David Sanger writes in today’s New York Times of the escalating cyber conflict between the United States and Iran:
A newly disclosed National Security Agency document illustrates the striking acceleration of the use of cyberweapons by the United States and Iran against each other, both for spying and sabotage, even as Secretary of State John Kerry and his Iranian counterpart met in Geneva to try to break a stalemate in the talks over Iran’s disputed nuclear program.
With all the talk about the threat of cyber theft, attack, and even warfare, we should remember that it isn’t a one-way street or, in other words, something only done to us:
It detailed how the United States and Britain had worked together to contain the damage from “Iran’s discovery of computer network exploitation tools” — the building blocks of cyberweapons. That was more than two years after the Stuxnet worm attack by the United States and Israel severely damaged the computer networks at Tehran’s nuclear enrichment plant.
The United States is undeniably the sole superpower, unsurpassed in military and economic might. Yet, apparently, we are still seduced by tools that seem to promise big bang for the buck:
“The potential cost of using nuclear weapons was so high that no one felt they could afford to use them,” said David J. Rothkopf, the author of “National Insecurity,” a new study of strategic decisions made by several American administrations. But the cost of using cyberweapons is seemingly so low, Mr. Rothkopf said, that “we seem to feel we can’t afford not to use them” and that “many may feel they can’t afford ever to stop.”
The problem is, unlike nuclear weapons, other states and non-state actors are similarly not restrained in employing cyber tools. Even if, for the time being, they aren’t particularly sophisticated:
The main targets were the websites of Bank of America and JPMorgan Chase. By 2015 standards, those were relatively unsophisticated “denial of service” strikes that flooded the banks with data, so overloading them it was impossible for a time for customers to access their accounts.
What struck me about this article was that last bit. Sure, there are a lot of issues in the cyber domain involved with deterrence, attribution, escalation, and other issues of doctrine. However, what is new, to the United States at least, is that this form of conflict may connect national security and other foreign policy decisions with the everyday lives of Americans in a way that probably hasn’t existed for decades.
For so long, perhaps even during the Cold War but definitely following the collapse of the Soviet Union, the United States has acted with relative impunity around the world. The costs of our involvement in far-flung engagements ranging from special forces deployments in Africa to full-on war in the Middle East have not been transferred to the American population writ large. Reasons for this range from our practical conventional military invincibility (at least when it comes to state actors, not insurgencies…) to an enormous nuclear deterrent (which keeps us out of serious conflicts with Russia and China) to an all-volunteer force that has become an incredibly lethal and capable machine, but one removed from most Americans’ everyday lives. There is even the reluctance of our elected leaders to pay for these actions through anything but borrowing against the future, rather than taxing in the present.
What’s different about cyber is that the U.S., or any other nation, has yet to demonstrate or develop dominance in this space. We haven’t yet figured out how to deter various levels of cyber incidents. We haven’t yet been able to articulate, never mind enforce or coerce acceptance of, “rules of cyber war” or their equivalent. So what has resulted is an ever-shifting landscape where Iran can (for now simply) inconvenience U.S. citizens in retaliation for our cyber attack on their uranium enrichment equipment. But how far off in the future is it when they can do more than simply inconvenience us? Was that their current limit of capability or simply a warning shot across our cyber bow? How soon until they are able to mine our systems for personal data that can be sold or simply given to malicious third-party actors?
This potential to affect the lives of U.S. citizens in such a manner could very well bring into sharper focus our nation’s national security and foreign policy choices for a much broader audience than is currently engaged. Sure, the public likes the veneer in foreign policy of both competence (usually defined as the perception that every other country is doing what the U.S. wishes it would do, regardless of their own national interests) and strength (usually defined as talking tough/occasionally dropping bombs on other countries).
What changes when they perceive they have a lot more skin in the game? Will elected officials be pressed as to what really are U.S. national security interests vis-a-vis an Iranian nuclear program? Today, it sounds scary – Iranians are crazy, developing missiles, and want to wipe Israel off the map. But if your, your parents’, and your neighbors’ financial or medical security and privacy are at stake, what will be identified as the most important threat – an unrealized nuclear program halfway across the world or losing control of your own personal life?
After that threshold is crossed, what events or global security situations will be reconsidered in the same light?
National security is about to get personal very soon.