The famous Stuxnet attack against Iran is credited by some as forestalling the alternative: a bombing raid by Israel against Iran’s nuclear facility. The use of such cyber-weapons in the future, however, may mean more countries end up in low-level conflicts more or less continuously.

Military strategists are still grappling with the domain of cyber-warfare, which is particularly fraught because of the fuzzy overlap between outright conflict, cyber-espionage and the responsibility of civilian agencies to protect critical infrastructures (banking, utilities, transport) – most of which is in civilian hands anyway.

Kenneth Geers, ambassador for the NATO Cyber Centre and senior fellow of the Atlantic Council, explained that an air force could bomb a target overnight but (as evidenced by Stuxnet) you “can’t hack on the same day”.

“Who are you going to be in conflict with in the next year? You have to decide who, when, how deeply you want to hack… and study networks beforehand,” Geers told El Reg.

“You’d better do a lot of hacking in peace-time [since] you can’t do it overnight,” he added.

Geers, who recently relocated to Kiev, Ukraine, said doctrines applicable to Stuxnet were also applicable to the BlackEnergy malware attacks against power distribution systems in the Ukraine last December. Russia is the prime suspect in the latter attacks but proving it is a different matter. Attribution is notoriously difficult in cyberspace.

“Packets don’t wear uniforms,” Geers noted.

The Tallinn manual, drawn up by experts in international law, offers a framework towards creating a “Geneva Convention” for cyberwarfare actions. NATO recently said it reserved the right to respond militarily to the most serious category of cyberattack, something consistent with these emerging rules, but the issues don’t stop there.

Establishing “plausible deniability” in the face of accusations of launching a cyberattack is always a potential option. “Fear of retaliation is low and there’s not much deterrence,” Geers concluded.

Stuxnet and Israel

Stuxnet is widely and rather convincingly credited as a joint US-Israeli op, codenamed Olympic Games. Israel doesn’t acknowledge this officially and security companies don’t even admit to it privately, although the body language whenever the subject is raised smacks of pride – not to mention chutzpah.

Professor Ben Israel, a retired major general in the IDF, stated that the Stuxnet attack showed that cyber-weapons are a known phenomenon and that “Israel should be prepared more”. He credits it for spawning a complete revamp of Israel’s cyber strategy that in no small part helped fuel the growth of Israel’s security startups. ®