On the side of cyber defense, one emerging dynamic that must worry intelligence agencies is the international, crowd-sourced nature of technical analysis. Because data packets do not wear uniforms, computer network operations are more like covert action than traditional military operations — they are supposed to remain secret.
However, from the Cuckoo’s Egg to Stuxnet to the DNC hack, all cyberattacks share this mysterious quality: If they rise above a certain threshold of pain, curious scientists in disparate and previously disconnected laboratories will sacrifice a certain amount of sleep in order to find even one piece in a very large puzzle. And, as seen in "Zero Days," even a three-letter agency like the NSA (National Security Agency) appears to want to offer some juicy details, including the assertion that it was Israel, and not Fort Meade, who blew the operation.
The national security implications of Stuxnet are as controversial as ever. The technical nature of the topic, the "attribution problem" and over-classification give government hackers the space to do whatever they can get away with. But the laws of war dictate that militaries must operate within certain predefined parameters.
As a technical expert to the Tallinn Manual process, I believe that our understanding of a national security threat must evolve with technology. This is happening, but slowly. For example, no one is quite sure where the line is between cyber espionage and cyberattack. Once a hacker is in position to read an adversary's traffic, he or she can also manipulate it. Hence, the colocation of NSA and Cyber Command; the former has the technical capability to hack networks, while the latter has the authority to manipulate data.
We have already seen hints of self-imposed restrictions: Instead of compromising as many machines as possible, Stuxnet wanted to hack as few as possible. Further, one of the "kill dates" found in the code, Jan. 11, 2009, was just a week before the presidential inauguration of Barack Obama. Apparently, a legal team had decided that a presidential reauthorization of the operation was necessary.
"Zero Days" asks all of us to think harder about national security in the digital age, specifically from the standpoint of arms control and international norms. In the film, an alleged secret government source claims that Stuxnet was only a small part of "Nitro Zeus," a larger operation that could theoretically knock Iran right out of cyberspace. The right question to ask, then, is whether Iran (or more likely, Russia or China) could do the same to the U.S., and whether crossing the digital Rubicon with Stuxnet was worth it.
It is widely believed that Iran sent a message to the West in retaliatory cyberattacks on Saudi Aramco and Wall Street, thereby signaling that the U.S. does not have a monopoly on cyber weapons.
The U.S. has more strategic depth in cyberspace than all of the world’s dictators combined, but we still have a lot to lose. Our economies and democracies depend on critical infrastructure, which, in turn, depends on the proper functioning of the internet. This is why, for example, the Department of Homeland Security spent significant resources to protect the U.S. from ... guess what? Stuxnet.
And relative to international norms, a legitimate fear is that this operation set a bad precedent: The U.S. did it, so it must be OK.
As the Internet of Things expands all around us, the line between "cyberspace" and "physical space" will disappear. In "Zero Days," researchers demonstrated this in a laboratory by popping a balloon with a Stuxnet-infected computer. At NATO’s annual Locked Shields cyber defense exercise, we attached small fireworks to miniature factories.
Of course, the public will never understand all the technical aspects of Stuxnet, and there is nothing simple about the idea of cyber arms control. But just like Bush in the Situation Room, the public can see when something is physically destroyed. And by comparison, it should be simple to begin an international discussion on cyberwarfare in order to examine how we might limit the size of the cyber battlefield.
In my view, none of these issues raised in "Zero Days" is hyperbole, and this film is worth your time.
Kenneth Geers (PhD, CISSP) is a senior research scientist at Comodo, a global innovator and developer of cybersecurity solutions. He is also a NATO CCD COE (Cyber Centre) ambassador, a non-resident senior fellow at the Atlantic Council, an affiliate at the Digital Society Institute of Berlin, a visiting professor at Taras Shevchenko National University of Kyiv in Ukraine, and an accomplished author.