Gen. James Cartwright walks out after speaking on Capitol Hill Alex Brandon/AP

Loose Lips Sink Ships, But What About Cybersecurity Leaks?

The lessons from the Snowden and Stuxnet leaks.

By Peter W. Singer and Ian Wallace

The national security establishment is outraged about a spate of intelligence leaks and the impact they are viewed as having on our national security.

When Edward Snowden, a Booz Allen contractor at the National Security Agency, leaked details of programs to collect telephone metadata and (under a program called PRISM) mass Internet data, Director of National Intelligence James Clapper said the leaks had caused “long-lasting and irreversible damage to U.S. national security.”

These leaks were then followed by NBC’s reports that former Vice Chairman of the Joint Chiefs of Staff Gen. James Cartwright is under investigation for alleged leaks about the so-called Operation Olympic Games, in which a computer worm famously known as Stuxnet was used to attack the Iranian uranium enrichment program. Jane Harman, former Democratic congresswoman and House Intelligence Committee chairwoman, now CEO of the Wilson Center, said, “I think [the leak] had devastating consequences.”

Yet not all leaks are created equal. Taken together, these two leaks raise questions of how the United States uses -- and keeps secret -- its extraordinary and unrivaled cyberpower, and what the various disclosures of it mean for national security. But what are their real short-term and long-term impacts? And what does it all mean for the future of U.S. cyberpower?

The short-term operational implications are less than much of the heat and steam of quotes like the above would have you believe. The original disclosure of the U.S. role in Stuxnet was not published until last June, long after the computer worm had broken out into the wild, and been well-dissected by researchers beginning in July 2010. What the leaks did is confirm what most had already suspected -- including the target, Iran -- that the U.S. and its allies were behind the attacks.

Snowden has likely done more damage -- especially if he has divulged more than has already been in the press to his Chinese and Russian hosts. Nevertheless, it is unlikely that many foreign governments will be genuinely shocked to discover that this country is capable of spying on them. And while it is likely that terrorists will be even more cautious about how they use the Internet and cell phones, the very fact that Osama bin Laden had cut himself off from the Internet specifically to avoid detection demonstrates that al Qaeda’s most dangerous terrorists are not as naïve about the powers of modern surveillance as some of the exaggerated claims now would have it. Indeed the true value of the NSA’s capabilities lies in the fact that in the modern age it is difficult to completely avoid electronic communications and stay effective.

Instead, the more significant impact of both sets of disclosures is likely to be long-term. They might have a terrible weight, shining a light on the problem of not just how the U.S. uses its new advanced cyber capabilities but also when and when not to let the world know about it.

Snowden’s revelations have certainly affected President Obama’s standing with his liberal base and added to a bigger problem of suspicion of government -- both in key innovation hubs like Silicon Valley and in the wider public. But it is in the international business and political arena where they may cause the most problems. All those metadata bytes vacuumed up will cost U.S. firms billions.

Whatever the truth about the level of collusion of U.S. companies with the PRISM program (most were actually compelled to give up information by law), perception creates its own reality. And the United States’ international rivals will not shrink from reinforcing that impression. Chinese companies like Huawei, who have consistently been accused of placing back-doors within their products, will delight in now pointing the finger right back at U.S. companies. Local firms will carry out whisper campaigns for why major contracts should not go to American firms. And now watching the scandal widen to Germany, the United Kingdom and Australia, the revelations also make it more difficult for elected officials in allied governments to cooperate with us on some of the thorniest tasks of intelligence, for fear of the ramifications down the road for their own political fortunes.

Similarly, the idea behind Stuxnet -- using a specially designed cyber weapon to slow down Iranian nuclear research without being detected, in order to give the international community breathing space for sanctions and negotiations -- undoubtedly has an element of genius about it. But future historians may regard the leak that took ownership of it as the more significant event. The prior U.S. position on offensive cyber weapons is now thrown back in our face, as we are seen to be the first to develop and use them. Many in the private sector believe that the recent spate of Iranian-backed attacks on U.S. civilian networks is partly in retaliation for Stuxnet, as Iran tries to demonstrate that it too can act in this realm. In their minds, both those who launched the Stuxnet operation and those who deliberately leaked its existence to make sure the U.S. got the credit didn’t sufficiently consider the long-term impact on other realms, and indeed on the future of the Internet more widely.

To be sure, both cases now appear most unhelpful to the U.S. and its allies’ ongoing struggle to maintain Internet freedom and open governance in the face of challenges from more control-minded states like China and Russia.

The challenge ahead, therefore, will be to recalibrate the risks and rewards of cyber operations and factor in what history may later say about them. Sometimes leaks can have positive effects. There is a case to be made that the PRISM disclosures could have a scare factor for terrorists, driving them away from the technology networks they need to coordinate effectively. The revelations are certainly driving a conversation about privacy and metadata that was long overdue. In turn, the claiming of credit for Stuxnet could be argued to be the key first building block to building deterrence in cyberspace. Indeed, Cartwright made a telling statement to Reuters back in 2011: “We’ve got to step up the game… You can’t have something that’s a secret be a deterrent. Because if you don’t know it’s there, it doesn’t scare you.”

That may be the way to weigh the ultimate impact of this spate of leaks. How does the rest of the world respond in the game that will play out over the coming years, as cyber power, and the uses -- and potential misuses -- of it become ever more important to national security?
