Defense Secretary Leon Panetta made his first major speech about U.S. cyber-war policy to a business roundtable group this week. He invoked 9/11 and Pearl Harbor in warning of the danger of a cyber-attack on the U.S.:
[He] spoke in … stark language about potential military responses to cyber-attacks that threaten national security.
The United States is now in a “pre-9/11 moment,” Panetta said, at risk of crippling online attacks against public utilities, trains, or chemical factories…. [Such] attacks … could spark the “cyber Pearl Harbor” that the defense secretary has often referred to.
“An aggressor nation or extremist group could use these kinds of cyber tools to … derail passenger trains, or even more dangerous, trains loaded with lethal chemicals,” he said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
The most damaging attacks could combine a multi-pronged attack: knocking civil and military computer systems offline, with a physical attack on the country.
The defense secretary said the U.S. has, in response, developed the capability to trace such assaults back to their source and even preempt such attacks: “Conventional wisdom about cyberspace right now is that it’s impossible to attribute attacks to any specific individual or nation-state, [but] we have invested a lot in the [Defense] Department in developing that capability. And it has improved tremendously.”
These are extraordinary claims, which, if true, mark new developments in the field of cyber-war. Like many such official claims, they may be overstated in order to deter would-be enemies or to justify even larger budget allocations from Congress. Such claims will need to be tested in the real world before we can determine how much is bluster and how much truth.
One of the most troubling aspects of Panetta’s statement was his total amnesia when it comes to the role of our own country in this field. It’s one of the world’s worst-kept secrets (in fact, the Obama administration itself couldn’t leak fast enough in boasting of its involvement) that the U.S. and Israel jointly developed the Stuxnet and Flame computer viruses in a program code-named Olympic Games. It attacked Iran’s nuclear facilities, destroyed 20% of their uranium-enrichment capability, and penetrated the computer systems of Iran’s military and political leadership.
We did this before Iran waged any sort of cyber-attack on us. We did this knowing it would induce Iran to develop its own capabilities and strike back. It’s the ultimate hypocrisy for us to shake our fist at any potential attackers and threaten them with massive retaliation when we ourselves have done far worse.
No one has ever given the U.S. high marks when it comes to sensitivity concerning the ways in which it wields power in the world. This is yet another example of how we arrogate to ourselves ultimate power and the right to make life-and-death decisions over our enemies, while we deny them the right to do precisely the same thing to us.
As one U.S. government cyber security consultant told The New York Times: “What the Iranians want to do now is make it clear they can disrupt our economy, just as we are disrupting theirs. And they are quite serious about it.”
Further proof of our hypocrisy is the U.S. announcement over the past days that Iran is suspected in a series of cyber-attacks on major U.S. banks, which brought down their computer systems over the course of several days. In addition, oil facilities and infrastructure in Saudi Arabia and other Gulf States were attacked. It appears that Panetta’s speech is a response to such news and a tacit warning to the Iranians that they’re playing with fire, though likening attacks on a Saudi oil company and bringing down the websites of a few banks to a “cyber 9/11” seems far-fetched in the extreme.
What the U.S. media has failed to note is that Iran recently conceded that its own maritime facilities and oil industry had come under cyber-assault that could easily have been the work of U.S. cyber-warriors. The electrical power lines to Iran’s Fordow uranium-enrichment plant were bombed as well, in an attack a high-level Israeli source told me originated with the Mossad and its Mujahedeen e-Khalq (MEK) accomplices.
What’s especially troubling is that we will try to use Iran’s alleged efforts to sabotage our economy as proof that it is a rogue nation worthy of ostracism, while we deserve no less opprobrium for our own policies and behavior. This is nothing less than the equivalent of the victor’s justice that governed the Nuremberg trials. Somehow our enemies become moral pariahs while the depravity of our own misdeeds (Hiroshima, Nagasaki, Dresden, Tokyo) is excused as morally just or expedient.
So, for example, the defense secretary’s reassurance that we accept the rule of international law over the use of cyber-weapons does nothing to reassure. After all, this is the same administration that prepares terror kill lists and somehow finds that targeted killing falls within the bounds of international law. This is little different than the old Bush-era debates over torture, a policy against which candidate Barack Obama railed.
Now that he sits in the Oval Office, the view from there (to paraphrase Ariel Sharon) persuades Obama that targeted killing, drones massacring civilians, and cyber-attacks are kosher, but Iran’s response is somehow depraved and indifferent.
You’ll recall the high moral dudgeon into which we flew in this country after a so-called Iranian plot to assassinate the Saudi ambassador to the U.S. was exposed. The notion that Iranian agents might export their grudges here and spill blood on American soil seemed especially outrageous. We conveniently forgot that Israel’s Mossad and its MEK accomplices had assassinated the cream of the Iranian nuclear scientist corps. While the U.S. may not have directly participated, Sy Hersh showed that U.S. special forces had trained the MEK in covert ops at a secret Nevada training facility as late as 2007.
The Pentagon has backed up Panetta’s threats against our cyber-enemies by making cyber weapons and technology one of the few growth industries inside the military-industrial complex. Recently, DARPA, the Pentagon’s research agency, circulated a request for proposals to the defense industry notifying it that the military was willing to spend hundreds of millions on new technology in this field. The new program has been dubbed Plan X.
The only way to truly exert control over cyber-weapons is to negotiate an international treaty that governs their use. We have the Non-Proliferation Treaty, which, with a few exceptions, has been fairly successful at moderating the impetus toward nuclearization. If there are no clear international guidelines to follow, then every nation can choose to define its capabilities and actions as falling within international law. The Obama administration, along with the Bush administration that preceded it, has excellent lawyers who can find ways to turn pork kosher. An internationally negotiated treaty is a much sturdier document that gives every individual nation a benchmark against which it must measure its behavior.
Daryl Kimball, the executive director of the Arms Control Association, noted the danger of the U.S. government’s headlong flight toward cyber-war with this warning: “It makes it sound like the U.S. is preparing to be able to wage a full-out cyber-war. Those kinds of statements could come back to haunt the U.S. down the road.”
On a related note, Kaspersky Labs recently announced that it has discovered a new cyber-virus it’s calling mini-Flame, which is used to hack computer systems in the Middle East. The code, a variant of the Flame and Stuxnet computer worms, which have previously been attributed to joint Israeli and U.S. development, penetrated computers in Lebanon, Sudan, Iran, Saudi Arabia, and Palestine. It appears, from the precision of the attack and the small number of victims, that those who created it did so as part of a comprehensive cyber-espionage program. With Stuxnet they cast their net as wide as possible, seeking massive amounts of data from a wide number of computers. They then harvested the data and honed the code so that it went after a smaller but much higher-value set of targets.
Among other things, mini-Flame takes a “screenshot” of the computers it infects. It sends this image back to the home servers where the hackers can then explore the harvested data.
The list of targeted nations immediately calls Israel to mind as the likely author of the code. It already has a massive covert-ops program in place against Iran. Lebanon and Sudan are natural targets because Hezbollah is an Iranian ally and Hamas has reportedly imported arms from Iran via Sudan. Israel has also used its drones to attack reputed Iranian arms convoys headed for Gaza through Sudan.