Ellen Nakashima has an interesting piece in the Post describing Iranian computer network operations directed at U.S. banks and other private commercial entities, depicting them as the latest developments in the ongoing shadow conflict. The timing of the story is excellent, given Harold Koh’s recent speech discussing the US government perspective on the international law concepts applicable to computer network operations. Some will be tempted, of course, to argue that we’ve brought this on ourselves through the Olympic Games program (Stuxnet et al.), and indeed we see that perspective in a quote from one expert who spoke to Ellen for the piece:
Many experts have said the launch of Stuxnet — the world’s first physically destructive cyberattack — opened Pandora’s box.
“If you are in the glass house, you should not be the one initiating throwing rocks at each other,” Gregory Rattray, chief executive officer of Delta Risk, a security company, said at a recent conference. “We will have rocks come back at us.”
I’m a bit of a skeptic when it comes to such arguments, both as to computer network operations and drones. Both state and non-state actors have ample reason to develop or acquire these technologies, and if they are otherwise motivated to use them I do not think that it will prove dispositive whether the US government first blazed the trail. The real impact of US trailblazing instead has to do with the possibility that (i) we are motivating specific actors to accelerate their R&D efforts in these areas; (ii) the actual deployment of our drones and code might provide technological shortcuts for adversaries who get their hands on them; and (iii) we might lose the ability to denounce other actors on legal or policy grounds for using arguably comparable methods.
Risk (ii) is a genuinely significant one. Risk (i) is potentially significant, but ultimately might be too hard to measure with real rigor. Risk (iii) is a staple of the drone strike debate, and a point that should always be kept in mind.