Stuxnet destroyed those centrifuges in 2010 – though it was most likely implanted into the Iranian system years earlier, lying in wait, activated at a moment when it brought the blessing of time for negotiations in a burgeoning proliferation crisis. A preliminary arms control agreement was reached in 2013, and formalized as the “Joint Comprehensive Plan of Action” in 2015. It was adhered to until the United States withdrew from the agreement in 2018. The Iranians openly broke the terms of the agreement in 2019. But long before this break, in 2012, Tehran and/or Iranian-aligned hackers demonstrated a capacity for retaliatory cybotage, too. Shamoon, a virus that attacked the master boot records – key to mass storage and computer function – erased and irremediably overwrote key data on more than 30,000 PCs of the oil firm Saudi Aramco. A similar attack was launched soon after against the Qataris, further contributing to widespread concern about the vulnerability of a key aspect of the global oil industry to cybotage.25 Needless to say, the Iranians have denied any involvement in Shamoon – much as the United States and Israel have never acknowledged any role in Stuxnet. The covert and clandestine aspect of cyberwar relies on veils of anonymity and deniability, for real, “smoking gun” evidence of actual involvement or perpetration would likely lead to escalation – perhaps even to a shooting war.
As to Stuxnet itself, even though it was carefully inserted into an Iranian system and designed for a very specific target – the programmable logic controllers on particular Siemens equipment – its properties gave it a broader functionality across a range of SCADA systems. And when the worm leaked “into the wild,” perhaps spread by a technician who picked it up inadvertently (or not) on a flash drive, Stuxnet variants began to turn up. In 2011, Duqu emerged. Intended for intrusion and intelligence-gathering, it had Stuxnet-style attack properties as well. The following year, yet another variant debuted, Flame, which apparently attacked the Iranian oil industry. More recently, Triton appeared in 2017, and very quickly demonstrated a Stuxnet-like ability to disable safety systems, this time at a Saudi petrochemical plant. In the worst case, this attack could have caused an explosion leading to mass casualties and a major environmental hazard. Thankfully, it was detected before this happened; subsequent forensic investigation pointed to Triton having come from Russia. A wider search to detect this Stuxnet variant revealed that it is still spreading around the world.26 Other acts of cybotage using different malware have been alleged as well – as in Venezuelan government charges that the United States attacked its infrastructure as part of a “regime change” effort. While lacking credibility, such charges frame a growing fear of an emerging “cool war.”
What makes these exploits “cool”? There are two things, I believe. First, the actions taken must be clandestine (completely hidden), covert (if detected, deniable as to the real perpetrator), or at least able to be denied for a time and in a manner that forestalls retaliatory action. Second, cool war operations should be largely limited to disruption – even costly disruption – inflicting little, oftentimes no, destruction or loss of life. These two factors characterize actions taken in the fictional conflict Frederik Pohl depicted in his 1981 novel The Cool War. He was quite prescient, a decade before the Internet took off, including such actions by covert operators as causing stock market crashes and big drops in commodity values.27 Non-military forms of cyberwar considered thus far fit the category of “cool.” From strategic crime to spying, and on to cybotage, perpetrators are often able to protect their anonymity for long periods – some without ever being reliably identified or counterattacked. As Joseph Nye has observed, “retaliatory threats of punishment are less likely to be effective in cyberspace, where the identity of the attacker is uncertain; there are many unknown adversaries.”28 And the fact that, to be “cool,” attacks have to disrupt much but destroy little, means the likelihood of escalation to wider war is minimized. Even so, as Pohl foresaw in his novel, a lot of small-scale disruption can lead to a virtually unlivable world.
More war, less violence?
There is yet another aspect of “cool” that applies to cyberwar: the portion of that word’s meaning that can be used to describe something subtly attractive, insightful, or innovative. This is the kind of cool that speaks to cyberwar as David Ronfeldt and I first envisioned it at RAND back in the early 1990s. For us, “cyber” meant more than just cyberspace. We drew from the Greek root kybernan, “to steer,” and aligned ourselves with Norbert Wiener’s notion of cybernetics as the process of control through feedback.29 Our view was that, in military affairs, technological advances in information systems – communications, sensing, weapons guidance, and automation – implied the possibility of catalyzing transformational changes in warfare, particularly in battle doctrine. We saw in having an “information edge” the chance to defeat larger forces with smaller, nimbler, more networked units – on land, at sea, and in the air. Oddly enough, our views were shaped quite a bit by the example of the thirteenth-century Mongol campaigns of conquest. Genghis Khan’s “hordes” – often smaller than the armies they faced – benefited immeasurably from what we today call near-real-time reporting on the disposition, composition, and movements of the enemy by their corps of “Arrow Riders,” a Pony-Express-like communication system that gave the Khan a consistent winning advantage.
To be sure, Ronfeldt and I also perceived, back then, the tremendous broad potential of “information-related conflict at a grand level,” which would include new manifestations of “propaganda and psychological campaigns, political and cultural subversion . . . interference with local media [and covert] infiltration of computer networks and databases.” Clearly, in the more than quarter-century since we wrote those words, our predictions about the rise of political warfare and cyberspace-based disruption have been borne out. But we had an even deeper concern, driven by the fast-growing dependence of advanced militaries on information systems of all sorts. Our belief was that these technological advances were going to usher in an era of armed conflict in which the side with better information – that could be refined into knowledge to guide tactical and strategic decision making – was going to be able to win remarkable, lop-sided victories with fewer, but far better guided, forces. We saw it as a world in which, for the side with the edge in the information domain, “[s]mall numbers of light, highly mobile forces defeat and compel the surrender of large masses of heavily armed, dug-in enemy forces, with little loss of life on either side.”30 This possibility of less bloody, yet more decisive, operations lies at the heart of the more purely military aspect of cyberwar: Bitskrieg.
The new mode of warfare, in this respect, echoes the decisiveness of early Blitzkrieg campaigns in World War II that were energized by tank-and-plane operations, closely coordinated by radio – the key information technology of the time. For example, the German invaders of France in the spring of 1940 won, in just several weeks, an amazing victory at relatively low cost in killed and wounded – on both sides. As John Keegan described the rapid German breakthrough and swift conclusion of the campaign, it “had been, in its last weeks, almost a war of flowers.”31 In Yugoslavia, during the spring of the following year, the Germans defeated the million-man defending army in 10 days, suffering only 151 battle deaths. The advance on Belgrade had been led by the 41st Panzer Corps, which lost only 1 soldier killed in action.32 Similar successes accompanied operations in Russia and North Africa, until the Germans became bogged down in set-piece battles at Stalingrad and El Alamein – both of which they lost. Thereafter, Allied field commanders such as Russia’s Marshal Zhukov and the American General Patton showed how they, too, could operate in swift, decisive Blitzkrieg-like fashion. In later iterations of this mode of conflict, the Israelis won a lightning war against an Arab coalition in 6 days in 1967, then the Indians achieved a decisive victory over Pakistan in 1971 in 13 days – Field-Marshal Lord Carver called the latter