Abstract

Stuxnet, the computer worm which disrupted Iranian nuclear enrichment in 2010, is the first instance of a computer network attack known to cause physical damage across international boundaries. Some have described Stuxnet as the harbinger of a new form of warfare that threatens even the strongest military powers. The influential but largely untested Cyber Revolution thesis holds that the internet gives militarily weaker actors asymmetric advantages, that offense is becoming easier while defense is growing harder, and that the attacker's anonymity undermines deterrence. However, the empirical facts of Stuxnet support an opposite interpretation; cyber capabilities can marginally enhance the power of stronger over weaker actors, the complexity of weaponization makes cyber offense less easy and defense more feasible than generally appreciated, and cyber options are most attractive when deterrence is intact. Stuxnet suggests that considerable social and technical uncertainties associated with cyber operations may significantly blunt their revolutionary potential.

This article is part of the following collections: A Decade of Nuclear Scholarship in Security Studies

Acknowledgments

Jon R. Lindsay is an assistant research scientist with the University of California Institute on Global Conflict and Cooperation (IGCC), located at UC San Diego. He holds a PhD in political science from the Massachusetts Institute of Technology, an MS in computer science from Stanford University, and he has served as an officer in the US Navy. He would like to thank Erik Gartzke, Robert Giesler, Brendan Green, Tim Junio, Sean Lawson, Carrie Lee Lindsay, Charles Perrow, Joshua Rovner, and the editors and anonymous reviewers at Security Studies for their valuable comments and advice on previous drafts.

Notes

The original announcement of “Rootkit.TmpHider” was posted by Sergey Ulasen of VirusBlokAda on an information security forum on 12 July 2010, http://www.anti-virus.by/en/tempo.shtml. For an accessible account of Stuxnet's discovery see Kim Zetter, “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History,” Wired Threat Level Blog, 11 July 2011, http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet. Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho, “Stuxnet under the Microscope,” ESET, white paper, 20 January 2011. The dubious honor of “most sophisticated malware” has perhaps passed to a Stuxnet relative named Duqu or to the Flame spyware (which is twenty times the file size of Stuxnet). Mark Clayton, “Stuxnet Malware Is ‘Weapon’ Out to Destroy … Iran's Bushehr Nuclear Plant?” Christian Science Monitor, 21 September 2010. David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, 1 June 2012. William J. Broad, John Markoff, and David E. Sanger, “Israel Tests on Worm Called Crucial in Iran Nuclear Delay,” New York Times, 15 January 2011. Mark Clayton, “The New Cyber Arms Race,” Christian Science Monitor, 7 March 2011, (“cyber equivalent”). In the vein of “a new era of warfare,” the cover of the 3 July 2010 edition of The Economist depicted a digitized mushroom cloud. “Stuxnet: Computer Worm Opens New Era of Warfare,” Transcript, 60 Minutes, CBS News, 4 March 2012. “Russia Says Stuxnet Could Have Caused New Chernobyl,” Reuters, 26 January 2011. Sanger, “Obama Order.” Arguments for the Cyber Revolution thesis by former senior US officials include Mike McConnell, “Cyberwar is the New Atomic Age,” New Perspectives Quarterly 26, no. 3 (Summer 2009): 72–77; Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do about It (New York: HarperCollins, 2010); Joel Brenner, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (New York: Penguin Press, 2011). On Stuxnet as an RMA, see James P.
Farwell and Rafal Rohozinski, “Stuxnet and the Future of Cyber War,” Survival 53, no. 1 (February-March 2011): 23–40; Joseph S. Nye Jr., “Nuclear Lessons for Cyber Security?” Strategic Studies Quarterly 5, no. 4 (Winter 2011); Paulo Shakarian, “Stuxnet: Cyberwar Revolution in Military Affairs,” Small Wars Journal (April 2011); Sean Collins and Stephen McCombie, “Stuxnet: The Emergence of a New Cyber Weapon and Its Implications,” Journal of Policing, Intelligence and Counter Terrorism 7, no. 1 (2012): 80–91. Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security, US Dept. of Defense, New York City, 11 October 2012, http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136. Barack Obama, “Taking the Cyberattack Threat Seriously,” Wall Street Journal, 19 July 2012. “Senate Select Intelligence Committee Holds Hearing on Worldwide Threats,” Defense Intelligence Agency, 31 January 2012, http://www.dia.mil/public-affairs/testimonies/2012-01-31.html. Adm. Mike Mullen, quoted in Marcus Weisgerber, “DoD to Release Public Version of Cyber Strategy,” Defense News, 8 July 2011. This is an astonishing claim coming from a man well familiar with the world's nuclear arsenals. James A. Lewis and Katrina Timlin, Cybersecurity and Cyberwarfare: Preliminary Assessment of National Doctrine and Organization (Washington, DC: Center for Strategic and International Studies, United Nations Institute of Disarmament Research, 2011). See inter alia, Nicholas Burns and Jonathon Price, Securing Cyberspace: A New Domain for National Security (Aspen, CO: Aspen Institute, 2012); Kristin M. Lord and Travis Sharp, America's Cyber Future: Security and Prosperity in the Information Age (Washington DC: Center for a New American Security, 2011); David J. Betz and Timothy C. Stevens, “Cyberspace and the State: Toward a Strategy for Cyber-Power,” International Institute for Strategic Studies (IISS) Adelphi Paper, no.
424 (2011); Paul Cornish, David Livingstone, Dave Clemente, and Claire Yorke, “On Cyber Warfare,” Royal Institute of International Affairs, Chatham House Report (November 2010); Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz, eds., Cyberpower and National Security (Washington, DC: National Defense University Press, 2009). Adam P. Liff, “Cyberwar: A New ‘Absolute Weapon’? The Proliferation of Cyberwarfare Capabilities and Interstate War,” Journal of Strategic Studies 35, no. 3 (June 2012); Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies 35, no. 1 (February 2011): 5–32; Martin C. Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND, 2009); Evgeny Morozov, “Cyber-Scare: The Exaggerated Fears over Digital Warfare,” Boston Review (July/August 2009); Myriam Dunn Cavelty, “Cyber-Terror: Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate,” Journal of Information Technology Martin C. Libicki, Conquest in Cyberspace: National Security and Information Warfare (Cambridge University Press, 2007); Gregory J. Rattray, Strategic Warfare in Cyberspace (Cambridge, MA: Massachusetts Institute of Technology (MIT) Press, 2001); Bradley A. Thayer, “The Political Effects of Information Warfare: Why New Military Capabilities Cause Old Political Dangers,” Security Studies 10, no. 1 (Autumn 2000): 43–85; Peter D. Feaver, “Blowback: Information Warfare and the Dynamics of Coercion,” Security Studies 7, no. 4 (Summer 1998): 88–120. On the direct technical effects of Stuxnet on Iranian computer systems, I draw on forensic investigation by computer security firms Symantec, ESET, and Langner Communications; Nicolas Falliere, Liam O Murchu, and Eric Chien, “W32.Stuxnet Dossier, version 1.4,” Symantec, 4 February 2011, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnetdossier.pdf; Aleksandr Matrosov, Eugene Rodionov, David Harley, and Juraj Malcho, “Stuxnet under the Microscope, version 1.31,” white paper, ESET, 20 January 2011, http://go.eset.com/us/resources/white-papers/StuxnetUnder_theMicroscope.pdf; Ralph Langner, “Stuxnet Attack Code Deep Dive” (presentation at Digital Bond SCADA Security Scientific Symposium (S4) in Miami, FL, 18–19 January 2012), http://www.digitalbond.com/2012/01/31/langners-stuxnet-deep-dive-s4-video; a synthesis of technical details accessible to lay readers and a detailed interactive timeline can be found in Zetter, “How Digital Detectives Deciphered Stuxnet.” To assess Stuxnet's indirect strategic effects on Natanz, I rely on International Atomic Energy Agency (IAEA) inspection reports (http://www.iaea.org/newscenter/focus/iaeairan/iaea_reports.shtml) and Institute for Science and International Security (ISIS) analyses of Iranian enrichment operations (http://isisnucleariran.org/). I supplement these with contemporary press reporting, particularly the New York Times’ David E. Sanger's path-breaking investigation of Olympic Games. For a detailed history of computerization in the American private and public sector, see James W. Cortada, The Digital Hand, 3 vols. (New York: Oxford University Press, 2004–2008). The “productivity paradox” debate over the relationship between IT inputs and firm performance has been resolved following clarification of the critical role of organizational structure and process; Erik Brynjolfsson, Lorin M. Hitt, and Shinkyu Yang, “Intangible Assets: Computers and Organizational Capital,” Brookings Papers on Economic Activity no. 1 (2002): 137–81. For a textbook introduction to technical cybersecurity, see Ross J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed. (Indianapolis, IN: Wiley Publishing, 2008). For a good introduction to offensive cyber operations, including attack/disruption and exploitation/theft, see William A.
Owens, Kenneth W. Dam, and Herbert S. Lin, eds., Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (Washington, DC: National Academies Press, 2009). Ross Anderson, Chris Barton, Rainer Bohm, Richard Clayton, Michel J. G. Van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, “Measuring the Cost of Cybercrime,” Proceedings of the Workshop on the Economics of Information Security (June 2012); Kirill Levchenko et al., “Click Trajectories: End-To-End Analysis of the Spam Value Chain,” Proceedings of the IEEE Symposium and Security and Privacy (May 2011): 431–46; Misha Glenny, DarkMarket: How Hackers Became the New Mafia (New York: Vintage, 2011); Cormac Herley and Dinei Florêncio, “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy,” Economics of Information Security and Privacy (2010): 33–53. Bryan Krekel, Patton Adams, and George Bakos, “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage,” prepared for the US-China Economic and Security Review Commission by Northrop Grumman, 7 March 2012; Office of the National Counterintelligence Executive, “Foreign Spies Stealing US Economic Secrets in Cyberspace,” report to Congress on Foreign Economic Collection and Industrial Espionage 2009–2011, October 2011; Shadows in the Cloud: An Investigation into Cyber Espionage 2.0, joint report of the Information Warfare Monitor and Shadowserver Foundation, 6 April 2010, http://shadows-in-the-cloud.net; “Gauss: Abnormal Distribution,” Kaspersky Lab Global Research and Analysis Team Report, August 2012, http://www.securelist.com/en/analysis/204792238/GaussAbnormalDistribution. Christian Czosseck, Rain Ottis, and Anna-Maria Talihärm, “Estonia after the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security,” Journal of Cyber Warfare and Terrorism 1, no.
1 (2011); John Bumgarner and Scott Borg, “Overview By the US-CCU of the Cyber Campaign Against Georgia in August of 2008,” US Cyber Consequences Unit Report, August 2009; Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain, eds., Access Contested: Security, Identity, and Resistance in Asian Cyberspace (Cambridge, MA: MIT Press, 2011); Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom (New York: PublicAffairs, 2011). Military doctrine has not stabilized for cyber concepts yet, and debate continues on the distinctions between cyber warfare, computer network operations, information operations, electronic warfare, etc. In this paper I focus on the use of computer hacking to cause mechanical damage in the service of strategic objectives. Cyber warfare clearly encompasses the tactical modalities of cyber attack (degradation of normal hardware or software functionality), exploitation (covert theft or use of data or computational resources), and defense (efforts to prevent adversarial attack or exploitation); my emphasis in this paper is on the primary aggressive move of attack. David A. Fulghum, “Why Syria's Air Defenses Failed to Detect Israelis,” Aviation Week, Ares Blog, 3 October 2007. Some sources dispute whether the Israelis used cyber attack or more traditional forms of electronic jamming; Ellen Nakashima, “U.S. Accelerating Cyberweapon Research,” Washington Post, 18 March 2012. Raphael Satter, “US General: We Hacked the Enemy in Afghanistan,” Associated Press, 24 August 2012. Martin Libicki, Cyberdeterrence and Cyberwar (Santa Monica, CA: RAND, 2009) distinguishes “operational cyberwar—cyberattacks to support warfighting” from “strategic cyberwar, cyberattacks to affect state policy”; see Libicki, Cyberdeterrence, 6. The Cyber Revolution thesis treated in this paper emphasizes the latter threat, particularly via ICS attack.
ICS are the industrial plant equivalent of military command and control (C4ISR) systems; they include the embedded controllers that drive machines like generators, valves, production lines, etc.; embedded sensors that monitor their performance; Supervisory Control and Data Acquisition (SCADA) systems that allow human operators to visualize and manage the process; and the network architecture that connects it all together. For a primer on ICS security, see Joseph Weiss, Protecting Industrial Control Systems from Electronic Threats (New York: Momentum Press, 2010). Anna Mulrine, “CIA Chief Leon Panetta: The Next Pearl Harbor Could Be a Cyberattack,” Christian Science Monitor, 9 June 2011. According to Scott Berinato, “The Future of Security,” Computerworld, 30 December 2003, the first use of the phrase “digital Pearl Harbor” was in 1991 by then RSA Data Security president D. James Bidzos. RMA discourse since the 1990s has focused on the impact of networks on military operational efficiency, but it also has always included a strain of futurism about information warfare as a substitute for traditional operations altogether, e.g., James Adams, The Next World War: The Weapons and Warriors of the New Battlefields of Cyberspace (London: Arrow, 1998); John Arquilla and David F. Ronfeldt, Networks and Netwars: The Future of Terror, Crime, and Militancy (Santa Monica, CA: RAND, 2001). Widely cited as an example of supply-chain sabotage is an elaborate 1982 counterintelligence operation in which the CIA allegedly tampered with Canadian software that the Soviets planned to steal. Once the Soviets installed it in controllers on the Trans-Siberian oil pipeline, this Trojan horse caused “the most monumental non-nuclear explosion and fire ever seen from space” and “significant damage to the Soviet economy,” according to Thomas C. Reed, At the Abyss: An Insider's History of the Cold War (New York: Random House, 2004), 268–69.
However, Rid, “Cyber War Will Not Take Place,” finds little corroborating evidence for Reed's story, which should have had eyewitnesses aplenty. Electrical blackouts in Brazil in 2007 and 2009 have been blamed on hackers, but no supporting evidence has emerged while simpler explanations have been offered in each case: Marcelo Soares, “Brazilian Blackout Traced to Sooty Insulators, Not Hackers,” Wired Threat Level Blog, 9 November 2009, http://www.wired.com/threatlevel/2009/11/brazilblackout; also, a Wikileaks cable from the American Embassy in Brasilia dated 1 December 2009, 11:27 a.m. GMT, discounts the possibility of a cyber attack in the 2009 blackout. Other examples of physical damage include malicious experiments likely created for hacker bragging rights, like the 1999 Chernobyl or Spacefiller virus, which could overwrite Basic Input Output System (BIOS) data and effectively turn a computer into a useless brick. On the INL Aurora demonstration, see Jeanne Meserve, “Staged Cyber Attack Reveals Vulnerability in Power Grid,” CNN, 26 September 2007. On the historical absence of cyberwar, see Sean Lawson, “Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber-Threats,” Journal of Information Technology Michael Stohl, “Cyber Terrorism: A Clear and Present Danger, the Sum of All Fears, Breaking Point or Patriot Games?” Crime, Law and Social Change 46, nos. 4–5 (December 2006): 223–38. Bill Gertz, “Computer-Based Attacks Emerge As Threat of Future, General Says,” Washington Times, 13 September 2011. Alexander also cited “the August 2003 electrical power outage in the U.S. that was caused by a power Electrical software that the of to of and all power William J. a New The Foreign no. at Obama, “Taking the Cyberattack Threat and to for cyber attack are described in Kenneth J. and William R. Information Systems Clayton, “The New Cyber Arms On see Scott Borg, IEEE Security and Privacy no.
6 (December A example of is a attack in which the an than the for it by the has to the of the the for the control which to be but can be that of physical than most the to can information from the physical of a as by even the systems can and social as that human for A Price for March 2012, For a of the cyber offense see Kenneth and Peter W. and Brookings February 2012, the of and a has been between offense and defense is in the use on of a phrase known as a to from the can new while the has a more have this not but to to a See Kirill Chris M. and Stefan Savage, from an Economic Proceedings of the Security August 2010. “Senate Select Intelligence Committee Holds Hearing on Worldwide Threats, ” Defense Intelligence Agency, 31 January 2012, http: //www. dia. mil/public-affairs/testimonies/2012-01-31. html. Ross and Tyler Moore, “The Economics of Information Security, ” Science no. 2006): August and Security and Science no. 11 (November 2006): M. and Michel J. G. Van Eeten, and no. and on Power Control 21 and IEEE on Power 26, no. 1 2011): 31 January 2012. On the complexity of see David D. and Proceedings of a Workshop on ed. National Research (Washington, dc: National Academies Press, For of the of cyber cyber or the of cyber attack to See National Research Proceedings of a General Martin at the of July 2012, I to Erik for the between the of and the of in cyber warfare see Gartzke, “The of Cyber War: War on the Internet to at the International Studies San April of the and of Security and in the of Iran, ” 18 February 2010. and Assessing Capabilities to Destroy Iranian Nuclear International Security no. 
4 Office of the of National Nuclear and November The is described in of the and in David and “The Iranian at from Institute for Science and International Security, March which it from the to in a enrichment plant for and a enrichment plant for industrial have enrichment over at the the has of 20 for and Iran to a to for a a it would have to use the enrichment plant at See David Paul and Iran from Nuclear Its Future Nuclear Institute for Science and International Security, March 2012. The of networks has not been to but can into the from for ics security and of the of by Stuxnet, as in Eric and Joel “How Stuxnet A of in Security white paper, February 2011. The significantly from but the operational of this are as it may have more to or it may have According to the of the would have been the which most of the and that was the “the ics the computer in the control systems and data to in the on the network would have been to by that they from with and to for This network may have had physical from the networks to ics to and not have been an would have of to The network systems, and may have been for each of the in the production of these included the control network that human for the and systems as well as the control network that the the controllers and industrial David Paul and “Stuxnet Malware and of December 2010 Institute for Science and International Security, 15 February 2011, has not the of these data from Stuxnet as it from computer to each instance a of all the machines by the of in or of the worm in the a to internet the of which have not been of these was on was and had at an drive was for a of known are known of Stuxnet, but on inspection data the first version to have damage at The of Stuxnet in June and July 2009, March 2010, and April and 2010. The that about in January 2010, as but in the under when the and and to have had no as the of to after August 2010. 
of the first Stuxnet's damage from each in a in The between and could have been to the of and the worm to the human would the or to the as I that the that into the on at the is The attack as the associated with a are across the and The between and was the was over and the was twenty have been attractive as as they could have the at or also to in the control while in the network and Stuxnet's could have to with that would and the See “How Stuxnet A of has been to a in that a to as as the is This for the first in the version of Stuxnet, on 1 March 2010. As I most of the damage to Stuxnet to March it not have been the that the that the at The first version of Stuxnet used a less sophisticated to via Falliere, “W32. Stuxnet Sanger, “Obama Order. ” William Says It Computer Worm New York Times, October 2010. Iran was likely
Jon R. Lindsay (Mon,) studied this question.