Had the Iranian government not signed onto the international agreement limiting its nuclear program, the US had a cyber attack locked and loaded as a response. Theverge.com said, “The plan was codenamed Nitro Zeus, and if it had ever been deployed, it would have taken down parts of Iran’s civilian infrastructure, including its power grid, phone lines, and air defenses. The plan cost tens of millions of dollars to design and involved the placement of electronic implants in Iranian computer networks, in case it were ever decided to be implemented.” It seems like value for money.
One must first point out that this was a contingency plan and that the US military has a countless number of such plans. When something bad happens, one wants the president to be able to ask the Joint Chiefs of Staff for options and not hear “We’ll have to get back to you on that one, sir.” There are plans for everything imaginable no matter how ridiculous (e.g., defense of the US should Canada attack).
Detailed in the documentary “Zero Days,” which opens today at the Berlin Film Festival, Nitro Zeus (finally a codename that isn’t pure proganda like “Enduring Freedom”) was something new. The New York Times stated, “While cyberoperations have long been contemplated in other war scenarios, Nitro Zeus ‘took it to a new level,’ one participant said. Yet the planners warned that depending on how the conflict unfolded, there could be significant effects on civilians, particularly if the United States had to cut vast swaths of the country’s electrical grid and communications networks.”
At the same time, a narrower plan was hatched to sabotage the Fordo enrichment site much as the Stuxnet virus attack that damaged and partially disabled the Nantaz site a few years ago. This would not have affected civilians much if at all, and Iran’s ability to take yellow-cake and turn it into something useful in a power plant or a bomb would have been crippled.
From a legal standpoint, such an attack either on Iranian civilian targets like its electrical grid or on a uranium enrichment site probably counts as an act of war. International law is still somewhat fuzzy on cyberspace and its relationship to territoriality, the law of nations and the laws of war. However, if one knocks out a rival’s electrical grid with a bomb, that’s clearly an act of war. It is hard to argue that doing the same thing without an explosive is much different. It remains a hostile act.
However, international politics always overrides international law if expediency demands it. Presuming Iran had not agreed to the limits, tighter sanctions might have been possible but not certain. Russia and China were never that strong in demanding Iran forego its nuke program, so the P5+1 (UN Security Council permanent members plus Germany) wasn’t going to be a monolith in this. The US needed a way to raise the stakes without committing troops.
As the Stuxnet attack showed, a cyber offensive can be highly effective without actually leaving much in the way of hard evidence as to who launched the attack. How does one respond? This has been a headache for America for a long time with Chinese, Russian and other hackers. Are they representatives of a state or just gangsters? Where are they? Exactly who are they? In this instance, these issues would work to the advantage of the US.
Above all, “tens of millions” when it comes to military spending in the US is a rounding error. In fiscal 2015, the Pentagon spent just under $600 billion. When viewed from that perspective, a cyber option not only has the advantage of achieving one’s goals without going to war, but also it is vastly less expensive than cruise missiles fired from a carrier fleet or delivered by billion dollar stealth air squadrons.