Remember the years-long controversy about whether the U.S. or the Israel would bomb Iran's nuclear program? It appears they just did – virtually. And if they did, they also may have expanded our sense of how nations wage war in cyberspace.

For all the hype, "cyberwar" has been a bush-league affair so far. Websites get defaced or taken offline, or an adversary's software gets logic-bombed into a malfunctioning mess. Analysts warn that future assaults could fry an electrical grid (if it's networked too well) or cause a military to lose contact with a piece of its remotely-controlled hardware. But that's about the extent of the damage. Only the Stuxnet worm may point to a huge innovation for cyberwar: the mass disablement of an enemy's most important strategic programs.

Stuxnet's origin is unknown. Attributing credit for Stuxnet is rightly the subject of geopolitical intrigue. As our sister blog Threat Level has exhaustively reported, the worm eats away at a very specific kind of industrial control system: a configuration of the Siemens-manufactured Supervisory Control and Data Acquisition (SCADA) system that commands the centrifuges enriching uranium for Iran's nuclear program, the key step for an Iranian bomb. But the Stuxnet whodunit may be solved: it appears to be a joint U.S.-Israeli collaboration – and a cyberwarfare milestone.

The New York Times doesn't have definitive proof, but it has fascinating circumstantial evidence, and Threat Level's Kim Zetter will publish more on Tuesday. In 2008, Siemens informed a major Energy Department laboratory of the weaknesses in its SCADA systems. Around that time, the heart of Israel's nuclear-weapons complex, Dimona, began experimenting on an industrial-sabotage protocol based on a model of the Iranian enrichment program. The Obama administration embraced an initiative begun by the Bush administration to "bore into [Iranian] computers" and disable the nuclear effort. Motive, meet opportunity. By late 2009, Stuxnet was popping up globally, including in Iran.

Iran denies that Stuxnet did any major damage to its nuclear program. But last week, the outgoing chief of Israel's Mossad spy agency publicly asserted that Iran wouldn't be capable of making a bomb before 2015, adding four years to a fearsome nuclear schedule. It's possible that's just ass-covering spin: for years, both Israel and the U.S. have repeatedly pushed back their estimates of when Iran would go nuclear. But both countries also have long track records of covertly sabotaging Iranian nuke efforts, whether it's getting scientists to defect or... other means. (Some scientists are getting killed in the streets by unknown assailants.) Stuxnet would be a new achievement for a long-running mission.

And what an achievement. The early stages of cyberwar have looked like a component effort in a broader campaign, as when Georgia's government websites mysteriously went offline during its 2008 shooting war with Russia. The Navy's information chief recently suggested that jamming capabilities will be increasingly important to Chinese military doctrine. The difference between that and Stuxnet is the difference between keying someone's car and blowing up her city.

With Stuxnet, there's no broader conventional assault, but an adversary's most important military asset gets compromised. The mission of an aerial bombardment of Iran would be to set Iran's nuclear program back; to at least some degree, Stuxnet has done precisely that. Only Stuxnet didn't kill anyone, and it didn't set off the destabilizing effect in the region that a bombing campaign was likely to reap.

In other words, Stuxnet may represent the so-called "high end" of cyberwarfare: a stealthy, stand-alone capability to knock an opponent's Queen off the board before more traditional military hostilities can kick in. It wouldn't be taking out a particular ship's radar system or even a command-and-control satellite. All of that could still happen. But this would be the first instance of cyberwarfare aimed at a truly strategic target.

That's not to say we're there yet, since we don't really know how many years of a non-nuclear Iran Stuxnet provided. But it is to say that we may be getting there. North Korea's uranium enrichment efforts have similar industrial control mechanisms, and if Stuxnet couldn't take them down, a son-of-Stuxnet might. And just consider what kinds of *other *major cyberwar programs are out there – the ones really hidden in secrecy, not like the winks-and-nods that U.S. and Israeli officials have given to their possible authorship of Stuxnet.

All this has major implications for U.S. military doctrine. There isn't any for cyberwarfare, for instance. The new U.S. Cyber Command describes its primary mission as protecting military networks from incoming assault, and says very little about what its offensive mission might be. Writing malicious code and transmitting it into enemy networks, up to and including nuclear controls, even in advance of conventional hostilities, could be CYBERCOM's next big step. It would represent an update to the old Air Force dream of strategic bombing (.pdf), in which bombing an enemy's critical infrastructure compels him to give up the fight.

That also points to the downside. Just as strategic bombing doesn't have a good track record of success, Stuxnet hasn't taken down the Iranian nuclear program. Doctrine-writers may be tempted to view cyberwar as an alternative to a shooting war, but the evidence to date doesn't suggest anything of the sort. Stuxnet just indicates that high-level cyberwarfare really is possible; it doesn't indicate that it's sufficient for achieving national objectives.

The Times has an irresistible quote from Ralph Langner, a German expert who decoded Stuxnet. Langner wrote that "Stuxnet is not about sending a message or proving a concept. It is about destroying its targets with utmost determination in military style." Maybe so. But that certainly does send a message. And if it doesn't exactly prove a concept, it points a way forward to just how powerful cyberwarfare can become.

Update, 3:15 p.m., January 17: Friend-of-the-blog Judah Grunstein, editor-in-chief of World Politics Review, sends along this typically thoughtful reaction:

What hasn't yet been mentioned in this discussion is the question of strategic uncertainty that this new era of cyberwar introduces. You obliquely suggested as much when you used a worm targeting nuclear weapons launch and guidance control systems as an example. Given Stuxnet's ability to cover its tracks, the variables it introduces into all computer-controlled systems are inherently "unknown unknowns." That means the very decision to launch must now include a much broader calculus of just what will happen once the launch is executed. There was always a "margin of error" calculus inherent to strategic nuclear launch, but Stuxnet has increased it to such an order of magnitude that it becomes a category difference. Before, we might have launched and missed Moscow. Today, we might launch and hit NY or Washington, or nothing at all. The Mutual Assured Destruction formula of nuclear deterrence is inoperative if the assured part is removed from the equation. Nuclear control systems are the most graphic illustration, but not the only one. Hopefully the folks in Tehran aren't the only ones worrying about the integrity of their control infrastructure, and what the implications of that essentially unanswerable question are.

Photo: Via Arms Control Wonk

See Also: