Five Questions: Stuxnet, the U.S. and Cybersecurity

Ronald Deibert is Professor of Political Science and Director of the Canada Centre for Global Security Studies and the Citizen Lab at the University of Toronto. He is a cofounder and a principal investigator of the OpenNet Initiative and Information Warfare Monitor. He is author of the Great Decisions 2012 article Cybersecurity: the new frontier. He spoke with Yekaterina Fomitcheva about recent revelations of cyberwarfare, and more.

1. According to the National Preparedness Report, cyber attacks in the U.S. have increased 650 percent since 2006. As cyber attacks become more prevalent and sophisticated, how prepared is the United States’ response system?

The figure that’s given and the characterization of them being attacks is something that we should unpack a little bit and try to determine what’s being measured in the first place, because there is a problem right now in terms of basic statistics and data. A lot of the warnings come from security companies that may have a vested interest in inflating the threats. Furthermore, what constitutes an “attack” is not clear. It could range from a defacement of a website, which is not very serious, all the way to something like the Stuxnet virus, which is extraordinarily serious and could lead to potential loss of life if it was undertaken against something like a nuclear power plant or a hydroelectric facility here in this part of the world.

That said, it’s clear that there is a growing problem and I think generally speaking, we as a society have gravitated so fast to embracing these technologies and using new media like mobile phones, cloud computing, and social networking that we’ve not been able to develop very careful security protocols to go along with them. That’s something we need to address as a society, again without “throwing the baby out with the bath water.”

In 2012, the Great Decisions television series featured an episode on Cybersecurity

2. Recently David Sanger reported in The New York Times about how President Obama has stepped up America's use of cyberweapons, in particular, in its targeting of Iran. Did this operation work as intended? Should the release of Stuxnet code be a concern to the public?

I don’t think it was much of a surprise that the United States and Israel were behind the Stuxnet virus. What was surprising was that it was apparently leaked to The New York Times. I don’t think we would have seen such a detailed story had there not been some deliberate admission made by someone quite senior in the administration.

There have been quite a few incidents of cyberespionage that point back to countries as being responsible in some manner or another, but this will be the first time that a country has, more or less, taken responsibility for what is in effect an act of war carried out through cyberspace. This sets a dangerous precedent internationally because we are not sure how other countries will react, and they’ll probably not react in the same playbook as we have. The U.S., Canada, and other industrialized countries are potentially a lot more vulnerable to this sort of attack than are countries like Iran, Syria, and China who are less dependent on communication and information technologies as part of their critical infrastructure.

There were a couple of comments made in the media about how this might be a new form of civilized or clean warfare. I don’t think there is such a thing. Warfare is warfare regardless of how it is carried out. This will be interpreted as an act of war, and we will wait to see Iran’s response.

3. Does the U.S. face a greater threat from state-sponsored hackers or Anonymous and other “hacktivist” organizations?

The bigger concern for the U.S., Canada, and other liberal democratic countries is with the overall militarization of cyberspace, which is largely a function of growing assertions of state power in this domain. Twenty years ago most governments hadn’t even thought about internet policies or regulations, and if they did, it was largely on the basis of laissez-faire, hands-off approaches. Today just about every country in the world is developing a very ambitious cybersecurity strategy.

Many countries are standing up within their armed forces capabilities to fight and win wars. We now have the revelation that the U.S. and Israel were behind the cyberattack that brought about degradation of a nuclear enrichment facility. A cyber arms race has begun, and there is a major cybersecurity industrial complex that services that arms race including enormous new market opportunity and a bewildering array of companies selling computer network exploitation and surveillance capacities.

The activities of groups like Anonymous and hacktivists, which typically turn out to be misguided youths, pale in comparison. In fact, you can argue that Anonymous and others like them are doing a public good. You may not agree with their methods, but they’ve certainly brought about greater awareness of the insecurities of the data systems that we rely on and take for granted. That’s not to say that we should support them necessarily. That’s just to say that what they are doing is nowhere near comparable to the threats that an arms race in cyberspace presents.


4. We’ve heard about the number of cyber attacks directed from outside the United States, particularly from China and Russia. Are these countries merely testing their cyber capabilities or are they trying to harm U.S. interests through cyber warfare?

It is a strange question to ask in light of current events where you have the major news item being the revelation that the U.S. and Israel were behind attacks on Iran rather than the other way around. This is a much more momentous issue.

That is not to minimize the “threats” that those countries represent. I think they represent very serious threats not only to the U.S. national security but to the security of human rights organizations and to private sector actors whose intellectual property has been pilloried by espionage networks emanating from China.

In the case of Iran, Russia, and China, they’re all very different circumstances, and the reasons that a lot of malicious activity online connects back to them are different in each case. We have to understand the nuances of those differences.

In China, there is a cultivation of a world of cybercrime seemingly for industrial and strategic intelligence benefit. That’s going to be a problem that I believe will hurt China in the long run.  

In the Iranian case, the Iranian government has been developing offensive information operations capabilities for quite some time, mostly in response to the ways in which dissident groups and pro-democracy activists are using the technology to mobilize. With the Stuxnet revelation, however, I think they are going to amplify their capabilities.
In other words, we’re seeing a classic security dilemma type situation in the international system with respect to Iran.

5. Eugene Kaspersky, founder of some of Europe’s largest antivirus companies, said that the only way to eliminate the destructive capabilities of viruses is to have an international pact banning militaries from developing them.

First of all, we should step back and ask what is implied in Kaspersky’s assertion. Without casting aspersions on Kaspersky himself, it is important to understand the context behind the fact that Kaspersky’s company [Kaspersky Lab] is a Russian company closely aligned to the Russian government on cybersecurity matters, and that many of Kaspersky’s positions mesh with the Russian government’s interest.

There is a concerted movement by Russia, China and some other countries to subject cyberspace to greater international controls. On the face of it that may sound like something worthwhile, and that’s certainly the way that Kaspersky presents it. However, what many fear is that having greater international control of cyberspace will legitimize state-based controls and undermine the multi-stakeholder distributed manner in which the internet and cyberspace are governed today, possibly undermining basic rights and freedoms online in the process. I think we have to be very careful about how we react to the very serious problems that people like Kaspersky and others agree deserve some kind of response. We don’t want to “throw the baby out with the bathwater” and overreact to those problems. In other words, do away with the very thing that we’re trying to protect in the first place by overreacting to it.
