Cyberwar hits Ukraine

By Peter Bergen and Tim Maurer

updated 10:09 AM EST, Fri March 7, 2014

Is Iran behind new cyberwar threats?

STORY HIGHLIGHTS

• Ukrainian officials say phone services of members of parliament were targeted
• Authors: Cyberattack was also reported before Russian invasion of Georgia in 2008
• They say attacks are easier than conventional warfare but can provoke counterattacks
• Bergen, Maurer: U.S. had a lead in cyberwarfare but that is likely to ebb

Editor's note: Peter Bergen is CNN's national security analyst, a director at the New America Foundation and the author of "Manhunt: The Ten-Year Search for bin Laden -- From 9/11 to Abbottabad." Tim Maurer is a research fellow at New America focusing on cyberspace and international affairs. (CNN) -- Ukrainian security officials are complaining that unknown attackers are interfering with the mobile phone services of members of Ukraine's parliament, making difficult political decisions about what to do about Russia's incursion last week into Crimea that much harder. The head of Ukraine's security service said on Tuesday, "I confirm that an IP-telephonic attack is underway on mobile phones of members of Ukrainian parliament for the second day in row." This is reminiscent of the Distributed Denial of Service (DDoS) attacks on Georgia that preceded Russia's invasion of the country in August 2008. The attacks shut down several websites of Georgia's government including the president's. While the Kremlin denied any involvement, Georgian officials accused Russia of being behind the attacks. Of course, just as some states have exploited offensive cyber capabilities for their own purposes, so too has the United States. Cyberattacks are double-edged swords. Compared to mounting a conventional war they cost little in terms of blood and treasure. However, in the long run they may have larger unintended consequences if more and more nation states and even private groups use cyberwarfare capabilities. The Stuxnet malware that was discovered in 2010 showed the potential of cyberattacks. The joint U.S.-Israeli operation demonstrated how the nuclear enrichment facility of Natanz in Iran could be effectively disrupted using a cyberattack that interfered with Iranian centrifuges' capacity to enrich uranium.

 The level of sophistication of the malware was unprecedented and affected the facility even though it was "air gapped" -- disconnected -- from the public Internet.

Last month came the news that Obama national security officials have debated since 2011 whether to target Bashar al-Assad's regime in Syria with cyberattacks. The upside: No American boots on the ground and some potentially significant harm could be done to al-Assad's military capabilities. The downside: What about unknown risks? Might such attacks embolden Syrian allies like Iran and Russia to launch cyber-counterattacks against targets in the U.S.? The Stuxnet attack on Iran was not an isolated event. A January report by the Center for Strategic and International Studies points out that Iran "is the likely source of a recent series of incidents aimed at Gulf energy companies, American banks, and Israel. The most important involved a major disruption involving the destruction of data on computers used by (oil giant) Saudi Aramco...." The Syrian Electronic Army, a group that supports the al-Assad regime, showed the potential to undermine trust in the financial system when it hacked The Associated Press's Twitter account last year to falsely report an attack on the White House, which caused the Dow Jones to drop by 150 points. While technically not comparable to Stuxnet and its effect was only temporary -- the White House quickly refuted the reporting -- it nevertheless demonstrates the existence of a tool for shadowy organizations to influence events that did not exist before. These recent incidents underscore both the scope and the significant differences among cyberthreats: -- The actions by the Syrian Electronic Army did not cause a physical effect; they changed data and the content of The Associated Press's reporting. -- The disruption at Saudi Aramco was due to the destruction of computer data, but it did not cause a physical effect either. --Stuxnet, on the other hand, had a physical impact making Iranian uranium enrichment centrifuges spin at a rate they were not supposed to. The DDoS attacks that appear to be happening in Ukraine right now, and the type of cyberattack that the U.S. launched against Iran that could at some point happen in some other form against Syria, raise significant moral and legal issues. In many ways the cyberwarfare issue is akin to the issue of the use of armed drones, which greatly reduce the number of deaths that would result from a conventional armed conflict. Whoever launches a drone attack or a cyberattack pays no costs of the kind that would typically take place on a conventional battlefield. You can't shoot down a drone pilot or kill a computer technician launching some kind of cyberattack thousands of miles from the intended target. For this reason drones and cyber capabilities can also make conflict more likely as the barriers to entry to engage in either drone warfare or cyberconflict are so low. Moreover, there is a risk that the use of drones or cyber capabilities can escalate into a conventional armed conflict. Similarly to the case of armed drones, the United States has had a large lead in its ability to mount effective offensive cyberattacks, but that advantage is unlikely to last. And since the United States is the only superpower and among the most technologically advanced (as well as most vulnerable), it must lead by example and harden cybersecurity at home and contribute to international agreements to govern the use of these powerful new tools. These tools that will only get more powerful as the world becomes more connected and ever-more dependent on computers.