Not the 'Wild West': Talking Cyber Ops at Iran's Backdoor
The Blotter attends Black Hat cyber security conference in Abu Dhabi.
ABU DHABI </br> Dec. 6, 2012 — -- [Editor's Note: The original version of this story incorrectly identified Robert Clark as an operational attorney for the U.S. Cyber Command. He is an operational attorney for the U.S. Army Cyber Command. Also, the original report included the quoted word "revolutionary," but it was not clear that quote was meant to reference previous descriptions of the various cyber weapons and was not a reflection of Clark's remarks.]
Robert Clark, an attorney for U.S. Army Cyber Command, stood in a grand ballroom with gold flaked ceilings and sparkling chandeliers to address an audience that included men in flowing white robes and veiled women and tried to hammer home a single point: cyber warfare is not the "Wild West."
In an age where a new powerful cyber weapon is discovered every few months -- usually on computers in Iran -- Clark, who emphasized that he was speaking only in a personal capacity and not on behalf of the U.S. government, wanted to assure the relatively small gathering in the United Arab Emirates that legal considerations would be taken into account before cyber attacks are launched.
"Articles that talk about cyber warfare and [say] that rules of engagement aren't evolving as fast as [the cyber attacks], it's just not true," Clark said. "We have the law of armed conflict applying to any type conflict and it applies to cyberspace operations also... It's just not the Wild West out there."
For most of his presentation, Clark spoke in generalities about the legal aspects of American cyber capabilities because despite the months-old admission from U.S. Cyber Command chief Gen. Keith Alexander that the military is developing a "pro-active, agile cyber force," and the oft-cited New York Times report on America's role in developing Stuxnet, the devastating cyber weapon that hit an Iranian nuclear facility in late 2009, no current American officials have gone on record claiming responsibility for an offensive cyber attack.
However, emboldened by a government colleague's praise of Stuxnet earlier this year, Clark couldn't resist using it as a hypothetical example.
He said that before a weapon like Stuxnet would be launched, the same legal criteria would be considered as if it were a physical military attack. Is there an imminent threat from the target? Does it absolutely have to be taken out? Will the attack cause casualties or collateral damage that could and should be avoided?
Answering his own question about casualties, Clark echoed comments from colleague Air Force Col. Gary Brown when he noted the impressive restraint of the worm. Though Stuxnet was discovered on thousands of computers around the world in 2010, cyber researchers quickly realized that it was something of a smart bomb. It would spread harmlessly from computer to computer until it found itself on the exact system configuration -- a control system at an Iranian nuclear facility -- it was meant to target.
"Stuxnet," Clark said, "was a very discriminant weapon."
After Stuxnet was discovered and analyzed, Richard Clarke, a former White House counter-terrorism adviser and current ABC News consultant, said he thought that Stuxnet showed such care to limit collateral damage that it must have been developed with healthy input from anxious lawyers.
Robert Clark's presentation Wednesday was one of the first talks at the Black Hat security conference held at the opulent Emirate Palace Hotel in Abu Dhabi and though most of the presentations were highly technical, Clark wasn't the first and or the last to talk about the cyber struggle over Iran.