Gen. James Cartwright walks out after speaking on Capitol Hill

Gen. James Cartwright walks out after speaking on Capitol Hill Alex Brandon/AP

Loose Lips Sink Ships, But What About Cybersecurity Leaks?

The lessons from the Snowden and Stuxnet leaks. By Peter W. Singer and Ian Wallace

The national security establishment is outraged about a spate of intelligence leaks and the impact they are viewed as having on our national security.

When Edward Snowden, a Booz Allen contractor at the National Security Agency, leaked details of programs to collect telephone metadata and (under a program called PRISM) mass Internet data, Director of National Intelligence James Clapper said the leaks had caused “long-lasting and irreversible damage to U.S. national security.”

These leaks were then followed by NBC’s reports that former Vice Chairman of the Joint Chiefs of Staff Gen. James Cartwright is under investigation for alleged leaks about the so-called Operation Olympic Games, in which a computer worm famously known as Stuxnet  was used to attack the Iranian uranium enrichment program. Jane Harman, former Democratic congresswoman and House Intelligence Committee chairwoman, now CEO of the Wilson Center, said, "I think [the leak] had devastating consequences.”

Yet not all leaks are created equal. Taken together, these two leaks raise questions of how the United States uses -- and keeps secret -- its extraordinary and unrivaled cyberpower, and what the various disclosures of it means for national security. But what are their real short term and long-term impacts? And what does it all mean for the future of U.S. cyberpower?

The short-term operational implications are less than much of the heat and steam of quotes like the above would have you believe. The original disclosure of the U.S. role in Stuxnet was not published until last June, long after the computer worm had broken out into the wild, and been well-dissected by researchers beginning in July 2010. What the leaks did is confirm what most had already suspected -- including the target, Iran -- that the U.S. and its allies were behind the attacks.

Snowden has likely done more damage -- especially if he has divulged more than has already been in the press to his Chinese and Russian hosts. Nevertheless, it is unlikely that many foreign governments will be genuinely shocked to discover that this country is capable of spying on them. And while it is likely that terrorists will be even more cautious about how they use the Internet and cell phones, the very fact that Osama bin Laden had cut himself off from the Internet specifically to avoid detection demonstrates that al Qaeda’s most dangerous terrorists are not as naïve about the powers of modern surveillance as some of the exaggerated claims now would have it. Indeed the true value of the NSA’s capabilities lies in the fact that in the modern age it is difficult to completely avoid electronic communications and stay effective.

Instead, the more significant impact of both sets of disclosures is likely to be long-term. They might have a terrible weight, shining a light on the problem of not just how the U.S. uses its new advanced cyber capabilities but also when and when not to let the world know about it.

Snowden’s revelations have certainly affected President Obama’s standing with his liberal base and added to a bigger problem of suspicion of government -- both in key innovation hubs like Silicon Valley and in the wider public. But it is in the international business and political arena where they may cause the most problems.  All those metadata bytes vacuumed up will cost U.S. firms billions.

Whatever the truth about the level of collusion of U.S. companies with the PRISM program (most were actually compelled to give up information by law), perception creates its own reality. And the United States’ international rivals will not shrink from reinforcing that impression. Chinese companies like Huawei, who have consistently been accused of placing back-doors within their products, will delight in now pointing the finger right back at U.S. companies. Local firms will carry out whisper campaigns for why major contracts should not go to American firms. And now watching the scandal widen to Germany, the United Kingdom and Australia, the revelations also make it more difficult for elected officials in allied governments to cooperate with us on some of the thorniest tasks of intelligence, for fear of the ramifications down the road for their own political fortunes.

Similarly, the idea behind Stuxnet – using a specially designed cyber weapon to slow down Iranian nuclear research without being detected, in order to give the international community breathing space for sanctions and negotiations -- undoubtedly has an element of genius about it. But future historians may regard the leaking to take ownership of it to be the more significant event. The prior U.S. position on offensive cyber weapons is now thrown back in our face, as we are seen to be the first to develop and use them. Many in the private sector believe that the recent spate of Iranian-backed attacks on U.S. civilian networks is partly in retaliation for Stuxnet, as Iran tries to demonstrate that it too can act in this realm. In their minds, both those who launched the Stuxnet operation and those who deliberately leaked its existence to make sure the U.S. got the credit didn’t sufficiently consider the long-term impact on other realms, and indeed on the future of the Internet more widely.  

To be sure, both cases now appear most unhelpful to the U.S. and its allies’ ongoing struggle to maintain Internet freedom and open governance in the face of challenges from more control-minded states like China and Russia.

The challenge ahead, therefore, will be to recalibrate the risks and rewards of cyber operations and factor in terms of what history may later say about them. Sometimes leaks can have positive effects. There is a case to be made that the PRISM disclosures could have a scare factor for terrorists, driving them away from the technology networks they need to coordinate effectively. The revelations are certainly driving a conversation about privacy and metadata that was long overdue. In turn, the claiming of credit for Stuxnet could be argued to be the key first building block to building deterrence in cyberspace. Indeed, Cartwright made a telling statement to Reuters back in 2011: "We've got to step up the game…You can't have something that's a secret be a deterrent. Because if you don't know it's there, it doesn't scare you.”

That may be the way to weigh the ultimate impact of this spate of leaks.  How does the rest of the world respond in the game that will play out over the coming years, as cyber power, and the uses --and potential misuses-- of it become ever more important to national security?

NEXT STORY: Egypt vs. Syria