The hacking of the International Monetary Fund, Central Intelligence Agency and Citibank computer systems has raised fears that the US is on the brink of a cyberwar for which it is woefully unprepared. To deal with this growing threat, the Obama administration’s strategy is to treat destructive state-sponsored cyberattacks as an act of war that may even result in a conventional military response. This approach unfortunately has an unsustainable double standard: while Barack Obama’s strategy treats cyberdestruction by someone else as an act of war, his administration’s actions imply that cyberdestruction by America is a normal covert action, equivalent to espionage.
This double standard will undermine US attempts to confront cyberattacks and exacerbate one of the most intractable problems: how to attribute blame for such an attack. The US, along with Israel, is widely believed to be responsible for the creation and deployment of the Stuxnet computer worm now wreaking havoc with Iran’s nuclear programme. Stuxnet appears to have inflicted huge damage on Iran’s centrifuges, probably exceeding what could have been accomplished by an air raid, and set back its nuclear ambitions by several years. By the logic of the Obama cyberstrategy, this was an act of war against Iran.
The administration’s silence on Stuxnet suggests its de facto policy is to treat the use of cyberweapons as another form of covert operations. This option is particularly tempting and viable because it is relatively easy to disguise the source of a cyberattack. With Stuxnet, it allowed the US to escape blame and may have avoided a crisis with Iran.