June 16, 2012

THE COMPUTER WORM known as Stuxnet was stealthy. It was able to inject malicious code into the devices controlling Iran’s uranium enrichment centrifuges and deceive the operators while quietly sabotaging the centrifuges. The intent was to slow Iran’s accumulation of highly enriched uranium, which could contribute to the making of a nuclear bomb.

Much has been learned about how Stuxnet functioned since it was first discovered more than two years ago by computer security experts. But the recent disclosure that Stuxnet was approved by both Presidents George W. Bush and Obama as a covert operation aimed at Iran sheds new light on a nascent U.S. offensive cyberweapons program that has largely existed in the shadows. Instead of forcing cyberweapons into deeper secrecy, the disclosure should prompt a more open and thorough policy debate about 21st-century threats and how they will be countered with American power.

The world is awash in hacking, espionage, theft and disruption. Nations are struggling to defend their networks, but also building offensive cyberprograms designed to function as free-standing weapons or as adjuncts to conventional kinetic warfare.

Stuxnet demonstrated that these weapons can be deployed to attack, although they also can be hard to deter and could invite retaliation that is nearly impossible to trace.

Secrecy in military and intelligence matters, including cyber, is vital to protect sources, methods and operations. But in a broader sense, the technology of cyberconflict has grown faster than policy. The Pentagon now describes cyberspace as a new domain on a par with land, sea, air and outer space, but the United States today has no overarching, open doctrine to govern an offensive cyberprogram, nor is there a healthy debate about what it should entail.

It is time to start that debate. Nuclear weapons policy was openly discussed during the Cold War, when the stakes were existential. The United States crafted a declaratory policy about the use of nuclear forces, which was public; an employment policy that included sensitive matters, which was largely secret; and an acquisition policy, which was some of both. Why not start by creating a declaratory policy for cyberforces?

The administration’s May 2011 International Strategy for Cyberspace pledged that the United States “will respond to hostile acts in cyberspace as we would to any other threat” and that “we reserve the right to use all necessary means.” This is a beginning but hardly enough. A fuller debate might broach such topics as: What are the conditions and thresholds for offensive cyberoperations? What are the rules of engagement? Where are the boundaries between espionage and offensive military operations? What is the chain of command?

President Obama said in his strategy document last year that the digital world “is a place where the norms of responsible, just, and peaceful conduct among states and peoples have begun to take hold.” Perhaps, but the digital universe is also spawning warriors, including those of the United States. An open debate would go a long way toward preparing the American people for what is certain to be decades of commitment and uncertainty in this new domain.
