OECD Says The U.S. Doesn’t Get Cyberwarfare, Stuxnet Suggests Otherwise


Have governments got cyberwarfare all wrong? A new study argues that the United States and United Kingdom have never figured out a proper definition of cyberwar and that a “true cyber war” will never happen.

But it’s not all good news: In order to prevent a combination of cyberwarfare, conventional war and other disasters from causing future, the scholars behind the project argue that an internet equivalent of the Nuclear Non-Proliferation Treaty is needed to protect against worms, distributed denial of service (DDoS) attacks and hackers.The study was written for the Organisation for Economic Cooperation and Development by Peter Sommer of the London School of Economics and Ian Brown of Oxford University. In it, Brown and Sommer claim that governments — including the United States — have been too quick to label a wide assortment of criminal behaviors, espionage activities and economic skirmishes as “cyberwarfare.” But while genuine cyberwarfare does exist, the study finds that there is relatively little risk of Stuxnet-like worms being used due to the difficulty involved in crafting them.

But there is bad news. Sommer and Brown argue that embedded malware and DDoS attacks are likely to be used in future cyberwarfare by both governmental and non-governmental actors.

And this cyberwarfare threat also extends to third parties. According to Jillian York of Harvard University’s Berkman Center for Internet & Society, which just published a report on DDoS attacks against human rights groups, “DDoS attacks — as well as other types of attacks and intrusions — on human rights sites and independent media are becoming increasingly common. As a result, such sites — which frequently lack skilled personnel and/or funding — are often effectively silenced as a result of these attacks, because they become a liability to their hosting providers.”

A recent New York Times article on Stuxnet — a worm that infected Iranian nuclear facilities and damaged centrifuges — alleged that the infamous worm was a joint American-Israeli cyberwarfare project. A simultaneous investigation by Wired indicates that the worm had its origins in al Qaeda attempts to explore security flaws in U.S. infrastructure and the American response — which was both to identify the security holes and try to hack a system themselves.

However, there are those who doubt that America was behind Stuxnet or that cyberwarfare isn’t that big a concern for the country. Jeffrey Carr, a security consultant and the author of Inside Cyber Warfare (and a noted skeptic of the Israeli-American Stuxnet theory), told TPM that the OECD study was “very light and didn’t do justice to their ambition.” Carr also criticized what he saw as a lack of attention to threats to power grids and the potential applications of complexity and chaos theory to cyberwar analysis.

OECD’s report is part of a series called “Future Global Shocks” that examines threats such as a collapse of the global financial system, large-scale pandemics and worldwide weather change.