugene Kaspersky, have called for a cyber arms treaty to control the proliferation of digital weapons and set norms for their use. But as noted previously, there are obvious problems with trying to control the stockpiling of nonphysical weapons. Governments can sign treaties to halt the proliferation of nuclear weapons and use satellite imagery and UN inspectors to track the movement of nuclear materials. But satellites can’t track the movement of illicit digital weapons, nor can custom inspections catch the smuggling of malicious code across borders. Nor can anyone monitor all of the rogue players who might emerge to exploit the vulnerabilities in critical infrastructure systems that Stuxnet exposed.

As for developing new laws to govern the use of cyberattacks by nations, the consensus among legal experts seems to be that existing laws of warfare will work just fine—it’s just that new interpretations of these laws need to be developed to address cyber.

In 2013, a group of twenty international legal experts convened by a NATO-related institute attempted to do just this. The result was the three-hundred-page
Tallinn Manual
, designed to help military legal advisers in NATO member states develop cyber doctrine for their armies.
⁵⁶
But despite the manual’s length, it left many questions unanswered. The experts found that while some attacks in cyberspace have clear parallels to conventional attacks in physical space, others are murkier.

Under the UN Charter’s Law of Armed Conflict, for example, they determined that hacking the control system of a dam to unleash water into a valley was the equivalent of breaching the dam with explosives.
And launching an attack from a proxy system located in a neutral country would be prohibited in the same way that an army couldn’t march through a neutral country’s territory to invade an enemy. They also determined that an attack had to cause physical or personal damage to qualify as an act of force—simply erasing hard drives, if it didn’t result in physical damage or injury, didn’t qualify. But what about an attack on Wall Street that damaged a nation’s economy or aimed to do so? Here they found the legal waters less clear. Some of the experts believed such an attack qualified, while others were less convinced.

The experts also made a distinction between an act of force and an armed attack. Though the latter is considered more serious, it’s not clearly defined. It’s generally interpreted to refer only to the gravest uses of force, which are judged by the effects the attack has. Under Article 24 of the UN Charter, nations can respond to an act of force only with nonforceful countermeasures—such as applying economic sanctions or cutting off diplomatic ties with the offending nation.

Under Article 51, however, every state has the right to defend itself with lethal force—individually, or collectively on behalf of allies—if it or an ally suffers an armed attack, as long as the response is necessary and proportional to the initial attack and occurs while the threat of the original attack is ongoing or there is a threat of a future attack. As for what
level
of damage qualifies as an armed attack, and therefore justifies a lethal response—it’s up to the victim to determine the threshold and defend its decision to the United Nations.
⁵⁷
But what about an attack that
is intended to cause great harm but fails to achieve it? A missile launched by one nation against another that gets diverted by a Patriot missile is still an attempted armed attack. Would the same hold true in the cyber realm? Catherine Lotrionte says no, since the effect of the attack is what matters, not the intent. But Gary Brown, senior legal adviser to the US Cyber Command from 2010 to 2012, says it likely
would
be considered an armed attack “if you can make an argument [with evidence] that it was going to have a kinetic effect.”
⁵⁸

And what about espionage? Under international law and US policy, espionage is not an act of war. But since espionage could be the prelude to a destructive attack, as it was with Stuxnet and the spy tools the attackers used to collect intelligence for that operation, could the discovery of spy tools on a system indicate an intention to conduct an armed attack? Under current doctrine, an armed attack has to be current or imminent to merit a lethal use of force in response, but what determines imminence? After 9/11, the United States asserted that the invasion of Afghanistan was an act of self-defense, under Article 51, since the country was housing al-Qaeda leaders who were believed to be planning additional strikes against the United States.

One thing the
Tallinn
experts did agree on unanimously was that Stuxnet was an act of force that likely violated international law. They were split, however, on whether it constituted an armed attack. As an
armed attack, Iran would have been within its rights to defend against the digital onslaught with a counterstrike—digital or kinetic—as long as it was proportional to the damage Stuxnet caused and occurred while the attack was ongoing. Once the attack subsided and there was no impending threat to the centrifuges or threat of another impending attack—that is, once the weapon was discovered and defused—the proper response was diplomacy or some other nonforceful measure.

It’s important to note that official US policy, unlike the interpretation of the
Tallinn
experts, doesn’t distinguish between an act of force and an armed attack—the two are considered the same. Under this interpretation, then, Stuxnet was an illegal armed attack, and Iran could have made a case for responding in self-defense. It also means, though, that if someone were to use a weapon like Stuxnet against the United States, the US government would consider it an armed attack, something Lotrionte says concerns her.
⁵⁹