Center for Strategic Communication

Military cyberpower is everywhere in the news. But is also still tremendously invisible. Take Misha Glenny’s recent op-ed, “Stuxnet Will Come Back to Haunt Us”

THE decision by the United States and Israel to develop and then deploy the Stuxnet
computer worm against an Iranian nuclear facility late in George W.
Bush’s presidency marked a significant and dangerous turning point in
the gradual militarization of the Internet. Washington has begun to
cross the Rubicon. If it continues, contemporary warfare will change
fundamentally as we move into hazardous and uncharted territory.

The phrase “militarization of the Internet,” does not seem to mesh with the fact that military-funded research played a major role in developing the Internet. To go back even further, Alan Turing and Norbert Weiner, two monumental figures in the history of computing and robotics, were originally World War II-era military researchers in cryptography and command and control. We owe ubiquitous location-based mobile services, one of the drivers of today’s emerging “post-PC” information ecosystem, to global positioning systems—also a military invention. It is good that most of what we associate as cyberspace can be exploited as public goods, but computing and information technologies have always been strongly associated with military command and control, targeting, and weaponry.

Glenny’s focus on the Internet is part of a common fixation on the Internet as cyberspace, when in fact cyberspace is actually something far larger. As the National Defense University iCollege’s Samuel Liles and Dan Kuehl have both argued, the invention of the “Victorian Internet” in the form of the telegraph and its order-of-magnitude improvement in military command and control marks the real beginning of military cyberpower. Cyberspace is, as Kuehl has written, a global domain within the information environment whose distinctive and
unique character is framed by the use of electronics and the
electromagnetic spectrum to create, store, exchange, and exploit
information via inderdependent and interconnected networks using
information-communication technologies. The Internet is certainly part of cyberspace, but there was cyberspace long before anyone began to seriously discuss the idea of computer network operations. As Bob Gourley tweeted, superior American exploitation of cyberpower won the Battle of the Atlantic in World War II and exposed the Zimmerman Telegram in World War I.

Stuxnet itself is a curious candidate when one looks for a point at which a Rubicon has been crossed that would fundamentally change contemporary warfare. Stuxnet targeted centrifuges rather than human beings. Yet, the United States military uses cyberspace for instrumentally lethal military purposes every day. Drones? They operate on the network, which is part of cyberspace. The Tomahawks we lob at Yemen? And so on and so on. We based the Offset Strategy on the idea that we could exploit superior computing technologies to engineer conventional weapons with superior combat effectiveness against Soviet second echelons–weapons that would obviate the need for tactical nuclear weapons to compensate for raw Warsaw Pact armor. To focus on computer network attacks alone is to ignore the massive structure of military power and coercion built around cyberspace and how crucial it has been to warfare for decades. Cyberspace has been one of the many drivers behind US military hegemony, a fact that has not been lost on aspiring military competitors. Just like focusing on remotely piloted aircraft as uniquely dangerous weapons of war renders invisible the fact that manned aircraft are the actual “grunts” of the targted killing missions, regarding Stuxnet as uniquely horrible is only possible if other, more substantial, military uses of cyberpower are normalized.

There is a tremendous need to conceptualize cyberspace as a kind of pristine, Edenic realm corrupted by the Satan’s Apple of Stuxnet. Just like space, cyberspace is seen as a zone that is beyond–or should be beyond–geopolitics.  But space began with explicitly military origins and military spacepower facilitates Earthbound military operations. Operational domains have always been zones of conflict and contestation. Glenny’s use of the phrases “monster” and “come home to roost” in his op-ed also reveal a framing of Stuxnet as a Frankenstein narrative, a kind of cyber version of the karmic theories of foreign policy and strategy Dan has criticized. But military cyberpower is not a monster cooked up by a mad scientist in a dreary castle, and “coming home to root” is a phrase that implies a kind of divine retribution more appropriate for a Old Testament prophecy than a security assessment.

Glenny’s implicit comparison between a stable world of nuclear weapons and an unpredictable world of “advanced cyberwar” is also interesting because those nuclear weapons were part of a global American military command and control network enabled by exploitation of cyberspace. And in comparison to nuclear weapons, Stuxnet only inficted kinetic damage on the target–the Iranian nuclear program. As Thomas Rid observes, the collateral infection of other computers commonly cited in analysis of Stuxnet were not actually damaging: 

Cyber-weapons with aggressive infection strategies built-in, a popular
argument goes, are bound to create uncontrollable collateral damage.The underlying image is that of a virus escaping from the lab to cause
an unwanted pandemic. But this comparison is misleading. Stuxnet
infected more than 100,000 Windows hosts to increase the chances of
reaching the targeted system – yet the worm did not create any damage on
these computers. In the known cases of sophisticated cyber-weapons,
collateral infections did not mean inadvertent collateral damage.

Glenny worries that Stuxnet and Flame will precipitate constant penetrations of networks in order to gain target intelligence for attacks during the initial period of war, but somehow has missed the fact that this has been a basic element of Chinese and Russian military doctrines for some time. The phrase “Advanced Persistent Threat” is commonly used as a euphemism for nation-state attackers seeking to conduct “long-range cyber recon” of United States military and defense networks to steal military secrets and develop a better understanding of their dynamics and vulnerabilities. And the United States has not been the only victim of long-range cyber recon, and the Chinese and the Russians are far from the only culprits. Glenny worries that Stuxnet will prompt nation-states to develop cyber weapons and use them, but neglects to provide strategic rationales or scenarios for such development and use. South Korea, for example, is developing cyber capabilities to deal with the North’s development of computer network and electronic warfare capabilities. Cyberpower is an outgrowth of the South’s existing national security policy rather than a special effort somehow prompted by the use of Stuxnet and Flame.

Military cyberpower, once invisible to all but a few defense specialists, is slowly becoming visible. In some ways the current wave of commentary on Stuxnet is simply a delayed reaction to what should have been apparent once the electromagnetic spectrum was utilized by Abraham Lincoln to command the American Civil War: a new operational domain has military as well as civilian purposes. The civilian use of cyberspace, like the civilian use of the ocean or space, provides commercial and cultural value, but there is also a power-political context that simply cannot be wished away.

Update: Mike Tanji wrote a far more concise (and hilarious) critique of the op-ed here.