Arms Control for a Cyber Age
New York Times, Feb. 26, Pg. A26 | Editorial
A recently disclosed document from the National Security Agency about the escalation of cyber attacks between the United States and Iran presents a chilling summary of how swiftly cyber warfare developed from the first salvos against Iran’s nuclear program a few years ago to a full-fledged cyber arms race.
The attacks and counterattacks grew in scope, it shows, even as the United States and its Western partners tried to curb Iran’s nuclear ambitions, fostering the sense that doomsday bombs of the past were being supplanted by futuristic weapons far easier to develop and deploy, yet with enormous potential for destruction.
The N.S.A. document — prepared in April 2013 for the agency’s director — was revealed this month by The Intercept, a website that reports on the trove from the former N.S.A. contractor Edward Snowden. It confirmed for the first time that American cyber attacks on Iran’s nuclear facilities — presumably including the Israeli-American Stuxnet attack against Iranian computers that is regarded as the first shot of cyber war — led Iran to retaliate in 2012 against American banks and the Saudi Arabian national oil company. Iran, the memo declared, ”has demonstrated a clear ability to learn from the capabilities and actions of others” and would most likely continue the attacks.
The memo could just as easily have dealt with China, Russia, North Korea or the dozens of other states that are working to defend their computer systems or to sabotage those of other states. The problem is that unlike conventional weapons, with cyber weapons ”there’s no clear line between offense and defense,” as President Obama noted this month in an interview with Re/code, a technology news publication. Defense in cyber warfare consists of pre-emptively locating the enemy’s weakness, which means getting into its networks. Recent attacks shows how easily systems considered impenetrable — major banks, Sony Pictures Entertainment, an electrical utility — can be invaded.
The N.S.A. document notes that Iran, for one, continues to adapt its techniques to ”circumvent victim mitigation attempts,” as other global cyber raiders probably do, constantly adding momentum to the digital arms race. And as the race quickens, so does the clash between privacy and cyber security. President Obama was right to call for a ”public conversation” on finding an appropriate balance of privacy and safety.
The tougher challenge is on the global level. Cyber warfare has already done considerable damage and can lead to devastating consequences. The best way forward is to accelerate international efforts to negotiate limits on the cyber arms race, akin to the arms-control treaties of the Cold War. Barring that, there are few viable ways to bring these new weapons and their use under control.