This month the news website The Intercept revealed a new National Security Agency document outlining the ongoing battle between Iran and the United States in cyberspace. The memo, dated from April 2013, was prepared for then N.S.A. director and head of U.S. Cyber Command General Keith B. Alexander and contains a number of talking points for the general’s interaction with the head of Britain’s Government Communications Headquarters (GCHQ) — the British equivalent to the American N.S.A.
Most importantly, the document outlines a cycle of escalating cyberattacks and counter-attacks, first initiated by the Israeli-American Stuxnet attack against Iranian computers:
“Iran continues to conduct distributed denial-of-service (DDOS) attacks against numerous U.S. financial institutions, and is currently in the third phase of a series of such attacks that began in August 2012. SIGINT [signals intelligence] indicates that these attacks are in retaliation to Western activities against Iran’s nuclear sector and that senior officials in the Iranian government are aware of these attacks.”
The memo also outlines what can only be described as a cyber-arms race between the two nations: “NSA expects Iran will continue this series of attacks, which it views as successful, while striving for increased effectiveness by adapting its tactics and techniques to circumvent victim mitigation attempts.”
Iranian hackers, the memo notes, have adapted quickly and learned from their adversary as illustrated by one spectacular attack:
“Iran’s destructive cyberattack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary. Iran, having been a victim of a similar cyberattack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.”
The N.S.A. document further emphasizes that the cyber conflict between the two countries is far from over and that the capabilities of both sides are ever expanding: “We continually update contingency plans to reflect the changes in both our access and Iran’s capabilities.”
After the publication of this document, The New York Times Editorial Board called for cyber arms control treaties. “The best way forward is to accelerate international efforts to negotiate limits on the cyberarms race, akin to the arms-control treaties of the Cold War. Barring that, there are few viable ways to bring these new weapons and their use under control,” the board cautions.
Yet given the easy proliferation of cyber weapons — although sophisticated cyberattacks such as Stuxnet require the backing of a nation state — a cyber-arms control treaty may be illusionary at this stage. Perhaps another idea may be worth considering.
Back in 2011, I was a member of a joint U.S.-Russian study group that produced a report entitled “Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace.” The report explored how to extend humanitarian principles that govern war to cyberspace. One of its recommendations was to create analogue markers in cyberspace — a digital Red Cross — that would designate a protected entity, and mark it off-limits from cyberattacks.
For example, digital records of hospitals could be designated as an off-limits entity protected by a digital Red Cross, as could civilian nuclear facilities. While this recommendation does not reduce the proliferation of ever more sophisticated cyber weapons, an international consensus on the creation of protected entities in cyberspace could at least reduce the unintentional consequences of cyber war.