The New York Times story this morning in which U.S. officials admitted having carried on a campaign of espionage and sabotage against Iran using the Stuxnet, Duqu and other malware is a victory for investigative journalism.
Writer David Sanger, from whose upcoming book the story was taken, spent 18 months interviewing officials in the U.S., Israel and various European countries to confirm who built, launched and controlled the Stuxnet, Duqu and (probably) Flame malware that have damaged or stolen secrets from Iran for as long as five years.
That the U.S. has the ability to play such an aggressive role is a victory for geeks, nerds and spies over the Pentagon's repeated, ham-handed efforts to address cyberwarfare mainly by redefining it and re-assigning it to someone else.
That the effort actually worked – significantly slowing Iran's uranium enrichment via Stuxnet, then stealing secret data for years via Duqu and, probably, Flame – is a victory for U.S. intelligence in general, which has been deservedly vilified for a series of missed cues and blunders usually laid at the feet of the CIA ( missing or misinterpreting evidence of the upcoming 9/11 terrorist attacks, weapons of mass destruction in Iraq, misunderestimating the potential for long-term insurgency from the defeated Iraqi military, not knowing North Korea was building a nuclear reactor for Syria, missing the Iran/Venezuelan cyberplot to attack U.S. nuclear facilities, not to mention 10 years of trying to locate Osama Bin Laden and failing).
Cyberwar is less bloody, not less messy
That's not to say the NSA, cyberwar or cyberespionage will be any more effective or, in the long run, any more accurate in helping shape U.S. foreign policy than good old-fashioned human intelligence and political analysis.
They are likely – almost certain – to become the go-to solution to a whole range of problems prudence dictates should not be solved with air strikes or visits from teams of SEALs.
Cyberwar creates a completely new set of combative, destructive alternatives that don't require military power or a willingness to redistribute blood and body parts.
It gives small countries a way to confront large countries. It gives pro- and anti- forces on opposite sides of any seriously divisive social issue an option for direct action that doesn't involve murder or insurrection. It provides a third way – other than sanctions-and-spying or air-raids-and-killing – for the U.N or other international diplomatic bodies to respond to international conflicts.
That may reduce the number of conflicts between governments that degenerate into open or covert warfare.
It may also increase the level of violence by reducing the moral barrier between arguing and fighting, allowing countries or partisan groups to intensify a fight without actually fighting, but justifying the use of force in the minds of their hacked-off opponents.
Either way the legitimization of cyberweapons and cyberattacks will change the dynamics of conflict – between nations, among ethnic populations, political groups, corporations or, potentially, overachieving but antagonistic dens of Cub Scouts.
Having a less-than-lethal option for leaders whose non-lethal options run out fairly quickly should only be a good thing, in the same way giving Tasers to police should have had only a positive effect on law enforcement in the U.S.
More options ≠ better choices
Rather than simply allowing individual cops to replace shootings with Tasings didn't make it easier to enforce laws, subdue bad guys or convince idiots to stop being idiots. It also didn't eliminate the tendency of police who abuse their power by making it harder to decide to shoot. It made many more aggressive because inflicting pain on others often gets you what they want – other people to shut up when you tell them to – without having to kill anyone and answer lots of awkward questions afterward.
Not all cops respond that way, but some do. The jerks, mainly.
National leaders can be jerks, too. The ability to hack a country that pissed you off in some way is one many national leaders won't be able to resist. In Syria, Egypt, Libya and other countries subject to Arab Spring or other popular-liberation movements, one of the most common responses during the past 12 months has been to attack the opposition's ability to use the Internet as a way to communicate with members or pontificate to the world at large. That didn't eliminate the beatings, extrajudicial executions or, in Syria, at least, the temptation to pacify rebellious townships by parking tanks in residential areas and having them open fire at random.
Cyberweapons, like any other weapon, tool or plush toy animal, will be viewed and used in different ways by almost everyone with the option of using them at all.
It's possible most will view and use cyberweapons – both those designed to gather information and those designed to destroy someone else's – as an alternative to violence.
In the long run, it's more likely to simply increase the volatility of conflict in general, extending those that have gone on too long already or introducing faux violence to a confrontation as a precursor to the real thing.
I'd like to say I'm optimistic about the former rather than the latter.
What I expect is that people will handle cyber weapons just as badly as they do the other kinds.
Those who escalate a conflict from talking to TALKING VERY LOUDLY will continue to do so, using cyberweapons to embarrass opponents, spy out their plans and try to dox them into submission.
Those who think it's reasonable to escalate from talking to shooting will use cyberweapons as a way to get to the "shooting" a little quicker, without as much chance of return fire.
Either way what we end up with is a lot more violence and chaos in the virtual world without any real change in the amount of either in the real one, which only probes even change that is inevitable isn't necessarily good.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.