Iranian nuclear scientists found a rude surprise waiting for them at the office last month. A computer worm had infiltrated the networks at nuclear sites in Natanz and Fordo and, in addition to shutting down systems, reportedly left AC/DC’s “Thunderstruck” playing at full volume on some computers.
Iran has denied the reports. But if true, this was the latest in a series of cyber-torments, widely attributed to the U.S. and Israel, to target the country’s nuclear program. To the extent that these intrusions have slowed the ayatollahs’ progress toward a possible atomic weapon, and have done so nonviolently, they should be praised.
Unfortunately, as the era of cyberwarfare accelerates, thinking about how the U.S. should proceed remains muddled. The decision Thursday by Republican Senators to block consideration of important cyberwarfare legislation suggests that Congress is among the worst offenders.
Cyberspace will clearly be a major theater of future conflicts, and much of our infrastructure -- the electric grid, telecommunications, financial systems -- is vulnerable to digital intrusion.
The best strategy for the U.S. isn’t to count on the free market to lead American companies to adequately defend themselves, or worse, pray that international cooperation will somehow keep cyberspace free of malice. It’s to accept that the militarization of the digital world is inevitable, and to pass federal requirements to drastically improve our defenses.
The Iran -- including the release of the infamous Stuxnet worm, which took hundreds of Iranian centrifuges offline -- is in principle neither new nor unique. From the telegraph to guided missiles to drones, the U.S. and other countries have long made use of the electromagnetic spectrum to advance their military goals. Technology is always being adapted for warfare.
Other countries are also arming themselves -- as are criminals and terrorists. General Keith Alexander, the head of U.S. Cyber Command, that foreign governments and others had increased the number of computer-based intrusions against U.S. infrastructure 17-fold between 2009 and 2011, and stolen some $1 trillion in intellectual property.
Thus far, the U.S.’s offensive superiority in cyberspace, and the potential for blowback, has deterred other nations from attempting anything truly destructive. Moreover, terrorists are probably not yet sophisticated enough to pull off a major assault. Still, as security experts are fond of saying, a serious cyberattack is a matter of “when” not “if.”
So what preventative measures should we be taking?
Start by working with allies to create international guidelines for behavior in cyberspace -- while recognizing the limitations of such an approach. Security expert Bruce Schneier has argued that hot lines between cyber commands, on the Cold War nuclear model, could help prevent accidental exchanges, especially because the provenance of cyberattacks is often hard to determine. That’s a good idea, although it won’t stop non-state adversaries from wreaking havoc.
Schneier also argues for updating the Geneva Conventions, restricting certain tactics in cyberspace (such as attacks against banking systems) and prohibiting the use of “unaimed weapons” (which attack computers indiscriminately). That seems to have limited practical value. Foreign governments will be hesitant to sign up, violations will be too easy to disguise, and the opprobrium of the international community is unlikely to constrain terrorists.
Such drawbacks point to the most essential step: Prepare for the worst. That means paying better attention to exactly what we connect to the Internet -- watch those thumb drives -- and getting more companies to address their vulnerabilities. It means improving response measures, including preparing National Guard units to react to likely disaster scenarios, such as widespread blackouts or communications failures; building up alternate sites that can be activated in an emergency; and creating much clearer lines of authority during an attack.
Most important, it means getting the government and the private sector to work together.
In this last regard, Congress has unfortunately blundered badly. The Cybersecurity Act of 2012 was intended to encourage the private operators of critical infrastructure to adhere to minimum federal security standards. The bill originally let companies determine how best to meet these standards, thus allowing for innovation and competition, while enabling the Department of Homeland Security to enforce compliance.
In negotiations, the legislation was weakened dramatically, and the security standards were made optional. Backed by the U.S. Chamber of Commerce, Republicans argued that no one has a better incentive to protect against cyber-intrusions than companies themselves. That’s sloppy thinking at best. As we’ve argued before, without federal requirements companies simply won’t spend enough to protect themselves. Proper security is expensive: A study by Bloomberg Government of 172 organizations found that they would need to increase their cybersecurity spending almost ninefold to repel 95 percent of attacks. Responsible businesses would thus be at a competitive disadvantage.
Still, the final version of the bill would have been a decent first step. It would have created exchanges for the private sector and government agencies to share intelligence, with adequate privacy protections; rewarded companies for improving their defenses; strengthened coordination of the government’s cybersecurity efforts; and offered significant incentives for research and development.
On Thursday, even this weaker version failed to move forward in the Senate. Regrettably, a successful assault on U.S. infrastructure may be the only thing to convince Congress and the private sector of just how destructive cyberwar can be.
Of course, a militarized cyberspace can also prevent a lot of bad things from happening. The U.S. was right to disrupt Iran’s nuclear plans -- especially using a tactic that led to no casualties, affected no civilians, and may have bought time for sanctions and negotiations to start to work. Used responsibly, cyberattacks can offer one more tool in the nonlethal arsenal.
Our adversaries, however, won’t have such benign intentions. When they strike, we shouldn’t be surprised. We should be prepared -- and we should know exactly how to respond.
To contact the senior editor responsible for Bloomberg View’s editorials: David Shipley at email@example.com.