For years, the federal government has been telling us it needs broad, new powers in order to protect us from cybersecurity threats. Recent events, however, including the government’s response to the WikiLeaks challenge, suggest that among the serious cybersecurity threats we face may be retaliatory actions against private industry by the government itself.
In this new era of cyber warfare, sophisticated tools developed by governments to attack and disable adversaries’ nuclear and other military programs, can just as easily be turned against civilian, non-military business or economic targets within its own borders or elsewhere. And it is not clear whether the new, GOP-controlled Congress, loath to be blamed for placing limits on the government’s power to thwart what it sees as potential military threats, will step in and investigate this new phenomenon of cyber-retaliation.
In the national security arena, development of aggressive, cyber-security tools has led to at least one spectacular success – against Iran’s developing nuclear technology. Last summer, computer security analysts uncovered something called “Stuxnet,” a malware (malicious software) program widely believed to have originated in Israel, which targets very specific industrial computer systems. Reports indicate the worm was used successfully to attack computers located in at least two nuclear sites in Iran – a clear attempt to slow down, if not cripple Teheran’s atomic ambitions.
Despite earlier denials, Iranian President Mahmoud Ahmadinejad subsequently admitted Stuxnet indeed had created some problems for his country’s nuclear program. The United Nations confirmed that Iran temporarily halted enriching uranium. While the extent of the damage wrought by Stuxnet is unknown, Iran clearly appears to have been the first sovereign victim of nation-sanctioned cyber warfare.
Stuxnet, already recognized as a “game changer” by security officials, can, in the words of one expert, “automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product, and indicate to the operator and your anti-virus software that everything is functioning as expected.”
Kaspersky Lab, a Russian-based computer security company, told the media that because of the financial resources needed to develop such a sophisticated worm, it could only be carried out “with nation-state support.” The Russians also noted that this new, weaponized software “will lead to the creation of a new arms race in the world.”
Other national regimes posing real or suspected threats to international security obviously are or could become similar victims of Stuxnet. North Korea, which already has developed a rudimentary nuclear weapons and delivery system, is a clear target.
The technology reflected in Stuxnet, however, which should properly send chills down the spines not only of dictators in Pyongyang and national leaders elsewhere on the “outs” with Washington, also should worry lawful business and other internet-based operations such as WikiLeaks. In fact, WikiLeaks appears already to have been the target of just such action. As former CIA officer Philip Giradli reported recently in the American Conservative, the Pentagon – aided by Israel – hacked WikiLeaks’ servers to make the organization’s website “inoperable.” WikiLeaks’ sin? Not the development of a rogue nuclear weapons system or harboring terrorist cells; but merely the publication over the internet of official, US-government communications that have proved embarrassing to Washington.
Such actions ought to be the subject of oversight investigations by the Congress which, now under GOP leadership in the House, promises aggressive oversight of abuses of power by the executive branch. One goal of oversight hearings would be to consider and enact measures to ensure such powerful and easily abused capabilities are kept within legitimate, constitutional boundaries. Unfortunately, the new, 112th Congress thus far has indicated no interest in actually limiting government power; and may instead succumb to executive branch entreaties to expand its legal authority over the internet, and actually to make it more difficult to limit government-sanctioned cyber-retaliation.
- by Bob Barr, The Barr Code