Since President Barack Obama took office, the United States, along with Israel, has launched a series of cyber attacks that have damaged Iran's nuclear program, according to a June 1 story in The New York Times. These attacks are apparently the first time that the United States used a cyberweapon to damage another country's infrastructure, the Times writes.
But should another country launch a similar attack, experts say the United States remains woefully unprepared to defend itself.
James Lewis, a senior fellow at the Center for Strategic and International Studies, said the United Kingdom, Russia, China and Israel all have cyberweapons, while France, Germany, Iran and North Korea are trying to develop them.
"We're in a place where these weapons exist and people will use them," Lewis said.
However, the United States "does not really have any defense against this," he said. "We depend on the kindness of strangers that someone hasn’t launched something against us," said Lewis.
Last year, the Pentagon said that computer sabotage coming from another country can constitute "an act of war."
According to the Times, Obama accelerated covert cyber attacks against Iran that began during the Bush administration. One attack temporarily took out nearly 1,000 of the 5,000 centrifuges Iran used to purify uranium, slowing the country's ability to develop nuclear weapons, the Times reports, citing interviews with current and former U.S., European and Israeli officials involved in the cyber program.
Since these attacks by computer worm became public in 2010, security researchers have speculated that the United States and Israel were behind them, although neither country had publicly acknowledged its role. Cybersecurity experts have dubbed the worm Stuxnet and called it the most sophisticated cyberweapon ever created.
The confirmation that the United States was behind Stuxnet is another sign of the Obama administration's efforts to build up the country's offensive cyber capabilities. Earlier this week, the Washington Post reported on a Pentagon effort to develop new technologies to launch cyber attacks, including a plan to map the entirety of cyberspace and build a system that can launch cyberweapons without human operators typing in the code.
But experts say America's ability to defend itself in turn is lagging. The computers that ran Iran's nuclear centrifuges and were hacked by Stuxnet were made by the German company Siemens, whose industrial control systems are used around the world. In December, Siemens announced it was working to fix security flaws in those systems after the U.S. Department of Homeland Security warned that such flaws could make public utilities, hospitals and other critical infrastructure vulnerable to cyber attack, according to Reuters.
"We now live in a world where industrial control systems can be attacked in the event of a crisis. That goes for ours as well as everybody else's," warned Stewart Baker, a former assistant secretary at the Department of Homeland Security.
And yet, Baker said, "We do not have a serious plan for defending our industrial control systems even though our entire civil society depends on it."
Congress is considering legislation to bolster the cybersecurity of the nation's most vital computer networks. Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) have introduced a bill that would require power plants and other critical infrastructure to meet baseline security standards. The bill, which has the support of the Obama administration, is expected to receive a vote in coming weeks.
But Republicans and business lobbyists have opposed imposing cybersecurity regulations, saying they hurt private companies, which control the majority of critical infrastructure. Last month, the House passed a cybersecurity bill that did not set security standards, but instead focused on greater sharing of information between the public and private sectors.
Some experts saw irony in the news that the United States was behind Stuxnet. Jason Healey, director of cyber statecraft initiatives at the Atlantic Council, said some current and former government officials have cited Stuxnet as an example of why the federal government needs to impose security regulations on critical infrastructure.
"They've said, 'Look at this dangerous thing out there,'" noted Healey. "But we wrote it. We unleashed this thing. It's like an arsonist calling for a better fire code."
Healey said the United States must better secure its own cyber defenses before it launches more cyber attacks on other countries.
"I'm hearing a lot today about glass houses and stones," he said.