By now you probably have read The NY Times piece "Obama Order Sped Up Wave of Cyberattacks Against Iran" and, if you follow me on Twitter, a number of stabby tweets.
Countless hours have been spent on STUXNET and I won't rehash it all - all the technical details, actors, decisions, etc. have been guessed at some point and confirmed completely or in part with today's NYT piece. There is just one thing ~I~ wanted clarity on and I got it:
"He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks."
So The Bush and Obama Administrations did realize they were probably establishing a new "Rules of Engagement" with STUXNET? And they still executed and expanded operations at that given time - with the situations going on in Afghanistan and Iraq?
And potentially, if Iran is to be believed, may have continued operations on Oil Fields and other economic spheres against Iran today with the additional backdrops of Arab Springs and continued economic unrest Worldwide.
A lot of people look at Iran or Terrorists and say they'll always act with guerrilla intentions anyway but that's simply not the case. There are limits depending on what they have at stake. They know they're almost always asymmetrically overpowered and while they're often a bit off-kilter they are rational Actors.
Cutting to the chase..
STUXNET was a strategic mistake. It ushered in a new era in Cyber we weren't ready for. If we were going to do stupid - we should've done the stupid we know all angles of and gone kinetic from the get go. Now, regardless of STUXNET, we're just all struggling with the idea of if and when Israel will go kinetic on Iran and what part the US might play in it anyway. We just compounded ugly.
I've stated emphatically I think weaponizing Cyberspace is a losing proposition across the board but it's still going to happen. I was just hoping we'd cut it a bit short and realize the errors - this NYT piece makes me feel like we don't have enough depth in DC to realize the risks before it's too late.
Now - I didn't go to a War College - nor do I have any insider information - and I frequently say a lot of InfoSec practitioners who have wandered into geopolitics are armchair Generals. Myself included. So I always work under the assumption I'm probably wrong and trying to hash out where and learn.
This time - sorry - I think I'm right.
Cyber is unique in that you're giving away your weapons, tactics, the design of them, etc. simply by using them. It's only a matter of time. You'll never know if you have better or the same weapons as your adversary. You're not always sure where the cyber attack is coming from.
And the battlefield is, by default, across uninvolved Nation-State boundaries and online services, and engrosses economic spheres far wider than any traditional conflicts. And, even more so than traditional conflicts, a Cyber conflict can cause further stunting to underdeveloped regions of the World, reactions like Nation-State Intranets, more surveillance, less Freedom, etc.
OK - let's still say you were going to do this. At the same time you were complaining we're not ready for attacks? Preaching Doom & Gloom to our own Grid. On our own infrastructure. THAT'S when you choose to attack the Nuclear infrastructure of another Nation-State?
It doesn't matter if you've got big guns, if you don't have pants on, don't poke a Honey Badger in the eye with a stick. Certainly don't do it when all the other angry critters see you're occupied elsewhere and without pants.
So let's say the instigation and the race for readiness was a calculated risk. Some people have suggested it's Genius to mobilize "our forces" this way - force readiness down from on-high.
Uhh. No. We don't have the documentation, the human resources, the know-how, or the slightest clue what to do on a wider scale. This isn't a centralized send a man to the Moon sort of project. We. Just. Aren't. Ready.
So here we are, each day someone else talks about Terrorism Online or Cyberwarfare.. our lack of readiness across the board. And we pushed the first pieces forward? (The Russian Georgia or Estonia arguments don't compare - let's not bring those back up.)
Was it the right time? Do we have that much confidence in our economy's ability to absorb a return salvo and our Military's ability to respond asymmetrically? Do we have confidence allies both economically and militarily will support us? Do we have the right stand-off ability?
It was just too soon. I'm not sure Donald Rumsfeld was asked but is this a case of "As you know, you go to war with the army you have, not the army you might want or wish to have at a later time." ??
I'm sure we'll get a better picture and re-visit this when Confront and Conceal is released.
Cross-posted from Packetknife's Space