most computer scientists know, these
are breaches of confidentiality—the
legitimate owner still has the information, but someone else has it as well,
someone who should not have it and
who might be able to use it against the
legitimate owner.
These acts are undeniably unfriendly—but do they amount to “acts
of war”? Espionage is not traditionally
regarded as a violation of international
law—primarily because all nations do
it. They do violate domestic law, which
is why such acts are (properly) regarded as criminal acts—appropriate for
investigation and prosecution by law-enforcement authorities.
But the fact that what we have
mostly seen to date is cyber espionage
should not blind us to the fact that the
range of possibilities for something
bad to happen to us is not at all limited
to the loss of confidentiality for sensitive information. Computers manage
electric power generation, airplanes,
cars, heating and cooling systems,
flood control gates, sewage systems,
and so on. They are also central to a
U.S. defense strategy that relies on having an information superiority on the
battlefield that enormously increases
the capabilities of existing forces.
A number of examples of actual cyber attacks—actions taken to destroy,
disrupt, or degrade computers—are
known publicly. It is alleged that in
1984, the U.S. modified software that
was subsequently obtained by the Soviet Union in its efforts to obtain U.S.
technology. The software was ostensibly designed to operate oil and gas pipelines, and the Soviets
used it to operate a natural
gas pipeline in Siberia. After a period
in which all appeared normal, the software allegedly caused the machinery it
controlled to operate outside its safety
margins, at which point a large explosion occurred.[6]
And, in 2010, the Stuxnet worm disrupted industrial control
systems in the Iranian infrastructure
for enriching uranium, apparently destroying centrifuges by ordering them
to operate at unsafe speeds.[3]
[Photo: Senator John Rockefeller spoke before the Senate Homeland Security Committee in February 2012 on the urgent need to pass comprehensive cybersecurity legislation.]
Compared to acts of espionage,
such actions are closer to the boundary between peace and war because
they achieved effects that could have
been achieved through the use of traditional kinetic weaponry such as
bombs. Do these acts amount to acts
of war? To date, the international community has not made such a determination. But this fact does not suggest
there is no possible cyber attack that
would cross the line. Indeed, given
the increasing dependence of much
of an advanced nation’s critical infrastructure on computers for safe and
efficient operation, the possibility of
a catastrophic cyber attack on an advanced nation cannot be ruled out—
widespread power outages affecting
hundreds of millions of people, a
hacked air traffic control system causing airplanes to crash, military forces
unable to deploy, and so on.
Are any of these catastrophic scenarios likely? Much of the public
debate about such matters makes it
seem these scenarios are imminent
and they are easy to do, for example,
by some lone teenage hacker/terrorist working in a basement in a far-off
land. Nonsense. A long-lasting catastrophic effect on the U.S. through
a cyber attack would be very difficult even for a major nation-state to
achieve. Still, policymakers are paid
to make contingency plans even for
unlikely events—and the policy question is this: If a catastrophic cyber attack against the U.S. such as I have
described did occur, should the U.S.
regard it as an act of war? For some sufficiently high level of damage and destruction to the U.S., surely the answer
is yes. The 9/11 terrorists committed
crimes against the U.S.—but the international community supported the
U.S. call for treating the events of 9/11
as an armed attack warranting a forceful military response.
What about attribution? What
does an act of war mean if you cannot
identify the responsible party? There
is no question that the attribution of
any kind of cyber operation, whether
for attack or for exploitation, is technically difficult. If the particular techniques of any given operation have
never before been seen, and if the perpetrator has concealed his tracks perfectly, and if no one else knows he is
responsible for the operation, and if
there are no circumstances to suggest
he might be behind the operation,
then attribution may well be impossible. And indeed all of these condi-
Photograph courtesy of John D. (Jay) Rockefeller IV