Since the Soviet Union became the second nation with nuclear weapons in 1949, American presidents have tried to answer a very difficult question: how can they keep other countries from getting nuclear weapons, and can that be done without going to war? Responses have varied across the decades and administrations, with treaties and test bans shaping the process. It turns out that early in the Obama administration, when it appeared inevitable Iran would complete a nuclear weapon, the administration devoted resources to crafting a cyber weapon to halt the process, and they gave it a name straight out of a bad movie: Nitro Zeus.
The revelations come from director Alex Gibney, who found evidence of the program while conducting research for Zero Days, a documentary about the tensions between Iran and Western countries prior to the nuclear deal that was negotiated last spring and entered into effect earlier this year. Zero Days was first shown today at the Berlin Film Festival. Several media outlets received advance materials from the film, including information from the trove of data that former NSA contractor Edward Snowden took with him when he fled the country.
Here’s how the New York Times describes Nitro Zeus:
The Times notes that the plan included “the effort to infuse Iran’s computer networks with ‘implants’ that could be used to monitor the country’s activities and, if ordered by Mr. Obama, to attack its infrastructure.”
From BuzzFeed News:
All of this describes a weapon built for an attack that stretches the very bounds of what counts as espionage and what counts as war. Much of what cyber deals with is infrastructure: the code and systems that power industrial projects, like power supply to nuclear reactors. We’ve already seen a similar practice in the works, with the Stuxnet computer worm created by the United States to target Iranian centrifuges used to enrich uranium.
Nations treat acts of espionage differently than acts of armed conflict, and cyber plays into both. Sophisticated attacks on computer systems can steal information, disable systems, and in the case of Stuxnet cause actual, physical damage. Where is the line between hacking and war? The rules of war, agreed-upon norms roughly followed by most nations, don’t yet have a clear answer, but we have something close.
The Tallinn Manual is a NATO-created body of legal scholarship that provides guidance, though no definitive answers, for how the law should treat hacking and cyberattacks related to war. In the fall of 2014, when former Speaker of the House Newt Gingrich claimed a North Korean online attack on Sony was an act of war, scholars consulted the manual and found that the attack didn’t meet the threshold for war.
To the best of our knowledge, Nitro Zeus has not yet been used, so we can’t examine an actual attack for context. Instead, the manual can indicate whether this is a shelved weapon or not. From the manual:
It appears Cyber Command, a military authority, put together Nitro Zeus, but even if it was just government workers employed by an intelligence service, like the NSA, or civilian contractors working for the government, using Nitro Zeus is probably, by this guidance, an act of war.
Digging deeper into the manual, we get to the actual definition of an attack:
Conducted by an armed force, or at least on behalf of a government, it appears Nitro Zeus would have met the tentative guidelines for an act of war.
There is some sense in the revelations about the program that the administration knew the implications of such an attack. The Times notes that presidential directives specify that “only the president can authorize an offensive cyberattack, just as the president must approve the use of nuclear weapons.”