Politics with Marc Ambinder

Nov 19 2009, 7:00 am

Why the U.S. Won't Pull a Brazil--Yet

When "60 Minutes" reported that computer hackers had shut off the lights in some Brazilian cities, it raised the obvious question of who was behind the alleged attack. The answers aren't clear, but it is clear that many countries are developing the capabilities to attack their adversaries in cyberspace and to do massive damage to critical infrastructures like the electrical grid. The United States already has those capabilities.

In the current issue of National Journal, I tell the story of how the National Security Agency and the U.S. military in Iraq were able to use cyber attacks to penetrate the communications networks of insurgents and foreign fighters. It was a surgical strike, aimed at a discrete target. But it raises an obvious question: Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first.

To understand why, forget about the cyber dimension for a moment. Imagine that some foreign military had flown over a power substation in Brazil and dropped a bomb on it, depriving electricity to millions of people, as well as the places they work, the hospitals they visit, and the transportation they use. If there were no official armed conflict between Brazil and its attacker, the bombing would be illegal under international law. That's a pretty basic test. But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict. For starters, it could be considered disproportionate, particularly if Brazil hadn't launched any similar-sized offensive on its adversary. Shutting off electricity to whole cities can effectively paralyze them. And the bombing would clearly target non-combatants. The government uses electricity, yes, but so does the entire civilian population.

Now add the cyber dimension. If the effect of a hacker taking down the power grid is the same as a bomber--that is, knocking out electrical power--then the same rules apply. That essentially was the conclusion of a National Academies of Sciences report in April. The authors write, "During acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), cyber attack is governed by all the standard law of armed conflict. ...If the effects of a kinetic attack are such that the attack would be ruled out on such grounds, a cyber attack that would cause similar effects would also be ruled out."

The United States has never argued that the laws of armed conflict don't apply in cyberspace. Indeed, the military has operated under the assumption--based on experience--that cyber weapons can be so devastating that they must be used sparingly. According to a report in The Guardian, military planners refrained from launching a broad cyber attack against Serbia during the Kosovo conflict for fear of committing war crimes. The Pentagon theoretically had the power to "bring Serbia's financial systems to a halt" and to go after the personal accounts of Slobodan Milosevic, the newspaper reported. But when the NATO-led bombing campaign was in full force, the Defense Department's general counsel issued guidance on cyber war that said the law of (traditional) war applied.

The military ran into this same dilemma four years later, during preparations to invade Iraq in 2003. Planners considered whether to launch a massive attack on the Iraqi financial system in advance of the conventional strike. But they stopped short when they realized that the same networks used by Iraqi banks were also used by banks in France. Releasing a vicious computer virus into the system could potentially harm America's allies. Some planners also worried that the contagion could spread to the United States. It could have been the cyber equivalent of nuclear fallout.

The reported conclusions of Pentagon lawyers and planners find echoes in the Academies report: "The fact that an attack is carried out through the use of cyber weapons rather than kinetic weapons is far less significant than the effects that result from such use." That's the critical question facing the United States military as it stands up a new Cyber Command: What real world effect would hacking a power grid have? What disruption to civilian life would corrupting a bank's databases cause? The United States has apparently concluded that the repercussions would be profound, widespread, and unjust.

A year and a half ago, I asked the head of counterintelligence for the United States, Joel Brenner, what kinds of cyber attacks would qualify as acts of war. He'd clearly given the question some thought. If another nation took out a piece of our power grid, that would qualify, he said. No different than if they'd attacked it with explosives. 

In May, the current director of the National Security Agency, Lt. Gen. Keith Alexander, told a congressional panel that cyber attacks in Estonia and Georgia a few years ago, which knocked out public communications and disrupted banking, got close to the definition of cyber war. Alexander didn't say whether the United States would ever engage in such attacks. But it's hard to believe that he would think that's a good idea. Not unless we'd been attacked first, and in similar fashion. And if that had happened, the escalation from cyber war into real world war would be swift and devastating.

Comments (5)

Shane Harris writes: "But it raises an obvious question: Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first."

But of course the U.S. has already done this and similar things without having been attacked. One recent example: according to the Wikipedia article on the 1999 NATO bombing of Yugoslavia (in response to that government's actions in Kosovo), "Civilian installations such as power plants, water processing plants and the state-owned broadcaster were intentionally targeted."

Who the victors are defines what the crimes are. According to the Wiki article, the International Court of Justice refused to take up the war crimes complaint against NATO because "Yugoslavia was not a member of the UN during the war."

Dropping a bomb on a power station is clearly an act of war. But why is it a war crime? Infrastructure attacks are actually pretty common in war. The alternative is killing people.

If you're going to claim something is a violation of international law, at least have the courtesy to tell us which part of which treaty you are referring to.

A cyber attack won't have MADE IN CHINA or MADE IN NORTH KOREA stamped on the computer code. More likely, we will be unable to identify the national origin and degree of high-level complicity of the cyber attack with the certainty that would be required to justify a counterattack. A cyber attack might seem to originate in, say, Russia, but be a rogue operation and not the work of the Russian state.


The rationale to retaliate against such an attack would be inherently unclear. Cyber attack, computer viruses as we used to call them, would have to be dealt with on the same terms as germ warfare for the reasons Mr. MarkCaplan outlined. The origins could only be clear if someone stepped forward and deliberately claimed responsibility.