By Joseph Eyre
In the early hours of June 30th, deep inside Iranian territory, a fire broke out at a key nuclear facility near the city of Natanz. Not long after, explosions roared through the night air. Behrouz Kamalvandi, a spokesperson for the Iranian Atomic Energy Organisation (AEOI), said that the incident caused “significant damage” and that it would “slow down the development and production of advanced centrifuges in the medium term.” When you consider that centrifuges are needed to produce enriched uranium and that this is a key ingredient in making nuclear weapons, you could be forgiven for assuming that this fire was no accident. In fact, Iran came to the same conclusion just a month later, with officials pointing to cyber sabotage as a cause.
Although no culprit has been named directly, the United States, and possibly Israel, are very likely candidates given they executed a strikingly similar attack ten years ago. The US’s long-held aim of preventing Iran gaining nuclear weapons is no secret; in 2010, both Iranian technicians and International Atomic Energy Agency inspectors were noticing that centrifuges at the same Natanz facility were failing at an unprecedented rate, but with no idea why. It was only after seeking help from a Belarusian computer security company for an unrelated issue of crashing computers that the Iranians discovered their systems had been infected by malicious files. This was no ordinary computer virus. The Iranians had discovered Stuxnet, dubbed “the world’s first digital weapon,” a cyberweapon developed by the US and Israel capable of inflicting physical destruction on equipment controlled by computers.
Considering Stuxnet, a sci-fi-like weapon, was first used over ten years ago, it’s worth examining how this relatively new form of warfare and sabotage has changed throughout the intervening decade. As Donald Trump nears the end of his tenure and Joe Biden prepares to take the reins, the incoming administration will inherit a significantly altered global cyber security landscape and also a substantially increased offensive capability.
The Obama Era
The Obama administration was the first to take threats to cyber security seriously and made a concerted effort to secure this new arena. Despite the Stuxnet attack, the administration’s policy came to be primarily aimed at discouraging, punishing and defending against hacking rather than actively carrying out offensive cyber warfare. In 2009, President Obama announced a cross-government “Cyberspace Policy Review” which, among many other things, outlined a near-term aim of “ensuring that cyberspace is sufficiently resilient and trustworthy” and that to do so would require leadership from the very top of, and cooperation across, the Federal Government. Evidently, this was a major priority for the new administration.
This policy was expanded further in 2012 by then-classified ‘Presidential Policy Directive 20 (PPD-20).’ Based on a fact sheet released by the White House, the policy emphasised a priority on “network defense and law enforcement as preferred courses of action” and a commitment to “restraint in dealing with the threats we face.”
However, despite the obvious focus on the issue and its status as a policy priority, success was unfortunately limited. Reflecting the scale of the problem, in October 2014, FBI Director James Comey stated that “there are two kinds of big companies in the United States, there are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” Just one month later, a high profile and very costly cyber attack, believed to be the worst on a company on US soil at the time, was carried out on Sony Pictures by North Korea.
Unsurprisingly, in early 2015, Obama declared the rising number of cyberattacks against the US to be a national emergency, and signed an executive order that would impose sanctions on those carrying out attacks. One key area of success, later that year, was an agreement with Chinese President Xi Jinping for both nations to abstain from commercial espionage for economic advantage. While only dealing with industrial espionage, the agreement proved somewhat successful, with security firms noting a substantial decrease in Chinese hacking activity on companies. But, despite this limited success, one of the most significant cyber attacks on the US was yet to come.
In 2015 and 2016, Russian hackers with links to Russian intelligence agencies gained access to the Democratic National Committee computer network and subsequently leaked large quantities of private emails. US intelligence agencies subsequently concluded that this, along with other operations conducted by Russia during the 2016 election period, was to assist Donald Trump in the US Presidential Race. Ultimately, Trump went on to win the 2016 election and his administration’s cybersecurity policy, for better or worse, has marked a substantial departure from that of the Obama administration.
The Trump Administration
A former Department of Homeland Security official and cybersecurity expert, Paul Rosenzweig, said in an interview that “the attackers are a year ahead of the defenders, the defenders are two years ahead of the legislators, and the legislators are two years ahead of the regulators.” He certainly isn’t the first to point out that the slow-moving bureaucracy of government is ill-suited to dealing with issues arising from the rapid advancement of technology; and it is for this reason that Donald Trump’s details-averse and hands-off approach to the Presidency has led to significant changes in US cyber security and warfare policy.
Most significantly, in 2018 the Trump administration scrapped the guidelines set out in Presidential Policy Directive 20, mentioned above. Restraint, cross-government coordination and top-level leadership are no longer the governing factors of US policy in this area. Trump, however, was not the only factor in this shift. The US defence community had increasingly been of the opinion that America needed to be more aggressive online and agile in their response. One defence official is quoted as saying “I think we’ve concluded that our restraint back in the day was, in fact, escalatory in and of itself.”
This shift in thinking culminated in the dual appointment of General Paul Nakasone to the posts of NSA director and leader of US Cyber Command in 2018. A telling exchange during his Senate confirmation hearing indicated what was to come during his tenure. Senator Dan Sullivan (R-AK) stated that “we seem to be the cyber punching bag of the world.” Nakasone agreed, saying that perpetrators “do not think that much will happen to them. The longer that we have inactivity, the longer that our adversaries are able to establish their own norms.”
Nakasone took control of Cyber Command, with its staff of over 6,000 people, and the NSA, with 38,000 staff along with close to 20,000 contractors. This vastly increased cyber capability, along with new powers granted through the revocation of PPD-20, is what has primarily defined the Trump administration’s cybersecurity policy. Whereas previously decisions on offensive operations had sat firmly with the president, they have now been delegated to Nakasone and his organisations. The administration sets their goals, with the tactics left to the commanders (Nakasone has adopted the illustratively named tactic of ‘persistent engagement’ of adversaries). These changes have introduced the much-needed agility required to respond to such rapidly advancing technological threats. An unnamed defence official has attributed the change to Trump personally; “he alone had the courage – maybe you would call it recklessness – to say ‘Sure, do that thing, unleash that thing.’ He didn’t actually spend a lot of time thinking about what’s the secondary or tertiary effects.”
Joe Biden’s Plan
With the Biden administration yet to take over, it is unclear what their approach to cybersecurity will be. However, it could well be that this shift in policy is here to stay, at least in some form, and that it will form a part of Donald Trump’s legacy. Taking his hardline approach to China as an example, Trump’s initial risk-taking and reckless approach appears to have ushered in a new, bipartisan approach to China that is tougher and more sceptical than under the Obama administration. This certainly appears to be something the Biden administration will continue, albeit with greater strategic coherence, and cybersecurity may well be the same.
While the Obama administration certainly put the urgently needed focus on the issue of cybersecurity, its policies were limited in their success. A lack of agility and a focus on punishment and prevention not only failed to prevent cyberattacks on the US, but the lack of offensive capability led to a weak deterrence. The Trump administration has improved on these aspects, but that is not to say that their policy will continue unmodified under Biden. Unrestrained offensive activity by the US could easily lead to escalation and normalisation of this form of warfare. Therefore, it’s much more likely that while the new administration will embrace the increased and more agile capability, the parameters within which it operates, and its goals, will be more restricted and cautious. If Obama’s approach was too cautious, and Trump’s borderline reckless, Biden’s will likely sit somewhere in-between. An optimist may well be anticipating the best of both worlds.
This report was compiled by Joseph Eyre.