Last week, U.S. intel leaks made headlines after an article in the New York Times quoted numerous anonymous sources, including current and former U.S. officials, alleging that President Obama ordered the Stuxnet attack against Iran’s Natanz uranium enrichment facility. The story comes in the wake of a two-week period of national security leaks in the New York Times, including the disclosure of a disrupted plot by Al Qaeda’s Yemen affiliate to smuggle a bomb onto a U.S. flight, the Obama administration’s expansion of the drone program, and how the Obama administration determines the drone “kill list.” Investigation by the Department of Justice into the Stuxnet intel leaks has begun, while political finger-pointing has the U.S. asking whether the White House is in part responsible for the leaks and ignoring the potential international repercussions of the leaked information.
In the summer of 2010, a computer worm coined “Stuxnet” had the world’s leading cyber security experts up in arms as the self-replicating computer worm made its way through computers the world over. Although Stuxnet was designed to target Siemens industrial software and equipment (specifically the computer systems that run Iran’s main nuclear enrichment facilities), a bug in the coding allowed Stuxnet to escape onto the public internet. Overnight, the worm infected computers across the globe, from Europe to China. At the onset of the Stuxnet outbreak, cyber security experts narrowed the list of culprits down to a short list of state actors with the ability to develop such complex computer code – America, Israel, China and Russia. Russia and China were quickly eliminated, leaving America and Israel as possible suspects, alone or working in conjunction. Despite this short list of actors, U.S. involvement with the Stuxnet has been dismissed as mere accusation. Even in the wake of the New York Times story, the U.S. has not publicly taken responsibility for the Stuxnet attack or issued a denial as to the legitimacy of the leak providing U.S. involvement with the computer worm.
Rather than address the substance of the leaked information, authorities in Washington have launched investigations into the leaks. Taking over direction of existing investigations by the Federal Bureau of Investigation, the Department of Justice is conducting two separate but concurrent investigations into the sources of the leaked information. U.S. Attorneys Ronald Machen, Jr. of Washington, D.C., and Rod Rosenstein of Maryland are overseeing the investigation and have full authority to prosecute criminal violations discovered as a result of their investigations. While the White House denies providing classified information to New York Times reporter David Sanger, it has come under fire from both sides of the political divide. Senior lawmakers, including Senator John McCain, claim that White House officials authorized the leaks to boost public support of President Obama in an election year through highlighting his stance on national security, basing their allegations in large part on the fact that the level of detail in the accounts could only have come from senior officials in the White House.
In addition to dispute over the source and cause of the Stuxnet leak, the ongoing investigations have generated significant political uproar in both the House and Senate Intelligence Committees. The committees have joined together in calling for an outside probe of the leaks. Specifically, Republican members of the Senate Judiciary Committee have criticized the Attorney General appointing U.S. Attorneys to probe the leaks. Instead, they are calling for a special counsel to lead an independent investigation. After the Justice Department’s national security division recused itself from the investigation due to the possibility that the department might have been a source of some of the disclosures, questions about possible conflicts of interests have arisen as frontline prosecutors might be required to interview their own department heads and senior officials. In light of the conflict of interests involved with the investigations, the House and Senate Intelligence Committees have begun discussing new legislation that would curtail unauthorized disclosures by limiting the pool of people with access to classified information and providing inspectors general with far more investigative powers.
The outrage over the leaks and the ensuing investigations is more than just another bipartisan affair dividing the next election: attributing the Stuxnet attack on Iran to a nation, specifically the U.S., potentially sets a new precedent in the realm of warfare. Now that the accusations of U.S. responsibility in the Stuxnet attack are becoming more of a reality, the international community is confronted with the real possibility of cyber attacks being used in times of war. Furthermore, many political and legal scholars already consider Stuxnet, and other similar cyber attacks, the equivalent of an armed attack; for example, unleashing a worm to damage another nation’s nuclear reactor has the same results as if a missile were fired at the same nuclear facility. In both cases, the right to self-defense and the use of force would arguably be triggered. However, the law of armed conflict requires attribution to a state actor, which was a missing element in the case of Stuxnet. The leaks of U.S. involvement in Stuxnet, if not refuted, may lead to attribution to the U.S. for the attack. The consequences could lay grounds not only for Iran to retaliate in self-defense under the law of armed conflict, but also set a preceden allowing the use of cyber attacks. The cyber attacks have a propensity for harm and collateral damage in our increasingly internet-dependent societies. State infrastructure, such as Supervisory Control and Data Acquisition control systems, are intertwined with public networks and a cyber attack could very well shut down anything from a water pump to an electrical grid. With the potential for such damage to result by cyber attacks, our national leaders need to be more concerned with how to reign in this potential precedent, whether by providing evidence that the U.S. was not responsible for the Stuxnet attack or by examining how this form of weaponry fits into the law of armed conflict.