There is a well-defined script to the State of the Union. It is typically filled with vague and platitudinous statements about the strengths of the nation and the challenges the country faces, culminating in an outline of policies the administration will pursue as it courageously rises to the occasion. To acknowledge the lack of its literary merit and its labored attempt at mass appeal is not to confuse it for being a vapid performance. The President proposes substantive policies—even if the details usually leave something to be desired.
President Obama’s State of the Union last night towed a similar line, draping itself in the cozy image of the American family while sketching various policies required to uphold this ideal. Economic insecurity and national security threats, in this hackneyed script, always affect the most sympathy-inducing and vulnerable of us, usually children or the disabled. The formulaic presentation aside there were more than a few pronouncements in the State of the Union worth pausing over. Consider the following section on cyber threats:
We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.
By now it has become established wisdom in Washington that cyber-attacks are an increasing threat to the country. In October 2012 then Secretary of Defense Leon Panetta warned that the U.S. could face a “cyber-Pearl Harbor” and was “increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government.” A year later the FBI director James Comey testified to the Senate Homeland Security and Government Affairs committee that “cyber-attacks were likely to eclipse terrorism as a domestic danger over the next decade.” More worryingly a survey of technology experts by Pew Internet and American Life Project in October 2014 revealed that more than 60% of the experts believed a major cyber-attack will take place in the next decade—large enough to cause “significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.”
For the government, then, it seems there are few doubts that cyber-attacks are a clear danger to the country. The Obama administration has long been preparing for the possibility of such attacks. In 2011 the Pentagon, in its first formal cyber strategy, concluded that “computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” A military official told the Wall Street Journal, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.” A year later the State Department’s top lawyer, Harold Koh, reiterated the same point. According to a New York Times report the Pentagon’s classified rules for cyber warfare were updated for the first time in seven years just two years ago, resulting in an interagency “playbook for cyber.”
Obama’s comments in his State of the Union convey the impression that the United States seeks merely to protect itself in cyberspace. This is only fair. No administration would present itself to the American people as the aggressor and the Obama administration has long cultivated itself as reluctant to take military action. In his first major speech on cyber policy last year Defense Secretary Chuck Hagel was careful to stress this point, remarking that the government “does not seek to militarize cyberspace.” The military’s first purpose, he continued, is “to prevent and de-escalate conflict.”
This carefully cultivated image, however, suffers from one minor problem: it happens to not be true. Not only has the Obama administration developed offensive capabilities in cyberspace it has also taken the next step and deployed them.
U.S. development of what David Sanger—the chief Washington correspondent for the New York Times—calls “offensive cyberweapons” was first initiated by George W. Bush. In his book Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, Sanger writes of the “cyberwar against Iran” which “goes back to 2006.” The plan, jointly developed with Israel, was to introduce a bug into Iranian nuclear centrifuges and subsequently “spinning the centrifuges to enormous speeds” or “slamming on their brakes” to destroy them. After taking office the Obama administration ordered “a detailed review of all of Bush’s old findings on Iran and the authorizations for covert action” and, after some amendments, largely continued the program.
The program, however, soon ran into major trouble. Narrowly programmed to target centrifuges in the Natanz nuclear facility in Iran, random copies of Stuxnet—as the bug came to be known—were soon found “floating around the globe.” The program had been transferred into the laptop of a controller at Natanz and, as one government official put it, “began to think of the Internet as its little, private network.” President Obama and Vice-President Joe Biden, according to Sanger’s account, apparently “had to be persuaded that the virus would not hurt anything beyond its intended target.” Obama had reportedly always been wary of Stuxnet’s implications, wondering about potential collateral damage or some “unanticipated harm to civilians.” Now the bug and its blueprint were freely available to technology enthusiasts around the world.
As for Iran, Sanger concludes in his book, “there is no reason to believe America’s cyber wars have ceased. Iran remains the number one target.” Whether or not Iran is still a target as it engages in diplomatic talks with the United States is an open question.
While last night’s State of the Union may have contained a bold vision of protecting “our children’s information” by combating the “evolving threat of cyber-attacks”—through policies privacy groups are not too enamored with—the truth remains that the United States has already attacked a sovereign state in cyberspace, something its own State Department, the Pentagon, and independent legal experts consider a potential act of war. The President portrayed cyber threats as a matter of protecting American lives, intelligence, and infrastructure but the threat may instead be the United States itself.