Cyber-Attacks and Secrecy

By Matthew Waxman
Friday, June 1, 2012, 11:22 AM

Let me add to the comments so far on David Sanger’s extensive report in today’s NYT about U.S.-Israeli cyber-attacks against Iran’s nuclear program.  One of the most provocative paragraphs is this one (with my italics):

Mr. Obama, according to participants in the many Situation Room meetings on Olympic Games, was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks.

If this is so – and the substantive point here is debatable, but let’s assume that the President emphatically took this view during these debates – it’s quite remarkable that senior officials at those very meetings are now speaking about this to the press.

Note also that although the NYT’s account “is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts,” it apparently does not include interviews with Iranian officials.  Indeed, the article notes that “Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it.”

This last observation about Iranian secrecy is actually not surprising and has implications for what will probably be very slow and incremental development of international law in this area.  As I’ve argued elsewhere, it’s likely that in many cyber-attack scenarios, both sides – the attacker and the attacked – will have great incentive to maintain very tight secrecy about it; among other reasons and aside from political considerations, the attacked will not want to disclose information about its vulnerabilities and responses.  In light of the “secrecy and low visibility of some states’ responsive actions [to cyber-attacks]… it will be difficult to develop consensus understandings even of the fact patterns on which states’ legal claims and counterclaims are based, assuming those claims are leveled publicly at all.”  In writing this, I may have underestimated how much information might leak from the attacking side.