Schrodinger’s War: Attacking and Not-Attacking Iran
by WILLIAM MERRIN
In 1984 two UK ‘hackers’, Stephen Gold and Robert Schifreen, gained access to the BT Prestel network, an interactive videotext system launched in 1979 that, hooked up to the TV and phone lines, could receive text and graphic data. Obtaining a username and password through a brute-force attack they spent time on the network, gained system manager level access and accessed subscriber areas, eventually revealing themselves by sending an email to the Prestel manager from the Duke of Edinburgh’s email account. They were identified and arrested in April 1985, but it was unclear what to charge them with as there was no relevant legislation. An attempt to charge them with fraud, for using false details to log-on, was initially successful, but overturned on appeal. It was the failure of this case that led the UK to introduce the Computer Misuse Act 1990 (CMA).
This was a beautifully short and simple act that, in three sections, essentially criminalised three things: unauthorised access to computer material, unauthorised access with the intent to commit another offence, and ‘unauthorised modification of computer material’. The latter was an attempt to solve the problem of what to charge hackers and users of malware and viruses with. Previously they’d been charged under the Criminal Damage Act 1971 as causing damage to ‘property’, which was defined in S.10 as ‘property of a tangible nature’. That had immediately led to a debate as to whether changing anything on a computer constituted changing ‘property of a tangible nature’, but early cases such as Cox v Riley (1986) established that altering the operation of a printed circuit did come under this definition. The case of R v Whiteley (1991), a hacker who erased data on a university network, followed the same logic, concluding that the 1971 act only required tangible property be damaged and not necessarily that the damage be tangible, hence even altering the magnetic particles on a disc constituted ‘damage’. S.3 of the CMA prohibiting ‘unauthorised modification’ was designed to simplify this and make changing anything on a computer a crime.
Within a few years, however, this section was deemed lacking. Early ‘mail bombs’ (overwhelming an email server) and, later, full DDOS attacks became popular forms of protest. Importantly, none of these modified a computer, they just prevented them from functioning. Hence the need for a review of the legislation, leading to the UK Police and Justice Act (2006), in force 1st October 2008, which rewrote S.3, replacing ‘unauthorised modification’ with ‘unauthorised acts with intent to impair’ the ‘operation of a computer’. This essentially criminalised any act that changed a computer or altered or interrupted its functioning.
So, how does this help us understand recent events regarding Trump and Iran? That’ll take some getting to, as we first need to review these events and US actions.
US-Iranian relations have deteriorated since May 2018, when the US left the 2015 deal with the Iranian authorities, intended to limit their nuclear programme. The heavy sanctions since imposed by the US have proved crippling to the Iranian economy and Iran’s response – designed to send a message regarding their ability to hurt the global economy and warn off America – has been a series of attacks on oil tankers. In the most recent, on 13th June 2019, Iran’s Islamic Revolutionary Guard Corps (IRGC) attacked two tankers in the Gulf of Oman, a strategic waterway crucial to global energy supplies. This already-volatile situation became even more serious on 20th July when Iran shot down a US $131.4m RQ-4A Global Hawk High-Altitude, Long Endurance (HALE) drone. Iran maintained it was shot down over Iranian airspace, giving the coordinates as ‘(25°59'43"N 57°02'25"E) near Kouh-e Mobarak’, whilst the US claimed the drone had been shot down in international airspace at a point about nine nautical miles southwest of that claimed by Iran. Even if we accept the US claims, we might ask whether they would have allowed an advanced military Iranian surveillance drone to freely operate in international airspace off their own coast? The answer to that question isn’t hard to guess.
America’s response was both to attack, and to not attack, Iran. Twice.
The first time was revealed on 21st June when Trump tweeted he had been about to strike Iran but had called off the military response: ‘We were cocked & loaded to retaliate last night on 3 different sights (sic) when I asked, how many will die. 150 people, sir, was the answer from a General’. Hence, Trump added, ‘10 minutes before the strike I stopped it’, as causing so many casualties would not have been ‘proportionate to shooting down an unmanned drone.’ At first it was unclear if the planes were actually in the air until Trump clarified they weren’t ‘but would have been pretty soon’. This seems accurate: plans had been made to strike Iranian radars and missile batteries and senior administration officials had been pushing for such action. Trump, however, had based his presidency on no-more-foreign-wars and may have been more influenced by Fox-host Tucker Carlson who warned him an Iranian war could cost him his re-election. (What times we live in, when a Fox commentator is the voice of reason and global peace…)
The result was an attack that didn’t happen. That showed a remarkable restraint from Trump, and even evidence of a desire to prevent a rapid escalation to full conflict. But the problem was that restraint wasn’t enough. It might be seen as a climb-down, or failure of nerve. Trump, the dick-waving, who’s-got-the-biggest-hands-? President (never better described than by Edward Luce, ‘as a kind of Ku Klux Kardashian, combining hard-right pugilism with the best of postmodern vaudeville’) still needed to publicly, globally, assert his military virility: he needed it to have been seen nearly-to-have-happened. Instead of a Baudrillardian ‘non-war’ that didn’t happen precisely because the real excess of war eliminated any contest, this was a non-war that kind-of-happened, even if it absolutely didn’t, simply because it could have happened, it nearly did happen, gosh it was so close, and it would have been a good attack, believe me, the best. It would have been fine. So fine. Twitter, social media, the internet, therefore, became the vector of a war that couldn’t be allowed not to take place: it had, at least to be announced, to be asserted, to be bragged about, with precise casualty-figures that the US can’t provide for the actual strikes it does carry out. It needed to take on an almost-reality, to land an imaginary victory, to eradicate the perceived humiliation of a US non-response.
Trump was always so influenced by Norman Vincent Peale’s 1952 self-help book The Power of Positive Thinking which believed in the power of the mind to overcome reality itself: As Peale said, ‘Any fact facing us, however difficult, even seemingly hopeless, is not so important as our attitude toward that fact’, hence, ‘A confident and optimistic thought pattern can modify or overcome the fact altogether.’ Trump, so used to asserting his will-as-reality, tried the same tactic here. This was, you have to understand, a strike that would have worked so well it would have been amazing, so amazing. So, if you think about it, it really was successful anyway – too successful in fact! And that’s why it had to be called off because of the number of people it would have killed. Like Schrodinger’s box, where reality exists in two states at once – where, if you don’t open it to see, the continued life and the death of the cat are both simultaneously the case – so this non-war/war simultaneously didn’t and did happen, in exactly the same space-time. It was, perhaps, a desperate political strategy of reputational recuperation on Trump’s part, but it was one the president had successfully pulled off before. Here, however, it was history itself Trump was gaslighting.
But then the Schrodingerisation of war went further.
Two days later it turned out the US had responded. On 22nd June it was reported by Yahoo News and The Washington Post that the US Cyber Command had already retaliated against the Iranian Revolutionary Guards on the day the drone was downed, launching a ‘retaliatory digital strike’ against their radars and missile batteries. So, the real, kinetic strike hadn’t taken place, but a digital, virtual cyberattack had.
This was the first offensive show of force since Cyber Command was elevated to a full combatant command in May. What exactly that cyberattack was hasn’t been officially confirmed. A Pentagon spokesperson for Cyber Command said, ‘as a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence or planning.’ Sources, however, suggested Trump approved cyberattacks on ‘Iranian computer systems used to control rocket and missile launches’. In effect, we can assume the attacks either took over these systems, removing Iranian control, or turned them off, or impaired their functioning in some way.
There has long been a debate as to what ‘cyberwar’ is, whether it counts as ‘war’, or whether ‘cyberattacks’ really count as ‘attacks’. Since proof-of-concept computer network exploitation (CNE) attacks with real-world effects and damage, such as Stuxnet in 2010, the attack on a German steel mill in 2015 and the 2015-16 attacks on Ukrainian power stations and energy supplies, the idea that ‘cyber’ constitutes a real field of attack has been more broadly accepted. But issues remain here, being widely-expressed, whether with nuance and insight, such as in Rid’s Cyberwar Will Not Take Place (2013), or more truculently, as in the response of one reviewer to a recent project of mine who was insistent that only kinetic, ‘traditional war’ counted (‘To put it bluntly – traditional military operations involve tanks, plans and bombs…’). With this in mind, it’s worth reflecting on what US Cyber Command did here.
Remember the opening discussion of UK computer misuse legislation? Obviously, it doesn’t apply anywhere outside of the UK (and even there it doesn’t apply to the government who, conveniently, later amended the legislation to legalize their own cyberwarfare and hacking operations). But what it does do well is show us that it is possible to have a bottom-line – to see that any act that alters data on a computer, changes its physical state (even at the microphysical level), or that stops, changes or impairs its functioning in any way, constitutes a real and significant act. Hence, to impair the functioning of radar and missile systems is, without a doubt, a significant action.
But that still leaves us wondering if it constitutes an ‘attack’? Philosophically, it may be better understood as an anti-attack, in preventing kinetic attacks (not only the Iranians’, but the US’s too). It’s the equivalent of perhaps hiding a boxer’s gloves before a match or stealing a soldier’s guns. That isn’t an attack, indeed, it’s closer to trolling. There is almost something amusing about being able to do this: maybe ‘we turned off your missile systems, LOL. U Mad Bro?’ to a dancing troll-face, or, perhaps Sean Bean declaring, ‘One does not simply bring down a $132m drone…’. It’s also, if we’re honest, not much of an attack as it’s such a small-scale thing to do. It’s not going to get the ‘traditional war’ proponents excited. No-one got hurt, nothing happened and even the equipment may not have suffered any effects. We’re talking of a few missile systems at a few ‘sights’, which barely compares to the (recently commemorated) D-Day landings. Only the geeks will fan-boy-squeal here.
Also, just as Iran’s shooting down of an unmanned drone rather than manned US aircraft in the region was an attempt to limit the possibility of escalation, so too the US’s choice of cyberattack rather than bombing was a deliberate choice to reduce the chance of real confrontation. Under Trump the US is becoming more comfortable using offensive cyberweapons, recognising their value as useful technological tools, and deploying them more aggressively. But, equally, they are also realizing that cyberweapons offer a new range of opportunities, in allowing a more nuanced approach to flashpoints, expanding the political and military toolkit, allowing more proportionate responses, and successfully projecting power whilst simultaneously deescalating conflict-situations and avoiding the need to deploy kinetic weaponry. Hence ‘cyberweapons’ (or rather, CNE) operates here as the opposite of war. All of this suggests that for all the global headlines on 22nd June about ‘cyber-strikes on Iran’s missile systems’ what this really meant militarily was far less significant than we might have thought: whatever ‘cyberwar’ may be, this wasn’t it and possibly it never would be.
Except, all of this evidence accumulated against ‘cyber’ being truly part of ‘war’ can also be reversed to reach another, very different conclusion – that cyber is one of several developments today that is so blurring the concept of war as to make it almost impossible to distinguish and delineate this sphere. Because what the headlines on the 22nd also had to admit was that these US ‘cyber-strikes’ were part of a much broader and ongoing phenomenon. The 2010 US-Israeli ‘Stuxnet’ attack on Iranian nuclear industry facilities was a significant moment. In response Iran created its own cyberwarfare unit which learned quickly, launching the Shamoon virus at Saudi Aramco in August 2012, attacking the US banking system that September and the Las Vegas Sands Corporation in February 2014. It has been equally busy since then, with recent months seeing a resurgence of Iranian activity. As The Washington Post reports:
Private-sector analysts have documented a gradual increase in cyber activity by Iran and its proxies targeting U.S. industry since 2014. It has often come in the form of spearphishing attempts seeking access to computer systems in the energy sector. ‘In the last year, the activity has sped up,’ said Robert M. Lee, co-founder of cybersecurity firm Dragos, who conducted cyber operations for the NSA and Cybercom from 2011 to 2015. ‘In the last six months, we saw another hike. And last week, we saw additional activity.’ ‘The reality is we’ve been seeing more and more aggressive activity for quite some time,’ he said. ‘It’s just getting worse.’
Chris Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, confirmed this, commenting on the 22nd that, ‘CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies … Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks’ (virus-based attacks designed to erase computers).
Commentators also noted that it has become standard operations for Iran to track who is going into and out of the Gulf, including all commercial shipping and all US and allied warships. A major way it does this is through cyber-operations, including hacking ship-tracking systems and also employing social media ‘honeypots’ to target US Navy sailors. Pretending to be attractive young women looking to connect with ‘lonely seamen’, agents would build relationships with US Navy personnel across social networking sites, to gather intelligence about deployments and ship movements.
But if Iran has been very busy, then so too have its enemies. When an Iranian official denied on the 22nd that any US attacks had been successful, he added as proof that ‘Last year we neutralized 33 million attacks with the [national] firewall’. Yes, 33 million… We may never know the extent of Iranian and US mutual CNE, or of the additional attacks by any other interested nation, non-government actor or individual, but what we can easily surmise is that CNE activities are ongoing, permanent, all-the-time and massive. Whether shutting off a missile system or impairing its functioning is an ‘attack’ or not, it is definitely a tiny but significant action, that takes its place within however many more, tiny significant actions, all seeking to delete, change, alter or impair systems, and all of these together constitute a reality that may add up to a significant threat and, indeed, ‘war’. Or, perhaps, with no beginning or end, no way to distinguish when ‘attacks’ start or finish, no way to completely separate and identify out individual ‘attacks’, and with an increasing blurring of computer-based activity and physical, real-world effects, more radically it is the concept of ‘war’ itself that dissolves here. ‘To put it bluntly’ (for those wedded to kinetic concepts and who enjoy things exploding), it’s time to look at what’s actually happening today, rather than the rear-view mirror of WWII. Perhaps if you want to understand war today you’d be better off reading computer science and media studies than military history (insert smiley emoji/troll-face).
Because this, as I suggest in my book Digital War, is an ‘ambient war’. The word ‘ambient’ comes from the French ambient and the earlier Latin ambientem, which is from the verb meaning ‘to go about’. By the late 16th century it had taken on its modern meaning in English which the OED lists as ‘lying round, surrounding, encircling, encompassing, environing’. Ambient, therefore, refers to that which is environmental, which encircles us, which we are immersed within. This is precisely what cyberwar, or CNE really is: it’s a permanent, background, mostly-invisible or ignored environmental reality against which everything else takes place. Hence, we can perhaps finally resolve these slightly-tiresome debates about the real status of cyberoperations by understanding them as a mode of Schrodinger’s war.
The Trump-ordered ‘cyber-strikes’ were ‘war’ and they were not ‘war’; they were ‘attacks’ and they were not ‘attacks’; they were ‘strikes’ and they were not ‘strikes’; they were escalatory, and they were not; they were military, and they were not; they were kinetic in changing physical systems, and they were not. Thus, all of those who want to definitively reject cyberoperations and CNE as ‘war’ are all perfectly correct; and equally all those who see them as war are too. In Schrodinger’s war, cyberwar is a mode of activity that exists as two separate, opposed, but simultaneously existing realities: it both is war and is not. It is everywhere, ongoing, and dangerous, physically threatening of critical infrastructure and all human life-systems and also nothing important, for no-one’s died yet and it’s irrelevant compared to a pistol, let alone a nuclear warhead.
Hence, if Trump’s aborted airstrikes were simultaneously not-a-war and announced to exist as a kind-of-war to try to appear as if something had really been done about the drone, a real response had actually been carried out the same day, though these cyber-strikes existed in a similar Schrodingerian space, as something that, depending on your point of view, was both a war and not-war.
But, to add an extra twist to this, even this wasn’t enough. The administration had to let us know it had carried out the ‘cyber-strikes’. And here another element of ‘ambient war’ becomes important.
Because another use of the term ‘ambient’ is in ‘ambient music’. The concept was coined by Brian Eno, who explained in his September 1978 liner-notes to Ambient 1: Music for Airports that ‘An ambience is defined as an atmosphere, or a surrounding influence: a tint’. He’d discovered the idea whilst recuperating after being hit by a car in 1975, being stuck in bed listening to a barely-audible album his old girlfriend had left on in the room. As he said, ‘This presented what was for me a new way of hearing music – as part of the ambience of the environment just as the colour of the light and sound of the rain were parts of the ambience.’ The ambience was something background, but it was also more than that, it was something one’s consciousness could focus on and also leave. As he said of Ambient 1: ‘I wanted to make something you can slip in and out of.’ This has become an essential element of the ambience of cyberwar.
Because Trump couldn’t let this ambient cyberactivity stay in the background. If the airstrike hadn’t happened, some kind of response had to be publicly promoted instead. Hence information about ‘cyber-strikes’ was leaked to the press and the ambient war, following Eno, was allowed to drift into full, public consciousness for a time. Suddenly, out of this stream of attacks and activities, an event was taken, pushed to the fore, given boundaries and explained as a ‘strike’. And in the process cyberwar achieves a meta level – that level that all cyber-commentators deal with. For, let’s be honest, all any of us know about ‘cyberwar’ is these moments that are picked out, that slip from the ambient national security operations into our consciousness. The ‘cyberwar’ we all discuss is merely a momentary fragment of a unitary whole – of that uninterrupted flow of operations that is war and is not war – that is suddenly split from the stream and promoted as a ‘cyberwar’ event (which we then debate as to whether it constitutes war or not).
So, what really happened here? Like I said, the US attacked and didn’t attack Iran, twice. The first time a non-attack had to be presented and announced as an almost-attack that was so certain and effective if it had happened that we should really consider it as having the same status as if it had occurred. The second time a real attack happened at the cyber-level, but many don’t think of this as an attack, plus what is the point of it as an attack if the public and the world don’t know about it, which means that for it to really happen, like the aerial attack that didn’t, it had to be announced.
And what was announced was Schrodinger’s war. It was a cyberattack (that wasn’t an ‘attack’), that was only one of an ambient reality of mutual cyberattacks (that aren’t really ‘attacks’), that had to be promoted as an ‘attack’ (though it wasn’t) to prove the US had responded, having had to call off their real attack (that, nevertheless, in being announced, with an identified number of casualties that would have occurred, was kind-of-an-attack, though it really wasn’t). It was an attack and it wasn’t, but in the multiple levels of announcement of an attack and non-attack that satisfied the demands of honour. This Schrodingerian box is the reality of all CNE operations today, and, we might add, of all Trumpian foreign policy. We exist in two realities simultaneously, and the outcome – the victory – is whatever the will wants to claim. And, as a final note, let us hope that this dual-reality might ultimately protect us from a world where the conflict resolves definitively down to one side.
And that cyberattack, you should have seen it, it was the best, it really was. And I’m not just saying that, it really did its job. It was a fine attack. These boys, the coders, they really knew what they were doing. And Iran. They nearly lost 150 people, but our boys stopped that. This was huge. It was a huge success. And I’m not just saying that. Really, it was, and I’m saying, and I have to say this, and you’ll hear me say it, that everyone’s talking about it, they really are. And we’ve got me to thank for that. I’ve seen it myself and Iran knows it too. And that’s why they need to understand. We’ll do it again if we have to. And I won. Believe me …