An account of how the "Stuxnet" worm was used in the cyberattack on the Iranian nuclear program.
Stuxnet and Cyberpower in War
Since Stuxnet was discovered, there has been much commentary about what it means for cyberwar, a term that has become part of the contemporary strategic lexicon. The problem is that "cyberwar" is both an inaccurate descriptor of what Stuxnet and other possible cyberweapons portend, and artificially differentiates cyberpower -- the ability to use cyberspace in peace and war in order to achieve political objectives -- from the other military instruments as a tool of national power. Cyberpower must be analyzed and considered within the context of 21st century war and peace, not as an isolated phenomenon. To that end, the term "cyberwar" does not promote sound strategic thinking. Instead, it is more useful to talk of cyberpower in war, or war by cyber means.
While the Stuxnet worm reveals a number of characteristics about war by cyber means, it also raises many questions about this kind of warfare that policymakers would do well to ponder. Only by examining both sets of issues is it possible to determine whether Stuxnet is in fact a game-changer in the evolution of the cyber domain and in warfare in general.
Stuxnet and the Evolving Character of War by Cyber Means
Cyberweapons are disruptive instruments. Stuxnet has shown that the strategic utility of cyberweapons is their ability to disrupt, deny and deceive an adversary's strategic intentions. Meir Dagan, the recently retired head of the Israeli intelligence service Mossad, has estimated that Stuxnet has delayed the Iranian nuclear program for at least three years. If so, that would not be too far off the delays that an air strike could conceivably achieve. However, it would appear that Iran has since replaced all of its damaged centrifuges and has resumed enriching uranium. And according to the Institute for Science and International Security (ISIS), while Stuxnet certainly damaged the Iranian program and confused its technicians, the attack's overall effect has been minimal. This is significant, as it suggests that cyberweapons such as Stuxnet are not the "silver bullet" replacement for more-traditional military instruments that they have been purported to be.
John B. Sheldon | 19 Apr 2011
In June 2009, a
By themselves, cyberweapons are unlikely to be coercive. For all the apparent damage Stuxnet seems to have done to the Iranian nuclear program, it has not coerced the Iranian regime into abandoning that program. In fact, all of the known cyberattacks of the past several years, such as those against Estonia in 2007 and Georgia in 2008, had no coercive effect on their targets. Even if future cyberweapons prove more disruptive than Stuxnet appears to have been, they will lack a meaningful coercive ability, for the simple reason that the victim of a cyberattack can always escalate by resorting to more-traditional means of physical violence. However, cyberattacks carried out in conjunction with other military instruments -- or other national instruments of power, such as economic sanctions -- may cumulatively have a coercive effect.
Cyberweapons must be tailored to their intended targets. Stuxnet worked because the Iranians had to use a foreign-made operating system to control their centrifuge operation. That particular system was known to be made by Siemens of Germany, and according to the New York Times, Siemens cooperated with the Department of Energy's Idaho National Laboratory to test its operating system for vulnerabilities. Of course, Siemens is not the only company that manufactures operating systems for large-scale industrial processes, but it is reasonable to assume that intelligence agencies have uncovered the vulnerabilities of all the various makes, or are in the process of doing so. But if the Iranians had the resources, expertise and overall ability to design and manufacture their own operating system -- even one using open-source software -- tailoring a cyberweapon capable of producing a strategic effect similar to that of Stuxnet would have been much more difficult and much more dependent on having reliable human intelligence assets within the Iranian program.
Resiliency and redundancy are keys to withstanding cyberattacks. The Stuxnet attack reveals the importance of possessing resilient and redundant networks in the face of such offensive capabilities. Had the Iranians acquired back-up operating systems from a variety of manufacturers and had them in reserve, it is reasonable to speculate that Stuxnet's effect would have been significantly mitigated. This raises the prospect that in the future, countries like Iran will place a greater emphasis on resilience and redundancy, despite the delay and cost of doing so. Indeed, now that Iran and others are wise to the threat, they are already devising workarounds and defenses, putting the onus back on cyberattackers to circumvent these new countermeasures. This raises questions about offensive persistence in cyberattacks and the capacity on both sides for a conceivably rapid offense-defense cycle.
Effective cyberattacks require large, complex operations. If the New York Times account is true, it seems that the Israelis took the lead on the Stuxnet operation but required the backing and assistance of allies such as the United States, as well as the U.K. and Germany -- though in the case of the latter two, it is unclear whether their role in the operation was knowing. Cyberoperations of this scale have many moving parts and are thus subject to the friction that will inevitably arise out of such complexity. Advanced technical expertise, meticulous intelligence preparation, sophisticated logistics and tens, if not hundreds, of millions of dollars are required to pull off these kinds of cyberattacks successfully under the cover of the strictest secrecy.
Precise cyberattacks will entail a massive intelligence burden. In light of this, Stuxnet also confirms the notion that such attacks require years of detailed, careful and persistent intelligence efforts -- and not an inconsiderable amount of luck. Stuxnet has been years in the making and is suggestive of the massive intelligence burden required to make similar attacks work. Precise cyberattacks will be burdensome and time-consuming.
Though cyberattacks can be precise, they will entail unforeseen consequences. The unique characteristics of Stuxnet that resulted from this massive intelligence effort suggest that cyberweapons can be precise. But this does not mean that they will not have unknown second- and third-order effects. Some experts believe that Stuxnet could conceivably be reverse-engineered and used against American and other Western targets. If so, the Stuxnet attack against Iran, and others like it, could have a boomerang effect on the perpetrator -- assuming Israeli or U.S. responsibility for Stuxnet. Similarly, the Anonymous hacker collective -- responsible for the cyberattacks against Visa, PayPal and other companies that denied their services to Julian Assange's WikiLeaks organization -- claims that its members have access to Stuxnet. There is doubt in some quarters, however, that Stuxnet could be used against the U.S., and the claims of access to Stuxnet by the Anonymous hacker group cannot be independently verified. Ultimately, though, no one can be certain at this stage as to what the consequences, if any, might ultimately be.
Cyberattacks will always take place within a strategic context. Stuxnet, like previous known cyberattacks such as those against Estonia and Georgia, took place within a wider, known strategic context and was not carried out in isolation from other, more traditional means. In Estonia, the immediate strategic context revolved around the tearing down of a memorial statue of a World War II-era Soviet soldier and the protests and riots the removal triggered. In a broader sense, the strategic context was the political warfare campaign waged by Russia against Estonia and other former Soviet states in order to undermine their political and economic viability. The cyberattacks on Estonia were just one data point in that context. The same is also true for the cyberattacks against Lithuania, Georgia, and Kyrgyzstan, among others. In Iran, the Stuxnet attack has taken place in the wider context of regional and international concern not only over Iran's nuclear program, but also over its apparent rise and regional hegemonic aspirations. These cyber incidents suggest that a surprise cyberattack, while certainly possible, makes little strategic sense, raising questions about the plausibility of "cyberbolts" out of the blue.
Cyberattacks are most effective when used in conjunction with other instruments of power. In an immediate sense, the Stuxnet attack has taken place against the backdrop of a longstanding campaign by Western intelligence agencies targeting Iran's nuclear program, including: sabotage of nuclear equipment bound for Iran; assassinations of leading Iranian nuclear scientists by unknown parties and entities; and the imposition of a seemingly biting sanctions regime. In short, context matters a great deal, and cyberweapons and attacks seem most effective when used in conjunction with other instruments of power.
Despite media speculation, we still know very little for sure about who was responsible for the Stuxnet attack. But the characteristics of war by cyber means listed above are plausible, if certainly debatable, regardless of the veracity of the numerous media reports on the issue.
Some Questions Arising Out of Stuxnet
While the Stuxnet attack reveals possible characteristics of war by cyber means, it also raises some serious questions about the use of cyberweapons that policymakers and strategists would do well to consider.
- Stuxnet has demonstrated the real strategic utility of cyberweapons, but in so doing, it has also highlighted issues of legitimacy, accountability and restraint in the use of such weapons. In this particular case, many might understandably argue that Iran's nuclear program has been significantly disrupted and possibly delayed, and that this is surely a good thing. But what if a cyberweapon had unintended consequences that resulted in the death of civilians -- by a power outage that kills patients in an affected hospital, for instance? In such cases, how should a victim respond, and what should the international community's obligations be, if any? Who in the chain of command should ultimately make the decision to employ such weapons? This is not a call for hand-wringing; in terms of proportionality, Stuxnet is infinitely preferable to -- and probably cheaper in a number of ways than -- an air campaign. But these important questions remain relevant and should be given serious consideration.
- So far, cyberattacks, ranging from the various denial-of-service attacks against the likes of Estonia and Georgia through to Stuxnet, have produced a disruptive strategic effect. On that empirical evidence one can confidently assert, for the time being, that cyberpower is a disruptive strategic instrument. However, Stuxnet complicates the notion that we might be able to defend, or even deter, against such weapons. For example, do we know with any certainty both the capabilities and capacity of our adversaries, both existing and potential? Do we have an inkling of their thresholds for when a disrupting cyberattack becomes, for them, a casus belli that spills over into a more traditional military response? The effects of a nuclear attack, or varieties of conventional munitions, are more or less widely understood. To borrow from the theology of nuclear strategy, we know where the escalation ladder ends when it comes to nuclear weapons. We do not know where that limit is for cyberweapons. As a result, any talk about defense and deterrence when it comes to war by cyber means is worse than premature -- it is downright misleading.
- While few are likely to have sympathy for Iran and the damage it suffered from the Stuxnet attack, there is a serious question of blowback. Iran, along with a number of other state and nonstate actors, is investing in cyberwar capabilities. Do we, in the West, possess the necessary resilience, robustness and redundancy in our various networks not only to withstand a Stuxnet-style attack or worse, but also to respond if required and if the perpetrator can be identified with a certain degree of confidence? There are reasons to doubt the effectiveness of our cyberdefenses and our ability to satisfactorily attribute cyberattacks, and those issues need to be urgently addressed.
- Our seeming lack of knowledge about the extent of cyberwar capabilities, combined with the evidence of its emerging strategic utility, makes cyberarms control proposals seem nonsensical at best. Stuxnet seems to have demonstrated that states consider cyberweapons, unlike a number of other destructive capabilities, eminently usable and useful, despite their risks. However, this does not mean that international discussions about war by cyber means cannot be useful, and policymakers must consider how best to foster such discussions.
- The rapid offense-defense cycle between cyberattack capabilities and defenses means that the effectiveness of offensive cyberweapons will be short-lived. Once a belligerent tips his hand, it does not take long for a defender to come up with an adequate defense to the weapon. This means that cyberattack weapons will ideally be employed in pursuit of a large strategic payoff, rather than a short-term tactical advantage. Policymakers and strategists must carefully weigh the use of these weapons so that their possible benefits outweigh any potential costs. In light of this, do policymakers and strategists fully understand the capabilities they may have at their disposal?
- Finally, Western states might view cyberweapons as an easy alternative to more traditional forms of military power. The problem with this way of thinking is that the coercive effectiveness of cyberweapons employed autonomously is negligible and, if discovered, could put the onus on an adversary to escalate a crisis into a full-blown conflict. Cyberweapons are unlikely to be a bloodless alternative to more-traditional forms of military force. Indeed, the real effectiveness of cyberweapons is likely to be the disorienting effect they have on adversaries when coupled with military force. Policymakers and strategists must therefore carefully gauge the right mix of cyber and other military capabilities in order to achieve the maximum effect. Current strategic thinking and doctrine on the matter have yet to provide any reliable guidance on this issue, and much intellectual effort is needed to provide a sounder basis for the use of cyberattack capabilities. Land, sea and air power all have a theoretical canon that is taught in the service war colleges around the world. For example, Rear Adm. Alfred Thayer Mahan's groundbreaking work, "The Influence of Sea Power Upon History, 1660-1783," was written in 1890 and is still taught in naval staff colleges around the world. Where is the Mahan for cyberpower?
Undoubtedly many more questions can be raised from the Stuxnet attack against Iran's nuclear facilities, but the questions outlined above are perhaps the most salient for now. It is vitally important that policymakers, strategists and defense intellectuals consider them in detail in order to deepen our currently limited knowledge and understanding of war by cyber means.
Is Stuxnet a Game-Changer?
The Stuxnet attack is undoubtedly an important turning point in the evolution of war using cyber means. And as noted above, this type of warfare raises a number of very important questions for policymakers and strategists to consider. However, as dramatic as the Stuxnet attack initially seemed to many, with time it has actually revealed that cyberattack capabilities are likely to have transitory and limited effects as coercive instruments. The real strategic attribute of cyberpower is the ability to manipulate enemy perceptions of their strategic environment for one's own advantage. Cyberpower disorients the enemy and thus provides other military instruments and other national instruments of power, such as diplomacy, a greater chance of achieving policy objectives.
Stuxnet is not the harbinger of a change in the nature of war, because the cyberattack capabilities it has revealed do not change the fundamental strategic calculus between states and other actors. Instead, they are merely another tool in the strategic toolbox that, in some circumstances, might provide the basis for the continuing advantage of one belligerent over another. But for the most part, cyberattack capabilities will play a supporting role that will help leverage the lethal effects of more-traditional military instruments or provide the window for meaningful diplomatic initiatives. In that sense, cyberpower will only become more important, but from a strategic perspective, it is hardly revolutionary.
John B. Sheldon, Ph.D., is professor of Space and Cyberspace Strategic Studies at the U.S. Air Force's School of Advanced Air & Space Studies, and deputy director of the Air Force Space and Cyber Strategy Center, Maxwell AFB, Alabama. He is also a research fellow at the George C. Marshall Institute in Washington, D.C. The views expressed here are those of the author alone, and do not represent the views of the U.S. Air Force or the George C. Marshall Institute.