Cyber-Weapons 3
In the previous post of this sequence, several arguments in favor of greater use and development of offensive cybercapabilities are offered. I’ll discuss each of them in turn.
1. The development of cyberweapons allows us greater insight into the weaknesses present in our own security systems.
I would argue that this is for the most part untrue; the systematic discovery and exploitation of security flaws in other systems has very little to do with understanding our own. Indeed, attempting to overcome our own defenses is a valid way to uncover its weaknesses, but this process has nothing to do with our offensive capabilities. In fact, the defensive structures of any target are likely to be so different that any flaw we exploit in a terrorist organization or other government’s security is highly unlikely to reveal anything of significance in our own system. Granted, I am not an expert on the subject, but my understanding is that given the vast differences between defensive systems created by two different organizations, I don’t think it is reasonable to expect that we would learn anything of significance about our own weaknesses through the development of offensive capabilities.
2. Other nations, including our enemies, are already developing and using cyberweapons.
Although this is true, for the most part they have been minor. In fact, under the current United States interpretation of international conflict law, if we were to establish culpability for some cyber-attack on the United States which effected direct harm, we consider ourselves fully justified to retaliate through both cyber and kinetic means. Harold Ko said at the USCYBERCOM Inter-Agency Legal Conference, “There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.”1 The biggest difficulties, for now, in reacting to the use of cyberweapons against the United States, is not a question of whether or not we can respond, but a question of whom to respond against; it is a question which arises in all realms of cyberspace law, the question of attribution. As far as this goes, the existence of cyberweapons in the hands of other forces in today’s world does not constitute a necessity for the United States to have the same. We are fully capable of deterring and responding to cyber-attacks through conventional means – our focus needs to be on the attribution of attacks, again something that comes from our defensive capabilities, not on increasing the breadth of our means of response.
3. There are special cases in which cyber-attacks can be more effective/precise than conventional methods.
It is, of course, impossible to comprehensively argue that there are absolutely zero cases in which conventional methods suffice and cyber-methods are unnecessary. But I think the example given is worth examining more closely. It is curious that the example given, Stuxnet, is precisely a case of the United States wishing to avoid attribution for its (supposed) attack on the Iranian nuclear power plant. And yet Stuxnet has been attributed to the US, and the US has at this point more or less admitted it is the source of Stuxnet. Furthermore, we have little reason to believe that significant damage to the Iranian nuclear program was significantly hampered or impeded.2 As such, I don’t see Stuxnet as an example of a successful cyber-attack where conventional methods have failed – neither of the two goals, to stifle the Iranian nuclear program while keeping the origin of the attack hidden, has been successful.
1International Law in Cyberspacehttp://www.state.gov/s/l/releases/remarks/197924.htm
2Report: Iran’s nuclear capacity unharmed, contrary to U.S. assessmenthttp://www.haaretz.com/news/world/report-iran-s-nuclear-capacity-unharmed-contrary-to-u-s-assessment-1.338522