Communications - June 2012

most computer scientists know, these are breaches of confidentiality—the legitimate owner still has the information, but someone else has it as well, someone who should not have it and who might be able to use it against the legitimate owner.

These acts are undeniably unfriendly—but do they amount to “acts of war”? Espionage is not traditionally regarded as a violation of international law—primarily because all nations do it. They do violate domestic law, which is why such acts are (properly) regarded as criminal acts—appropriate for investigation and prosecution by law-enforcement authorities.

But the fact that what we have mostly seen to date is cyber espionage should not blind us to the fact that the range of possibilities for something bad to happen to us is not at all limited to the loss of confidentiality for sensitive information. Computers manage electric power generation, airplanes, cars, heating and cooling systems, flood control gates, sewage systems, and so on. They are also central to a U.S. defense strategy that relies on having an information superiority on the battlefield that enormously increases the capabilities of existing forces.

A number of examples of actual cyber attacks—actions taken to destroy, disrupt, or degrade computers—are known publicly. It is alleged that in 1984, the U.S. modified software that

The attribution
of any kind of
cyber operation,
whether for attack
or exploitation, is
technically difficult.

was subsequently obtained by the Soviet Union in its efforts to obtain U.S. technology. Ostensibly designed to operate oil and gas pipelines, the Soviets used this software to operate a natural gas pipeline in Siberia. After a period in which all appeared normal, the software allegedly caused the machinery it controlled to operate outside its safety margins, at which point a large explosion occurred. 6 And, in 2010, the Stuxnet worm disrupted industrial control systems in the Iranian infrastructure for enriching uranium, apparently destroying centrifuges by ordering them to operate at unsafe speeds. 3

Compared to acts of espionage, such actions are closer to the boundary between peace and war because they achieved effects that could have been achieved through the use of tra-

senator John Rockefeller spoke before the senate homeland security Committee in february 2012 on the urgent need to pass comprehensive cybersecurity legislation.

ditional kinetic weaponry such as bombs. Do these acts amount to acts of war? To date, the international community has not made such a determination. But this fact does not suggest there is no possible cyber attack that would cross the line. Indeed, given the increasing dependence of much of an advanced nation’s critical infrastructure on computers for safe and efficient operation, the possibility of a catastrophic cyber attack on an advanced nation cannot be ruled out— widespread power outages affecting hundreds of millions of people, a hacked air traffic control system causing airplanes to crash, military forces unable to deploy, and so on.

Are any of these catastrophic scenarios likely? Much of the public debate about such matters makes it seem these scenarios are imminent and they are easy to do, for example, by some lone teenage hacker/terror-ist working in a basement in a far-off land. Nonsense. A long-lasting catastrophic effect on the U.S. through a cyber attack would be very difficult even for a major nation-state to achieve. Still, policymakers are paid to make contingency plans even for unlikely events—and the policy question is this: If a catastrophic cyber attack against the U.S. such as I have described did occur, should the U.S. regard it as an act of war? For some sufficiently high level of damage and destruction to the U.S., surely the answer is yes. The 9/11 terrorists committed crimes against the U.S.—but the international community supported the U.S. call for treating the events of 9/11 as an armed attack warranting a forceful military response.

What about attribution? What does an act of war mean if you cannot identify the responsible party? There is no question that the attribution of any kind of cyber operation, whether for attack or for exploitation, is technically difficult. If the particular techniques of any given operation have never before been seen, and if the perpetrator has concealed his tracks perfectly, and if no one else knows he is responsible for the operation, and if there are no circumstances to suggest he might be behind the operation, then attribution may well be impossible. And indeed all of these condi-