The covert operation set back Tehran's nuclear program several years -- but may have put America's own infrastructure at risk.
After years of downplaying offensive U.S. cyber capabilities and fretting about Chinese cyber weapons, a major assumption has been turned on its head: America has now conceded that it conducted the most sophisticated state-sponsored cyber attack in the history of civilization.
This history-making development was reported by the Times' David Sanger in his new book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. We now know that the United States has spent billions, hidden in non-public budgets, to develop a capacity to attack the infrastructure of Iran.
This has gone on even as the State Department and the White House have been desperately seeking a series of treaties and agreements to regulate and reign in such activities by others. When President Obama declared, on May 29, 2009, that America's "digital infrastructure" was a "national strategic asset" and would be protected as such, he defined what was largely seen as a defensive policy on cyber attack: We won't do anything to you unless you do something to us.
America's attack -- which, Sanger reports, the government nicknamed "Olympic Games" -- is probably the most significant covert manipulation of the electromagnetic spectrum since World War II, when cryptanalysts broke the Enigma cipher that allowed access to Nazi codes. Many historians believe that the U.S./U.K. code-breaking efforts shortened that war by several years, helped stop the Japanese at Midway, facilitated the death of Admiral Tojo, and immeasurably helped the Soviets hold out in Stalingrad.
Olympic Games seems to have set back the Iranian nuclear program by several years. The U.S.-Israeli intelligence cooperative that collaborated on the cyber weapon may one day be credited with preventing a wider war in the Middle East. Most notably, the United States and Israel delayed Iran's nuclear development without resorting to the use of nuclear weapons. There may be no better contemporary example of how covert action and intelligence can provide policymakers with their most precious resource: more time.
But now that the secret is out, the calculus changes. Sanger and his sources have been flayed by some critics for betraying a precious national security equity. The coding for Olympic Games became public (albeit with its code-writers unknown) a few years ago, when it was leaked to the outside world under the name Stuxnet. Most analysts fingered the U.S. and Israel, with different theories as to who had taken the lead. The governments of China and Russia, two major investors in cyber weapons, probably based their own calculations on the idea that the U.S. authored Stuxnet.
But there is a difference between assuming something and knowing it. Privately, U.S. officials insist that China has been aggressively attacking U.S. systems for years. But China's penetrations have been almost all passive -- whatever bots the Chinese are able to plant inside American computer networks seem to be just sitting there, collecting data (maybe) or waiting until they are given a signal to do whatever they are supposed to do. In short, China is gathering intelligence, not waging warfare. Although it is extremely difficult to create analogies between the cyber domain and the world of bombs and bullets, there is a self-evident line between a computer program that sits and does nothing and one that actively disrupts another country's strategic assets.
Further, attempts to draw boundaries around the global cyber commons may become next to impossible. That is not to say that there won't be cooperation. There are more than a dozen international organizations that already, in a way, regulate, parts of the Internet. Countries actively cooperate on cyber crime -- even the U.S. and China quietly partner to deter copyright violators.
But from the standpoint of each country's political economy, there is little incentive to participate in treaties that constrain action if the prime mover of those treaties may already have violated the sovereignty of another country. (International laws, both formal and customarily, obviously allow a country to protect itself using its military, but there is a real argument about whether it allows preemptive attacks.)
Both China and Russia have gone on the record saying that they would view an operation like Olympic Games--a military-led cyber attack against another country--as an aggressive act. (The National Security Agency is a defense intelligence agency; the Central Intelligence Agency, which is not, almost certainly played a role in introducing the weapon into the Iranian centrifuge processing system.)
What complicates the issue is that almost every major IT company in the world is owned by United States citizens or is based in the U.S. This is an accident of history; the U.S., for the most part, built the world's telephone, fiber, and satellite grids. And these companies have a complex relationship with the U.S. government. There is no coordinated way for the government and the private sector to share information about cyber threats. There are almost no standards, even for critical infrastructure, with which companies must comply. Most companies manage the financial consequences of cyber risk by downplaying the threat rather than by adapting to it.
The notion that the United States is wide open to attack has been a key argument advanced by senior U.S. intelligence and technology officials when they call for laws that would give the government more control over the dot.com domain. The legitimate concerns about how this protection scheme would work, or whether it would stifle innovation or compromise civil liberties, now must be paired with a fact: For every public expression of law, we can assume there's is a covert purpose also being served.
In the end, the U.S. officials who approved Olympic Games decided that America's national security interests demanded an action that, if revealed, might hinder its long-term interests. Our enemies in the cybersphere will help determine whether it was worth it.