Ban on offensive cyber operations needed

Russia’s call for NATO to launch an investigation into the computer worm that targeted a Russian-built Iranian nuclear power plant deserves a response. Claims that the incident could have triggered a new Chernobyl are probably exaggerated, but an investigation is certainly warranted. Indeed, a joint Russia-NATO investigation might be beneficial, especially if it were also to review the cyber attacks against Estonia (2007) and Georgia (2008).


The New York Times has reported that US and Israeli intelligence services collaborated to develop the destructive computer worm in a bid to sabotage Iran's efforts to make a nuclear bomb. No smoking Russian state gun has ever been found in relation to the attacks on Estonia, although evidence points to coordination among Russian professional computer specialists and chat sites that were exhorted on the blogosphere to attack Estonian sites. The question of who masterminded the attack itself has been reverberating for several years, with many fingers pointing at the Kremlin, but without any evidence to substantiate these claims. 


A joint NATO-Russian analysis of both the Stuxnet and Estonia/Georgia cyber attacks would be an exemplary case of cooperative security in action. But don’t expect it to happen any time soon. The rattling of cyber skeletons inside both the Kremlin and Pentagon will see to that. In addition, the opinion pages in America have been full of praise for the “bloodless cyber warfare attack” on Iran, which is hardly surprising given the domestic support for other remote technological fixes in the US arsenal, such as armed drones. But just as those have blowback consequences, the moving of malware from the domain of civilian black-hats to full-bore military weaponry also has the potential to threaten us in return. As the Los Angeles Times points out, “it's hard to ignore the signs that a new kind of arms race has started”. This is troubling for at least two reasons: first, we don't know how existing international laws and treaties that govern conventional conflicts would apply to cyber war, if at all; and second, our crucial infrastructure is highly vulnerable to attacks from cyberspace.


In an increasingly interconnected world, it's hard to tell where the cyber battlefield begins and ends. It is clear, however, that the US Defence Department is carrying out clandestine cyber activities with very little oversight by lawmakers, a situation that is almost certainly mirrored across several other NATO member states as well as other major powers, like Russia, India and China. The US military's use of offensive cyber warfare has only rarely been disclosed, the most well-known instance being the electronic jamming of Iraqi military and communications networks in advance of the ‘shock and awe’ attack in 2003. It seems highly likely that the US military is also involved in offensive military cyber activities in Afghanistan, Yemen and several other countries where it is supporting counterinsurgency or counterterrorism operations. The Pentagon has also centralized its cyberspace operations within a Cyber Command that became fully operational in October last year.


It is also clear that the US is making most of the running in developing cyber security partnerships with NATO and the EU. Hungary's Gabor Iklody is the point person on emerging security challenges for NATO, including cyber security, heading up a new office opened last August. The Lisbon Summit in November and NATO’s new Strategic Concept also identified cyber security as a priority and committed the Alliance to bringing a NATO cyber-incident response organization fully online by 2012 and to centralizing NATO cyber security. The declaration also included commitments to develop an in-depth cyber defence policy by June 2011 and prepare an action plan for its implementation.


One of Ambassador Iklody’s first tasks should be to clearly define the parameters of offensive and defensive cyber operations and explore how NATO might contribute towards an international ban on offensive cyber attacks, or at minimum, a ‘no-first use policy’ akin to that adopted by some nuclear weapon states (but not NATO). He will first be required to remove the blinkers and address a significant obstacle to international cooperation in this area: that a major source of cyber attacks and a major spur to the cyber arms race resides within NATO itself.