The United States, ‘Olympic Games’ and the future of offensive cyber operations

“Olympic Games” is the code name for a covert cybersecurity operation that started in 2006 and that, in 2010, managed to temporarily damage Iranian centrifuges at the Natanz facility by accelerating the speed of its uranium-enriching paddles, causing them to crash or break. The cyberattacks remain unacknowledged by the alleged perpetrators, the United States and Israel. The goal of the operation was to get access to the nuclear facility’s computers, to invade the devices that control the centrifuges and, finally, to destroy them. The work was allegedly carried out by the U.S.’ National Security Agency (NSA) and Israel’s Unit 8200, its military cyber operation. The United States had been building its cyber capabilities for years, especially after General James Cartwright was promoted to head of the US Strategic Command in 2004. Operation “Olympic Games”, if successful, would be the first significant use of this weapon by the United States. Discerning the extent to which the U.S. achieved its goals through the “Olympic Games” operation is useful; we must, however, also examine its unintended consequences.

Now, what was the objective of the operation “Olympic Games”? In his book The Perfect Weapon: War, Sabotage and Fear in the Cyber Age, David Sanger – chief Washington correspondent for the New York Times, a lecturer at Harvard University and national security coverage expert – outlines two goals that the United States pursued through this covert attack. First, it was intended to slow the Iranian efforts at nuclearization and force them to the negotiation table. Second, it was meant to dissuade Prime Minister Benjamin Netanyahu of Israel from bombing Iran’s nuclear facilities (Sanger, 2018). The attack, although it was started during the Bush years, fell into the lap of an Obama administration deeply concerned with Israel’s intentions. An Israeli bombing of Iranian nuclear facilities would have started a regional war between Iran and Israel, destabilizing a region in which the United States is already struggling to maintain its influence and reputation. Despite how far-fetched the possibility of Israel destroying the Natanz facility can seem, Netanyahu sees Iranian nuclearization as an existential threat to Israel. Moreover, Israel had already followed through with the promise of destroying Iraqi and Syrian facilities (Sanger, 2018).

Thus, Obama found Netanyahu’s threat credible. Operation “Olympic Games” was the path that the United States found most appropriate given the circumstances, as it would enable Israel to cripple Iranian nuclear facilities without starting an unwanted armed conflict – again, the main concern. With this understanding, Obama’s expansion of “Olympic Games” through the offensive at Natanz with the “Stuxnet” virus was useful. However, it is unclear to what extent “Olympic Games” was effective in convincing Iran to increase its efforts of denuclearization, the other goal of the Obama administration. Although the cyber offence angered Iranian authorities, it also slowed down their nuclear program, which arguably gave time for the Obama administration to negotiate a successful deal: The Joint Comprehensive Plan of Action, reached in 2015 by the P5+1 and Iran. Even though this deal is now in demise due to Donald Trump’s capricious withdrawal from the treaty, the JCPoA was an important landmark of the Obama administration and a step towards Western cooperation with Iran.

The operation “Olympic Games” was helpful in achieving its national security objectives in the short term. However, this operation yielded unintended consequences that the United States had not foreseen and that pose a threat for national security and the use of cyber operations. First, with “Olympic Games”, the U.S. put a target on its back. A couple of months after the operation, the worm used in the attack, “Stuxnet”, unexpectedly got out of the Natanz facility through a former worker, who connected his laptop to another network that the bug spread to in the summer of 2010. It had been first introduced in the Natanz facility, which was not connected to the Internet in any way, by an Iranian engineer recruited by a Dutch agency, according to Kim Zetter and Huib Modderkolk (Zetter & Modderkolk, 2019). After its release from the Iranian nuclear facility, the worm appeared in Russia, Iran, India and North Korea, among others. Suddenly, countries and hackers around the world all had a copy of the worm. Although it wasn’t initially traced back to the United States, subsequent investigations in 2011 would uncover information linking the U.S. to the worm and the Natanz facilities: Pandora’s box had been opened. With operation “Olympic Games”, the United States demonstrated that it could significantly harm another country’s security arrangements. In addition, the film Zero Days, directed by Alex Gibney and premiering in 2016, not only explored in-depth the “Stuxnet” worm attack but also uncovered the U.S. program “Nitro Zeus”. “Nitro Zeus” is a cyber weapon project that was developed with the purpose of controlling Iran’s command systems, disabling their air defences and shutting down their power, communications and financial systems in case of war (Szoldra, 2016). Although this plan was tabled, the damage it envisaged was much more extensive than the setback that “Olympic Games” implied for the Iranian nuclear program: it could have damaged core Iranian infrastructure.
Although the United States will neither confirm nor deny its role in the planning and carrying out of cyber operations against Iran, the rest of the world knows it is behind them and is thus aware of the U.S.’ abilities. For example, Russia and China have accused it numerous times of cyber espionage, as well as of theft (Beaumont & Hopkins, 2012).

As of now, all countries are discovering the potential that cyber weapons entail. They are cheap to develop yet can inflict a great amount of harm: a new “arms race” may be on its way. States cannot afford to have their rivals be able to reach and harm their infrastructures and weapons. The precedent that Israel and the United States set, destroying nuclear facilities through cyberwarfare, is very dangerous. The aftermath of the “Olympic Games” program and the uncovering of “Nitro Zeus” should force the United States to review its current (lack of) regulation of cyberwarfare. The recognition of the use of cyberweapons by the U.S. must come before any attempt at international codification – after all, how can anyone attempt to regulate a weapon if its possession and use remain unacknowledged?

Relevant regulation regarding cybersecurity has already been developed in the domestic law of important world players: the Russian Federal Law on Security of Critical Russian Information Infrastructure of 2018, the Chinese Cybersecurity Law of 2016, the U.S.’ Cybersecurity National Security Action Plan of 2016, the Israeli Cyber Security Strategy of 2015 and the EU Cybersecurity Act of 2019 (Kipker, 2019). The latter is the first international attempt at regulating cybersecurity and aims at strengthening the preparedness of EU member states for these attacks, increasing citizen awareness on cybersecurity issues and avoiding fragmentation across the EU. Nevertheless, it does not come even close to trying to codify the development and use of cyberweapons. It also only covers the European region.

In conclusion, cyber weapons, now that their development is impending, could prove very attractive. They could be used as a coercive tool, more powerful than sanctions but not as destructive as a nuclear weapon, to expand states’ choices and back up diplomacy (Sanger, 2018). Although the operation “Olympic Games” was successful in preventing an Israeli bombing of Iranian nuclear facilities, its long-term unintended consequences make it necessary for the United States to recognize its possession and use of cyberweapons. Next, international actors should step up and regulate the development and use of cyberweapons in the international arena before they get out of hand and cause serious harm.

Written by Cecilia Cavero Sánchez

About the Author: Cecilia is a student currently pursuing a double B.A. in International Studies and Political Science at the Universidad Carlos III de Madrid. She studied abroad at the University of California, Berkeley and at Maastricht University, where she developed a profound interest in the field of international and human security. She co-founded and coordinates the online publication about international politics PRISMA UC3M. 

Sources:

Beaumont, P., & Hopkins, N. (2012, June 1). US was “key player in cyber-attacks on Iran’s nuclear programme.” The Guardian. http://www.theguardian.com/world/2012/jun/01/obama-sped-up-cyberattack-iran

Kipker, D.-K. (2019, October 17). International Regulation of Cybersecurity.

Sanger, D. E. (2018). The Perfect Weapon: War, Sabotage and Fear in the Cyber Age (1st ed.). Broadway Books.

Szoldra, P. (2016, July 6). The US could have destroyed Iran’s entire infrastructure without dropping a single bomb. Business Insider. https://www.businessinsider.com/nitro-zeus-iran-infrastructure-2016-7

Zetter, K., & Modderkolk, H. (2019, September 12). Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran. Yahoo News. https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html
