Since the Soviet Union became the second nation with nuclear weapons in 1949, American presidents have tried to answer a very difficult question: how can they keep other countries from getting nuclear weapons, and can that be done without going to war? Responses have varied across the decades and administrations, with treaties and test bans shaping the process. It turns out that early in the Obama administration, when it appeared inevitable Iran would complete a nuclear weapon, the administration devoted resources to crafting a cyber weapon to halt the process, and they gave it a name straight out of a bad movie: Nitro Zeus.
The revelations come from director Alex Gibney, who found evidence of the program while conducting research for Zero Days, a documentary about the tensions between Iran and Western countries prior to the nuclear deal negotiated last spring, and which entered into effect earlier this year. Zero Days was first shown today at the Berlin Film Festival. Several media outlets received advance materials from the film, including information from the trove of data that former NSA contractor Edward Snowden took with him when he fled the country.
Here’s how the New York Times describes Nitro Zeus:
The plan, codenamed Nitro Zeus, was devised to disable Iran’s air defenses, communications systems and crucial parts of its power grid, and was shelved, at least for the foreseeable future, after the nuclear deal struck between Iran and six other nations last summer was fulfilled.
The Times notes that the plan included “the effort to infuse Iran’s computer networks with 'implants' that could be used to monitor the country’s activities and, if ordered by Mr. Obama, to attack its infrastructure.”
From BuzzFeed News:
The film’s sources said NITRO ZEUS involved hundreds of personnel over several years, and cost “hundreds of millions” of dollars — building programs ready to “disrupt, degrade, and destroy” Iranian infrastructure with code intended to leave no direct clues as to who was responsible for the attacks.
NITRO ZEUS was not just some theoretical battle plan, Gibney reports. Operatives had already gained access to all the relevant systems to execute the attacks if the order was given, and checked back on a near-nightly basis to ensure all the access points were still live and operational, and that the attack code wouldn’t interfere with any other code on the systems, to reduce the risk of discovery — or accidental triggering. The number of implants in Iranian targets was reportedly in the hundreds of thousands.
All of this describes a weapon built for an attack that stretches the very bounds of what counts as espionage and what counts as war. Much of what cyber deals with is infrastructure: the code and systems that power industrial projects, like power supply to nuclear reactors. We’ve already seen a similar practice in the works, with the Stuxnet computer worm created by the United States to target Iranian centrifuges used to enrich uranium.
Nations treat acts of espionage differently than acts of armed conflict, and cyber plays into both. Sophisticated attacks on computer systems can steal information, disable systems, and in the case of Stuxnet cause actual, physical damage. Where is the line between hacking and war? The rules of war, agreed-upon norms roughly followed by most nations, don’t yet have a clear answer, but we have something close.
The Tallinn Manual is a NATO-created body of legal scholarship that provides guidance, though no definitive answers, for how the law should treat hacking and cyberattacks related to war. In the fall of 2014, when former Speaker of the House Newt Gingrich claimed a North Korean online attack on Sony was an act of war, scholars consulted the manual and found that the attack didn’t meet the threshold for war.
To the best of our knowledge, Nitro Zeus has not yet been used, so we can’t examine an actual attack for context. Instead, the manual can indicate whether this is a shelved weapon or not. From the manual:
An action qualifying as a ‘use of force’ need not necessarily be undertaken by a State’s armed forces. For example, it is clear that a cyber operation that would qualify as a ‘use of force’ if conducted by the armed forces would equally be a ‘use of force’ if undertaken by a State’s intelligence agencies or by a private contractor whose conduct is attributable to the State based upon the law of State responsibility.
It appears Cyber Command, a military authority, put together Nitro Zeus, but even if it was just government workers employed by an intelligence service, like the NSA, or civilian contractors working for the government, using Nitro Zeus is probably, by this guidance, an act of war.
Digging deeper into the manual, we get to the actual definition of an attack:
A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.
Conducted by an armed force, or at least on behalf of a government, it appears Nitro Zeus would have met the tentative guidelines for an act of war.
There is some sense in the revelations about the program that the administration knew the implications of such an attack. The Times notes that presidential directives specify that “only the president can authorize an offensive cyberattack, just as the president must approve the use of nuclear weapons.”