by Constantine von Hoffman

Cyber War is Upon Us–But Only One Side is Attacking

Opinion
Jan 23, 2013
4 mins
Security

Is a cyberwar really a war if only one side is fighting? The United States hit Iran's nuclear program with Stuxnet and followed up with Flame, the James Bond of spyware. But Iran's response is the equivalent of a few shots from a Nerf gun, according to CIO.com blogger Constantine von Hoffman.

There’s usually no confusion about when a “physical” war starts. Shells either fly or they don’t. Cyber wars, of course, have no such simple indicator. So while it sure looks like United States vs. Iran has been going on for a couple of years now, neither side will admit it.

The Iranians don’t want to fess up because they have yet to fire back with anything more than the equivalent of a digital Nerf gun. The United States doesn’t want to admit it because its opponents are so pathetic–despite ongoing efforts to make them look ferocious.

Our first shot was probably the release of the Flame spyware in 2007; this was followed by the release of Stuxnet (likely in 2009), which did a whole lot of damage to Iran’s uranium-enrichment capabilities. (This has been updated and corrected; please see note at end of post.)

What did the Iranians fire back with? A series of massive, on-going and ineffective DDoS attacks on American banks. This is a disproportionate response but not in the way military experts usually mean that phrase. It’s the equivalent of someone stealing your car and you throwing an ever-increasing number of eggs at his house in response.

“Whenever I’m asked whether this or that is an act of war my reply is: would it be in our interests to consider it an act of war,” Martin Libicki of the Rand Corp. told BankInfoSecurity. “Similarly, would it be in the United States’ interests to consider itself at cyber war with Iran? Could we convince others that our perception is reality? Would they reply that, with Stuxnet, the United States fired first? Indeed the damage from Stuxnet was far in excess of whatever disruption these bank DDoS hackers have done to the United States.”

It’s fascinating that Iran hasn’t done anything more despite the fact that U.S. critical infrastructure currently has the defensive posture of a dog waiting for a belly rub. Keep that in mind the next time you hear that a “cyber Pearl Harbor” is imminent.

Nonetheless we keep being told that the Iranians are the biggest biker gang on the information superhighway. Gen. William Shelton, who heads the Air Force’s operations in both real and cyber space, says the Iranians “are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States.”

Potential capabilities and potential threats? Well, that certainly sounds like a potential problem. Actually it sounds a bit like someone trying to make a teraflop of terror out of a byte-sized threat. *

He isn’t the only one in the government exaggerating this threat either. ProPublica reported yesterday that a widely cited Defense Department study claiming Iran’s Intelligence Ministry constitutes “a terror and assassination force 30,000 strong” has been “pulled for revisions.” It seems there’s no proof whatsoever that the 30,000 number wasn’t pulled out of thin air.

* Or he could be saying something else entirely. Gen. Shelton’s comments are more than a little on the inscrutable side. “Cyber Command is in the midst of determining how they are going to operate across all the geographic combatant commands as well as internal to the United States,” Shelton told journalists, “and it looks like we will be tapped for well over 1,000 additional people into the cyber business.” I hope his commands are clearer than his comments.

CORRECTION: An earlier version of this post said the U.S. hadn’t acknowledged ownership of Stuxnet even though President Obama had done that. It also said that Stuxnet predated Flame. My apologies for the mistakes and my thanks to the readers at Slashdot for calling me on them.