Richard A. FALKENRATH The New York Times
STUXNET, the computer worm that last year disrupted many of the gas centrifuges central to Iran’s nuclear program, is a powerful weapon in the new age of global information warfare. A sophisticated half-megabyte of computer code apparently accomplished what a half-decade of United Nations Security Council resolutions could not.This new form of warfare has several implications that are only now becoming apparent, and that will define the shape of what will likely become the next global arms race — albeit one measured in computer code rather than firepower.
For one thing, the Stuxnet attack highlights the ambiguous boundaries of sovereignty in cyberspace. Promoting national security in the information age will, from time to time, cause unpredictable offense to the rights and interests of innocent people, companies and countries.
Stuxnet attacked the Iranian nuclear program, but it did so by maliciously manipulating commercial software products sold globally by major Western companies. Whoever launched the assault also infected thousands of computers in several countries, including Australia, Britain, Indonesia and the United States.
This kind of collateral damage to the global civilian realm is going to be the norm, not the exception, and advanced economies, which are more dependent on advanced information systems, will be at particular risk.
What’s more, offensive and defensive information warfare are tightly, insidiously coupled, which will significantly complicate military-industrial relations.
The expertise needed to defend against a cyberattack is essentially indistinguishable from that needed to make such an attack. The Stuxnet programmers are reported to have exploited proprietary information that had been voluntarily provided to the American government by Siemens, that German company that makes data-and-control programs used in nuclear power facilities — including Iran’s.
Siemens did this to help Washington build up its ability to fend off cyberattacks. Will Siemens and other companies think twice next time the American government calls? Probably. Whether it’s true or not, as far as the rest of the world is concerned, the United States is now in the business of offensive information warfare, along with China, Israel and Russia, among others.
It’s not hard to imagine, then, the splintering of the global information technology industry into multiple camps according to their willingness to cooperate with governments on security matters. We can already see this happening in the telecommunications industry, where companies promote their products’ resistance to government intrusion. At the same time, other companies might see an advantage to working closely with the government.
Stuxnet also raises sticky and perhaps irresolvable legal questions. At present there is no real legal framework for adjudicating international cyberattacks; even if victims could determine who was responsible, their governments have few options outside of diplomatic complaints and, perhaps, retaliation in kind. An international entity that could legislate or enforce an information warfare armistice does not exist, and is not really conceivable.
A similar question exists within the United States. Under American law the transmission of malicious code is in many cases a criminal offense. This makes sense, given the economy’s reliance on information networks, the sensitivity of stored electronic data and the ever-present risk of attack from viruses, worms and other varieties of malware.
But the president, as commander in chief, does have some authority to conduct offensive information warfare against foreign adversaries. However, as with many presidential powers to wage war and conduct espionage, the extent of his authority has never been enumerated.
This legal ambiguity is problematic because such warfare is far less controllable than traditional military and intelligence operations, and it raises much more complex issues of private property, personal privacy and commercial integrity.
Therefore, before our courts are forced to consider the issue and potentially limit executive powers, as they did after President Harry Truman tried to seize steel plants in the early 1950s, Congress should grant the White House broad authority to wage offensive information warfare.
By explicitly authorizing these offensive operations in appropriate, defined circumstances, a new statute would strengthen the president’s power to provide for the common defense in cyberspace. Doing so wouldn’t answer all the questions that this new era of warfare presents. But one thing is sure: as bad as this arms race will be, losing it would be even worse.
Richard A. Falkenrath, a principal of the Chertoff Group, an investment advisory firm, is a former deputy commissioner for counterterrorism for the New York Police Department and deputy homeland security adviser to President George W. Bush.