An undeclared war in cyberspace
By Gideon Rachman
In recent months, senior western officials have become discernibly more relaxed about the Iranian nuclear programme. It is not that they suddenly welcome the prospect of an Iranian bomb. It is just that, as one official put it recently: “We’re having quite a lot of success, disrupting what they are doing.”
I thought of that comment last week, when reading the reports of a computer virus that has been playing havoc with industrial systems in Iran. The Iranian government complains that it has been hit by “electronic warfare” in the form of the Stuxnet virus that has infected more than 30,000 computers in their country.
The impact of the virus on Iran’s nuclear programme remains obscure. But computer experts seem pretty sure that something as complex as Stuxnet could only have been designed by a state. Early speculation centred around Israel. But, in truth, there are several intelligence agencies that have the capacity and motive to make life difficult for Iran’s nuclear scientists. This year, the US set up a Cyber Command to defend its networks and to plan attacks.
For advanced industrial nations, cyber-warfare is simultaneously a huge opportunity and a huge threat. Targeted cyber-attacks, such as those aimed at Iran, offer the chance to disrupt an enemy’s industrial and military capacities. But western officials are also having nightmares about the vulnerabilities of their own societies.
Until the Stuxnet attack on Iran, the most famous episode of cyber-warfare was an attack on Estonia in 2007. In the midst of an emotional row with Russia, the Estonians suddenly found their access to the internet seriously disrupted by a mass “denial of service” attack. In 2003, the Pentagon also registered a series of attacks on US government sites that were labelled “Titan Rain” and blamed on China.
The Estonian, Chinese and Iranian episodes are mild compared with what some western analysts fear may be coming. Richard Clarke, who once ran the White House’s counter-terrorism operations and famously sounded the alarm about al-Qaeda before 9-11, is now issuing dire warnings about cyber-warfare. He has envisaged a co-ordinated attack that, within 15 minutes, brings down the electrical grid on the east coast of America, scrambles e-mails, shuts down air-traffic control, causes rail accidents and closes banks and electronic payment systems.
Alarmed by threats such as these, military experts are talking about the need for new international agreements to regulate cyberspace. Comparisons have been made with the early years after the discovery of nuclear weapons, before the establishment of arms-control treaties. The threat of cyber-warfare is so new that there is, as yet, no consensus on how to define a cyber-attack, or what would constitute a “proportionate response”.
But the comparison with the nuclear arms race is, if anything, a little too comforting. Nuclear weapons are still the preserve of established states and have not been used since 1945. By contrast, anyone can play at cyber-warfare. The tools can be bought on a local high street and the command-and-control bunker can be a spare bedroom.
Over the past year, the case of Gary McKinnon, a mildly autistic Briton who broke into the Pentagon’s computers while conducting personal research into UFOs, has greatly exercised the UK press. The consensus view seems to be that the Americans are being humourless and vindictive in their remorseless efforts to extradite and prosecute Mr McKinnon. But the McKinnons of this world represent the US military’s worst nightmare: the threat that their high-tech systems could be vulnerable to lone eccentrics – let alone a foreign intelligence service.
In a recent talk Nigel Inkster, of the International Institute for Strategic Studies, pointed to another case that has spooked western intelligence agencies. (Mr Inkster was a senior British spy for many years.) A man styling himself as Irhabi-007 was posting al-Qaeda videos on the web and disseminating instruction manuals for terrorists. He turned out to be a 22-year-old student, operating from a bed-sit in west London. When police broke into his flat, they found him working on a website with the chillingly direct title – Youbombit.
Is the answer to all these concerns more international co-operation and regulation? In recent years, the government of Russia has been among the most vocal advocates of new international agreements to regulate cyberspace. China too has spoken up in favour.
By contrast, the big western powers have been relatively reticent. This may indicate a suspicion of Russian motives, or scepticism about the possibility of effective regulation. Perhaps it also reflects confidence that America remains well ahead of the game in cyberspace, with the most sophisticated research and security capacities. The fact that even Chinese government systems often run off pirated software makes them particularly vulnerable.
For the moment, the western powers probably do still have the upper hand in cyberspace. But one day, the tables may turn. The first we may know of it is when our cashpoints refuse to co-operate, our traffic lights go on the blink and our computers shut down.