Cyberpower has posed a challenge for strategists since its advent, and the questions have only grown more pressing with the revelation of the Stuxnet malware attacks on Iranian nuclear sites. Many interpretations currently abound in an attempt to provide a framework within which to think about Stuxnet and about cyberpower more generally. Stuxnet has been described as the digital equivalent of "fire and forget" missiles, and it has caused concerns that cyber war may achieve the same catastrophic results in the highly networked 21st century that superpower nuclear war would have had in the 20th. (1) Neither comparison is particularly apt. Instead, the most constructive way of thinking about Stuxnet is to conceive of it as a special operation in cyberspace. The strengths and weaknesses of Stuxnet correspond to the strengths and weaknesses of special operations. Although Stuxnet may be judged a tactical success but a strategic failure, it serves a pioneering purpose and holds the door open for the serious consideration of cyber attack as an instrument of strategy and policy.
Cyberpower and Stuxnet
Cyberpower has been steadily growing in prominence over the past decade, but for the most part it seemed to offer only a limited toolset to strategists. Danny Steed in a recent article suggests that it can be used as a tool or otherwise elicit effects in five different ways. First, it can be a potent tool of intelligence, affecting the scope of and speed with which information can be gathered. Second, it greatly optimizes the use of one's own hard power--the foundation of Western military prowess. Conversely, the third use of cyberpower can disrupt the network that underpins the enemy's hard power. Fourth is a greatly expanded conception of the third use: direct cyber attack on national infrastructure, as seen in Estonia in 2007 and Georgia a year later. Finally, it may have significant impact on morale, particularly on the home front, as casualties and accidents are typically made known, either by the media or the government, with a celerity that far outstrips the achievement of tactical success, let alone strategic success. However, there are two important military applications that the Steed analysis claims that cyberpower cannot do. First, it cannot directly cause corporeal harm, either to human beings or to their physical creations. Second, it cannot occupy actual terrain. Ultimately, the analysis concludes that "cyberpower will never coerce in the way that sheer physical force can do." (2)
This pertains to conventional cyberpower. These are the tactical limits within which the vast majority of cyberpower will fall. Strictly speaking, Stuxnet also belongs within these limits, despite purportedly resulting in the destruction of 1,000 Iranian centrifuges at the Natanz enrichment plant. This destruction was a second-order effect of the malware; it created the context within which the destruction occurred but did not directly inflict it. The first-order effect remained at the eternal limit of cyber assault: digital infection. However, Stuxnet is exceptional despite staying within the limits of what is tactically possible for cyberpower because through manipulation within those limits, it was able to reach beyond them. It broke previous patterns of political uses of cyberpower by spreading indiscriminately, while only activating on very particular machines. It exploited four vulnerabilities, including two zero-day vulnerabilities, in Microsoft operating systems to gain access to Siemens programmable logic controllers and control of the operation of centrifuge-operating computers, at which point it displayed decoy signals to indicate normal operation even as it followed instructions that broke those centrifuges. (3) It was the first time that such a comprehensive package--one common in the criminal cyber underworld, capable of spreading by itself, hiding itself, and attacking by itself--was employed against a specific target to achieve, or at least facilitate, a particular strategic or political effect. …