By now, you've almost certainly heard of Stuxnet. The mysterious software being billed as the world's first "cyber superweapon" made headlines last month when it was determined to be the source of a major attack on Iran's nuclear facilities. By all accounts, the advanced code—which appears to have been built to target the industrial control systems of nuclear plants—has wreaked havoc on several of Iran's nuclear sites, and may even have delayed the launch of the Islamic Republic's showpiece reactor at Bushehr, despite official denials from Tehran.
Iran, however, appears to be just the beginning. Stuxnet is now said to have infected China's industrial system as well. Chinese computer experts estimate that some 6 million private computers and 100,000 corporate accounts in the PRC have been affected by the malicious software, and are bracing themselves for physical shutdowns of critical infrastructure and industry disruptions. Farther afield, India and Pakistan have also reportedly experienced infection by the worm.
"So far, so good," policymakers in Washington may be thinking. After all, America is not Stuxnet's primary target at the moment, and the complications now facing Iran (and perhaps even China) are welcome news to many. Still, the enduring lesson of Stuxnet—that cyberwar is here, and that it is evolving—is one that should be of profound concern to the United States.
America, after all, is deeply vulnerable to cyber attack. This point was hammered home by a simulation convened by the Washington-based Bipartisan Policy Center this spring. The drill, dubbed "Cyber Shockwave" and involving high-ranking former government officials in a day-long role-playing exercise, found that, after a decade-and-a-half of investments in infrastructure and electronic system protection, the country is still largely unprepared to handle a large-scale cyber attack.
Our enemies and strategic competitors understand this very well. In their seminal 1999 work, Unrestricted Warfare, Chinese colonels Qiao Liang and Wang Xiangsui outlined a new warfighting doctrine that would allow the PRC to exploit the weaknesses of opponents like the United States—including in cyberspace. Since then, a series of major Chinese cyber campaigns (including the infamous "Titan Rain" cyberespionage attacks that took place between 2003 and 2005) have targeted sensitive U.S. government facilities. Other countries—from Russia to Iran to North Korea—have also demonstrated increasingly mature cyberwarfare capabilities in recent years.
It's no wonder that American officials have been warning of the potential for a catastrophic cyber attack—an electronic "Pearl Harbor" of sorts—for most of the past decade. But what has Washington done about it, in practical terms? The answer is "not enough."
In 2003, the Bush administration issued an official National Strategy to Secure Cyberspace, based on the understanding that "the healthy functioning of cyberspace is essential to our economy and national security." But, as former National Security Council cyber czar Richard Clarke details in his new book, Cyber War, the previous administration's commitment to cybersecurity turned out to be more rhetorical than actual.
When it came into office, the Obama administration carried out a comprehensive cyber policy review of its own. That study, issued in May of last year, yielded twenty-four near- and medium-term priorities for bolstering national cybersecurity. Yet, a year-and-a-half on, the Government Accountability Office found that just two of these two dozen priorities had been fully implemented. A similar GAO study discovered that the Defense Department, the branch of U.S. government most heavily engaged on the cyber front, lacks a doctrine for dealing explicitly with cyber attacks against the U.S. or its deployed assets. American cybersecurity, in other words, is still very much a work in progress.
Which brings us back to Stuxnet. The worm now eating at Iran's nuclear program may be a qualitatively new weapon, but it is bound to spur copycats—and more likely sooner rather than later. As Melissa Hathaway, a former U.S. national cybersecurity coordinator, told the New York Times recently, "Proliferation is a real problem, and no country is prepared to deal with it… We have about 90 days to fix this before some hacker begins using it." The clock for America to get more serious about cybersecurity, in other words, is ticking.