Wired has reported that a virus has hit the US drone fleet operating out of Creech Air Force Base in Nevada. This has not stopped the Predator and Reaper drones from operating in Afghanistan, West Asia and now also North Africa, the areas the US considers “war zones” – a shadowy war in which the ratio of high-value targets to actual “kills” is now (2009-2010 figures) running at 1:147.
The issue I am writing about here is not the drones per se, but the newest form of war that is now upon us – cyber war. And the virus on the drone fleet is not the first act in this new game of war; the first was undoubtedly Stuxnet, the virus that targeted Iran’s Natanz uranium enrichment facility.
The current virus afflicting the drone fleet seems to be logging the “pilots’” keystrokes, thereby recording the pilots’ actions. The pilots of the drones, of course, sit not in the war zone but thousands of kilometres away in what are called “ground control stations”, or virtual cockpits, in Nevada. From there, using a bank of computers, the pilot carries out his kill missions. The virus seems to have infected both the classified network to which the virtual cockpits are connected and the public network connected to the outside world. The two sets of machines – those on the classified network and those on the public network – are supposed to have no connection, so an infection on one should not affect the other; but the use of USB sticks to move data between them can bridge this “air gap”. At this stage it is hard to tell whether the virus simply travelled through the public network and infected the classified network inadvertently, or whether it is a targeted attack mounted by an adversary such as Iran, similar to the one the US launched on the Iranian uranium enrichment plant at Natanz.
What is this new form of war – cyber war? If, for instance, a virus targeting a facility can be used to partially or fully damage equipment, in what way is that different from, say, a bomb attack? It is possible to use a virus to take “malicious control” of equipment in a nuclear power plant and make it do things that can lead to a core meltdown. This can result in an accident of catastrophic proportions; the Fukushima disaster has already clocked up a bill of $52 billion in damages. So how should we look upon malicious software that can lead to such damage, specifically when creating the software and aiming it at a specific facility is done with intent? This is not just maladjusted individuals sitting somewhere writing viruses to generate indiscriminate chaos in computer networks. In what way is it different from an act of war?
The US proclaimed full spectrum dominance in its strategic doctrine – the Pentagon’s “Joint Vision 2020,” which first appeared in 2000. It speaks of full spectrum dominance as involving not just the four dimensions stated earlier – space, sea, land, air – but a fifth as well: “information”, or cyberspace. Full spectrum dominance means both defensive and offensive capabilities. In May 2010 the Pentagon set up its new U.S. Cyber Command (USCYBERCOM), complementing its other Commands.
The US has resisted all attempts till now to have an international treaty on cyber war. This is in line with its basic position on all matters of international law – it applies to all countries but not to the US – the case for US exceptionalism. From drone attacks – undeclared war and extrajudicial killings – to cyber war, all of this is permitted only to the US. The US has, however, publicly declared that any cyber attack on its infrastructure will be considered an act of war and will draw a physical retaliation: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” as one military official was quoted saying in the Wall Street Journal. Sauce for the gander is not sauce for the goose.
Defining what constitutes an act of war, as against unauthorised access to data or cyber crime, is important. A number of attempts, apparently originating from groups in China, to access data on computers have been widely reported in the press, the one involving Google leading to a public spat between the US and China. All of this could be categorised as espionage – either security related or for stealing commercially valuable data – akin to conventional espionage: not nice, but what all governments seem to do. This changes if, for instance, software can access the controls of vital equipment – power plants, national grids, telecommunications networks, etc. – and make them misbehave or shut them down. Shutting down a grid can have catastrophic consequences, and tampering with the control equipment of vital infrastructure such as power plants could cause plant failures. In the opinion of most people this would constitute an act of war. The grey area is an attack that only accesses vital data – for some this is akin to an act of war, for others not so.
By this definition, Stuxnet is a virus that seems to have been designed explicitly to target the centrifuges in Iran’s Natanz plant. Detailed accounts of the Stuxnet virus are available. It was analysed by Symantec when it first appeared in 2010; they found that of the more than 100,000 computers infected, about 60 per cent were in Iran and about 20 per cent in Indonesia, with India coming third at about 10 per cent. The target was a specific combination of machines – PCs running the Windows operating system and connected to Siemens PLCs. From the beginning it was clear that this was not a run-of-the-mill virus but one with a very specific end in mind. Also surprising was the pattern of infection – it did not reflect the pattern of computer usage but clearly had a geographical target.
PLCs, or Programmable Logic Controllers, are a class of computers that control physical processes – they are used for industrial control. They can drive many kinds of equipment and are found widely in plants of all kinds. After analysing the code, it was found that the target was even more specific – it seemed to target two sets of frequency converters, one made by a manufacturer in Finland and the other by a manufacturer in Iran. From this it was a short hop to the conclusion that the target was the uranium enrichment plant at Natanz.
Confirmation came from the numbers and configuration that the code analysis threw up – it identified an array of equipment known to be similar to the centrifuge array in one of the Natanz blocks. The code was designed to speed up and slow down the centrifuges at periodic intervals via the frequency converters. Once this was correlated with what IAEA inspectors knew of the Natanz plant – that a large number of centrifuges had been damaged and taken out of service – the entire sequence of operations became clear. This was a cyber attack that had taken out vital equipment at Natanz.
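One way a plant operator could have noticed the behaviour just described, as an added example that is not from the article or from any published Stuxnet analysis: the snippet below scans constructed frequency-converter telemetry for commanded set-points outside the nominal operating band and groups consecutive out-of-band samples into episodes, which is the trace a periodic speed-up/slow-down cycle leaves behind. The log format, the drive names FC-01 and FC-02, the 950-1050 Hz band and every reading are assumptions made for illustration.

```python
"""Detect out-of-band speed commands in constructed frequency-converter telemetry.

Added example, not code from the article nor from any published Stuxnet analysis.
The log format, the drive names, the nominal band and every reading below are
assumptions made for illustration; a real plant would take them from the
controller's own data historian.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed telemetry: one commanded set-point sample per drive per minute.
SAMPLE_LOG = """\
t=0 drive=FC-01 setpoint_hz=1000.0
t=0 drive=FC-02 setpoint_hz=1000.0
t=60 drive=FC-01 setpoint_hz=1000.0
t=60 drive=FC-02 setpoint_hz=1000.0
t=120 drive=FC-01 setpoint_hz=1400.0
t=120 drive=FC-02 setpoint_hz=1000.0
t=180 drive=FC-01 setpoint_hz=1400.0
t=180 drive=FC-02 setpoint_hz=1000.0
t=240 drive=FC-01 setpoint_hz=1000.0
t=240 drive=FC-02 setpoint_hz=1000.0
t=300 drive=FC-01 setpoint_hz=2.0
t=300 drive=FC-02 setpoint_hz=1000.0
t=360 drive=FC-01 setpoint_hz=1000.0
t=360 drive=FC-02 setpoint_hz=1000.0
"""

# Assumed process envelope: any command outside this band is suspect.
NOMINAL_LOW_HZ = 950.0
NOMINAL_HIGH_HZ = 1050.0


@dataclass
class Excursion:
    drive: str
    start: int       # seconds since start of the log
    end: int
    worst_hz: float  # the reading farthest from the nominal band


def parse_log(text):
    """Turn 'key=value' lines into (t, drive, hz) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        records.append((int(fields["t"]), fields["drive"], float(fields["setpoint_hz"])))
    return records


def _distance_from_band(hz, low, high):
    """How far a reading lies outside [low, high]; 0.0 when it is inside."""
    if hz < low:
        return low - hz
    if hz > high:
        return hz - high
    return 0.0


def find_excursions(records, low=NOMINAL_LOW_HZ, high=NOMINAL_HIGH_HZ):
    """Group consecutive out-of-band samples per drive into Excursion episodes."""
    by_drive = defaultdict(list)
    for t, drive, hz in records:
        by_drive[drive].append((t, hz))

    excursions = []
    for drive, samples in by_drive.items():
        samples.sort()           # order by time within each drive
        current = None
        for t, hz in samples:
            if _distance_from_band(hz, low, high) > 0:
                if current is None:
                    current = Excursion(drive, t, t, hz)
                else:
                    current.end = t
                    if _distance_from_band(hz, low, high) > _distance_from_band(current.worst_hz, low, high):
                        current.worst_hz = hz
            elif current is not None:
                excursions.append(current)   # back in band: close the episode
                current = None
        if current is not None:
            excursions.append(current)       # log ended while still out of band
    return excursions


def excursion_counts(records, low=NOMINAL_LOW_HZ, high=NOMINAL_HIGH_HZ):
    """Number of excursion episodes per drive, including drives with none."""
    counts = {drive: 0 for _, drive, _ in records}
    for exc in find_excursions(records, low, high):
        counts[exc.drive] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for exc in find_excursions(recs):
        print(f"{exc.drive}: out of band from t={exc.start}s to t={exc.end}s, worst {exc.worst_hz} Hz")
    print(excursion_counts(recs))
```

The caveat a practitioner would add is that a check like this is only as honest as its telemetry: a controller compromised at the PLC level can command one thing and report another, so the set-points should be read from a source independent of the engineering workstation, such as the drives themselves or a passive tap on the fieldbus.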
Some of the issues that flow from this are whether Natanz was an “illegal” facility and therefore a legitimate target. It is clear from the NPT provisions that Iran has a right to enrich uranium. The US and other western countries argue that Iran has “lost” this right by virtue of its violations of certain IAEA provisions. If we look at international law, it is clear that the IAEA decision to report Iran for such violations was a political one and had very little to do with actual NPT obligations or IAEA violations. That is why India's breaking ranks with the other non-aligned countries on the IAEA Board, which had opposed the US move, is particularly galling and has bedevilled India-Iran relations since.
Irrespective of the IAEA and subsequent UN sanctions, any physical attack on Iran's Natanz plant would constitute an act of war. There is very little doubt that the US understands that any attack on Natanz – a US or Israeli air strike like the Israeli attack on the Osirak reactor – would rapidly escalate to war, with this strike as its first act. Hence the choice of a virus attack instead of a physical one, which could still delay or derail the Natanz fuel enrichment plant.
There is little doubt that the US was a party to this attack, though some claim it was a joint US-Israeli operation. The sophistication of the virus and the knowledge of Natanz it had to embody preclude its being a private enterprise. In any case, the US and the Israelis have been giving a nudge-nudge, wink-wink denial of the Stuxnet attack, leaving very little doubt about the origin of the virus.
The question we need to ask is whether, by changing the mode of attack, it is any different from a conventional attack that fulfils the same purpose. The second question is: if Iran retaliates with a similar virus attack on a US installation, what would the US reaction be? And the third, perhaps the most important: how do we prevent such viruses from attacking vital installations in other countries which were not the targets but could still get infected?
The US position on this is clear – while the US is allowed to attack other countries using such cyber attacks, any attack on US installations would lead to a conventional retaliation; in the US book there is no difference between a conventional and a cyber attack as long as it creates a similar impact. But it still retains the right to target others it considers attack-worthy. As it explained privately and as its proponents state publicly, Stuxnet is justified because it “saved” Iran from bombing.
What should concern all of us is that we have now added a new dimension to war as it is understood. War in cyberspace is also war, but the problem of who the originator is and whether the attack is deliberate is far more difficult to settle. By initiating this new form of attack, the US has deliberately brought a whole new range of warfare and weapons into play. And as the infection of the drone control centre shows, others will surely follow where the US has led – whether in drones or other new forms of warfare.
Welcome to the brave new wars of the 21st century: drones and computer wars.