The present, predominant view that Weapons of Mass Destruction (WMD) is confined to Chemical, Biological, Radiological, Nuclear, and High Yield Explosives (CBRNE) only is now passé. Many people do not even include the “E”. This is far too narrow a view!

Clearly our enemies, extremists in the main, but also rogue states, continue to seek the full gamut of Chem, Bio, Rad, Nuke, and HYE devices. They have few if any scruples that would deter them from deploying such devices against any vulnerable target – Gov’t, Military, or civilian, including complete innocents. One imagines that using such a terror-producing device against the most innocent of targets would actually be a more desirable outcome for many of these groups.

This view is daunting enough, but as noted above, today it is too narrow to cover the true scope of the issue. At least two other categories must be included in the pantheon of WMD. These are cyber weapons and economic warfare. Some may baulk at this widening. Obviously, ALL chem, bio, rad, and nuke devices are considered a WMD, regardless of size and affected area. HYE are more subjective. How big does an explosive device have to be before it becomes HYE and therefore WMD? One imagines that the old saw about pornography would apply: “I know it when I see it.”

Similarly, not every piece of malware should be considered WMD. In fact, most would not be. Frankly, most are not, and should not be, considered weapons at all. We have trouble today determining what constitutes a cyber attack without a great deal of debate. If anything, we probably overuse the term “cyber attack” for instances that are really only info gathering probes and cyber espionage.

There are, however, certain types of cyber events that will constitute a WMD. We have seen that closed loop, air gapped (i.e., not on the Internet) systems can be penetrated, as was done with the Stuxnet worm. That means we must consider any industrial control system to be a potential target. This is the sort of cyber event that would most likely rise to the level of a WMD. One can imagine the elegance (for a terrorist or rogue state) of hitting the “enter” button on one continent and having all the valves in a chemical plant next to an American city open simultaneously. We would suddenly have a “Bhopal, India-like” disaster that kills a multitude. What if Stuxnet had caused the Iranian centrifuges to rip themselves apart instead of just degrading their performance? It would not have been too difficult.

Those who say there is no such thing as cyber terrorism are blind to how terrorists think and have little appreciation for their level of imagination. Additionally, cyber can be used to augment other more “conventional” terrorist events to make them more effective, or to enhance the effect of the terror. Hacking a major city’s 911 system to redirect first responders away from real incidents and to ambushes would devastate the confidence of citizens and cripple those whose job it is to help those in need.

The same type of argument can be made for economic warfare. Not every embargo is a WMD, but taking actions to ruin a people’s ability to function in an economy (devaluing their currency, flooding a market with much cheaper products, etc.), or other actions that bankrupt or starve a people should be considered to have crossed the line into the realm of WMDs. They may use cyber means (corrupt or change the data of a national bank), chemical means (introducing agents that make a factory area unusable), biological means (spraying crops with agents that kill them or make them inedible), or radiological means (setting off a dirty bomb anywhere on Manhattan Island, causing financial and other businesses there to leave NYC forever – considered by many to be NYC’s biggest terrorist concern, by the way).

Our leaders should look at these high-end cyber and economic warfare issues because the enemy will surely consider their use. We should go from “CBRNE” to “CBRNE-CE”.

There may be considerable overlap between the various parts of this construct. Cyber may be used to augment and enhance any of the other methods, as would Economic Warfare. Multiple device / methodology scenarios are limited only by one’s imagination, and are more likely than unitary ones.

Frankly, highly effective Chem, Bio and Nuke devices are hard to make. Quite often they are as dangerous to their makers as they are to the intended targets. Dirty bombs are much easier to create and deploy but are far less destructive, if just as fear producing. The components needed to create all of these genres of weapons are being watched, monitored and reported on by the civilized nations of the world. It is really hard to move this stuff around without setting off “flags” everywhere. This is not so with cyber means and the potential economic warfare methods.

These methods have no one watching out for proliferation or dual use, and they do not take a large number of people or a huge set of industrial facilities to develop them. They need highly qualified people, but not many, and those cyber ninjas and economic gurus exist in every country in the world. They can do the analysis, targeting and operational planning that will lead to enormously devastating effects, and many will be manifested in the physical realm.

As we close more and more doors to our easily accessible physical targets, the enemies of this Nation will adapt and look elsewhere.

If we choose to leave cyber and economic warfare outside the intellectual category of WMDs, our enemies will not. Again, we need to embrace CBRNE-CE.

Dr. Steven Bucci is director of the Allison Center for Foreign Policy Studies at The Heritage Foundation. He was previously a lead consultant to IBM on cyber security policy. Bucci’s military and government service make him a recognized expert in the interagency process and defense of U.S. interests, particularly with regard to critical infrastructure and what he calls the productive interplay of government and the private sector.