Truman National Security Project

Is Cyber Warfare Necessary to Ensure U.S. Security?

By Joe Costa | 1.14.13

The consequences of a nuclear-armed Iran to international peace and
security are so severe that any responsible country must exhaust all
options short of war to prevent that outcome.  The narrow and direct
use of cyberweapons against Tehran is an additional policy tool to
resolve the Iranian nuclear challenge diplomatically. To mitigate the
long-term dangers created by cyberattacks, the United States has taken
important first steps, and must continue to advance an international
conversation that will place appropriate constraints on offensive
cyberspace operations.

By the time President Obama assumed office in January 2009, Iran had
amassed nearly a bomb’s worth of low-enriched uranium. It had the
technical capability to turn this material into weapons-usable fuel if
a decision was made to do so. Negotiations with Tehran had failed on
multiple occasions over the previous six years. The United States had
intelligence that Iran was developing a second covert enrichment plant
with no civilian application under the hardened mountains of Qom.
Israel was sending a clear and direct message that there was limited
time remaining before it may launch a military strike.

The President was approaching a choice between two worst-case
scenarios: the possibility that a nuclear-armed Iran could emerge
under his watch; or, that a military conflict in the Middle East would
occur to prevent that outcome. Both would have catastrophic
consequences for global stability.

It was under these circumstances that a malicious worm reportedly
developed by the United States and Israel infiltrated Iran’s computer
network at the Natanz enrichment plant and disrupted 20% of its
operating centrifuges. Nearly a year later, a separate virus collected
information from the personal computers of senior Iranian officials. A
third wiped out data at Iran’s Oil Ministry, forcing the government to
temporarily disconnect some of its oil terminals from the Internet.

These cyberattacks served several useful purposes. The so-called
Stuxnet virus that struck Iran’s spinning centrifuges temporarily
delayed the program and created a slightly longer window of time to
assemble a diplomatic resolution to the crisis. More importantly, they
demonstrated to Israel that there was credible determination to delay
a nuclear-armed Iran and thereby contributed to holding off a
potential military strike.

The Flame virus secretly gathered sensitive information from the
personal computers of high-ranking Iranian officials. Acquiring
real-time intelligence is critical in identifying potential threats
before they evolve and demonstrating to the Iranian leadership that
they are being watched 24-hours a day, seven days a week. The Supreme
Leader is much less likely to pursue a nuclear weapon if he believes
there is a high probability of getting caught.

These tangible benefits have come at a cost. Due to a programming
glitch, the Stuxnet virus was released to the world.  It is now
accessible by states or individuals who do not have the U.S.’s best
interest in mind.

In 2011, Iran’s military created a cyber unit that U.S. officials
believe is behind recent cyberattacks that knocked some U.S. banks
offline, and rendered useless 30,000 computers at Saudi Arabia’s state
oil company, Aramco, in what Secretary of Defense Leon Panetta called,
“The most destructive attack that the private sector has seen to
date.” Soon after, a similar virus shut down the website and e-mail
servers of Qatar’s national energy company, RasGas.

The danger of Iranian retaliation, however, is being managed. In an
indirect warning to Tehran, Secretary Panetta declared, “If we detect
an imminent threat of attack that will cause significant, physical
destruction in the United States or kill American citizens, we need to
have the option to take action against those who would attack us to
defend this nation when directed by the president.” Iran is not likely
to test the credibility of that statement.

Looking to the risks of the future, the U.S. is seeking to constrain
state behavior in cyberspace by applying established laws of war to
this new domain. As State Department Legal Counsel Harold Hongju Koh
recently said, “Cyberspace is not a ‘law-free’ zone where anyone can
conduct hostile activities without rules or restraint.”

In the next four years, the Administration must continue to maintain
its leadership position on this issue and drive a global dialogue that
will create the international institutions and governing principles
that will place appropriate boundaries around this emerging

Joe Costa is a Truman Security Fellow and Chair of the Truman Nuclear Expert Group.  This article originally appeared on the website of the Federation of American Scientists.