What Stuxnet means for online freedom of expression

Three weeks ago, David Sanger of the New York Times published an article on the role played by cyberweapons in the United States’ subversion of Iran’s nuclear program. Sanger’s reporting confirmed that Stuxnet, a sophisticated piece of industrial malware that was publicly identified in mid-2010, had been created and released as part of a joint US-Israeli cyber-operation against Iranian nuclear facilities, a program that began under President George W. Bush and was sustained by President Barack Obama.

Sanger’s piece has aroused a polarized debate over “cyberwarfare” as state policy. Some critics continue to dismiss as gross exaggeration the idea that the US is embroiled in a cyberwar, while others imagine that cyberspace will eventually become the predominant theater of war, thus minimizing the human costs of conflict. At the very least, however, observers agree that Stuxnet is a Pandora’s box; not only is Stuxnet a proof of concept that the sustained use of pure code can effect damage in the physical world, its provenance justifies the legitimacy of cyberattacks as policy tools for other actors.

What impact will Stuxnet (and the more recent Flame variant) have on freedom of expression? The Obama administration has consistently touted itself as a defender of the free and open internet, from Secretary of State Clinton’s characterization of internet freedom as a vital tool in “21st century statecraft” to President Obama’s stated vision for a “cyberspace that is open, interoperable, secure, and reliable,” governed by “the norms of responsible, just, and peaceful conduct among states and peoples.” Former State Department official Chris Bronk and journalist John Naughton have both suggested that the United States’ covert deployment of cyberweapons is an act of hypocrisy that has undermined the credibility of its internet freedom agenda.

Points of tension between freedom of expression and a cyberoffensive policy do exist, though for reasons more subtle than what has been suggested by Naughton and Bronk. Their stance is vulnerable to criticism on the grounds that just as military action against an oppressive regime may advance rather than contradict a world peace agenda, digital action against a state may be entirely consistent with a digital freedom agenda; some degree of policing, covert action, or coercion may be necessary to realize an end-goal of openness, freedom, and security. In discussing how a particular brand of espionage or sabotage may threaten freedoms, the impacts of malware use must be disentangled from the ramifications of violating Iranian sovereignty; only the former is at stake.

Regardless of whether the United States’ actions against Iran were justified, the United States’ deployment of cyberattacks allows “cybersecurity concerns” to be abused as pretense for countries to further regulate–or even close altogether–their civilian networks. Iran’s nationwide intranet project, which began in 2011 in part as a response to the “soft war” begat by the pernicious reach of “Western” ideas, can now be promoted as a defense strategy in the “hard war” waged by the West as well. Never mind that cyberaggression as statecraft has very little bearing on the civilian internet; Stuxnet, for example, infiltrated a closed Iranian government network via USB stick. The internet is a “cyberspace,” and Stuxnet is a “cyberweapon”– it will not be difficult for countries to propagate the misleading notion that a foreign state’s digital arsenal is closely coupled to the people’s internet. Cyberoffense thus represents a credible threat to the open Internet insofar as it aggravates an already-inflamed rhetorical space regarding regulation and control of the net; cyberattacks such as Stuxnet may be leveraged as justification for increasingly closed, filtered, and surveilled networks.

Perhaps the greatest threat to freedom of expression is the information economy that surrounds cyberaggression, rather than cyberaggression itself. As Glenn Greenwald has argued, Sanger’s coverage of Stuxnet is “pure access journalism,” wherein selective disclosures from government officials neuter the “adversarial watchdog” role that investigative journalism ought fulfill. When the sole source of information regarding Stuxnet’s deployment is the government itself, journalists can only exercise freedom of expression within the artificial space the state has granted them. Certainly, governments have always restricted public scrutiny of matters related to national security. But information regarding cyberaggression is particularly susceptible to strict control because a state’s digital maneuvers are much more “deniable” than its kinetic maneuvers; in comparison to physical actions, digital acts of aggression leave behind significantly less identifying evidence that is much more resilient to analysis. Ease of deniability thus allows the state to act as sole gatekeeper to all information and shape completely the public’s understanding of its actions.

As a single thread in a tangled political complex, cyberaggression threatens the free flow of information both online– by providing a pretense for more tightly controlled networks– and offline– by allowing the state a crucial information monopoly.