In the spring of 2007, Russian computer experts hacked into Estonia’s government computer networks, blocked them from functioning, and brought the Estonian government to a standstill.
On August 8, 2008, Russian tanks invaded the disputed South Ossetia region between Russia and Georgia, a former Soviet satellite state. One day before the tanks rolled in, Russian cyber attacks defaced Georgian government websites and then made what are called “distributed denial of service” attacks, which effectively blocked the use of the computers by overwhelming the computer servers with a volume of traffic too great for them to handle and causing them to cease functioning. Russian cyberwarriors also managed to hack into Georgian servers to plant malicious software. “Malware,” as computer security experts call it, modifies a computer’s software to either prevent it from functioning or to revise its functions to benefit the attacker.
We don’t know of any other massive attacks such as the Russian strikes on Estonia and Georgia from unclassified sources. Several nations—China, Iran, and Saudi Arabia, among them—try to limit their citizens’ access to the Internet to prevent the spread of dissent. Myanmar (née Burma) has apparently cut off Internet access twice—once in late 2007 and again in November 2010—to place an electronic Iron Curtain around its population.
Sources say that a “cyber criminal,” not a national entity, made successive—and partially successful—attacks on the Brazilian power grid in November 2009.
What a nation does to limit its own citizens’ freedom is an act of oppression. But when one nation uses computers as a weapon against another, is it war?
No one would say that the Russian tank invasion was not an act of war. But what about the cyber attacks? Were they something less, or truly an act of war using an unconventional weapon?
THE TERM "ARMED CONFLICT" is used to describe war. But what is war? Is a war only a war if conventional weapons are used to fight it?
Prussian general Carl von Clausewitz’s 1832 text On War defined war to be “…an act of force to compel our enemy to do our will.” The aggressive use of armed force—like the Japanese attack on Pearl Harbor in 1941—fits that definition perfectly. Following Pearl Harbor, our two choices were to surrender or declare war, and we properly chose the latter course. The attack, and the declaration of war, not only united Americans in pursuit of victory but also justified our use of all of the force we could devise and deploy to win.
Throughout history, acts of war, either as aggression or in defense, have entailed similar foreseeable consequences for the belligerent nations: declaration of war and military mobilization. Conventional war was the clash of arms between nations; men in different uniforms fighting and killing each other to conquer or defend. It was the most definable of human activities, compelling a clarity of purpose that focused every aspect of a society on achieving the goal.
But then insurgencies became common, and later the idea that, for instance, a “police action” in Korea could be a war of limited purpose and duration in which stalemate was accepted as a goal. Clarity was lost. And then came the advent of global Islamic terrorism.
Is an act of terrorism a crime or an act of war? Is it necessary to prove, as liberals insist, that a national government is responsible for a terrorist act before war is invoked against it?
Terrorists don’t fight under a flag or risk themselves to avoid killing civilians. To the contrary—and in violation of the Geneva Conventions—terrorists intentionally target civilians. The pecksniffs of the UN and the media insist that the response to a terrorist attack be “proportional” to the attack a nation suffered. People who have suffered the most and the longest from terrorism, such as the Israelis, suffer the calumnies of the proportionalists who, safe in their ivory towers, condemn an airstrike in retaliation for a mortar attack on a village. The proportionalists, of course, don’t live in the line of fire.
What terrorism taught us is that there are no “front lines” behind which anyone is safe. Gettysburg and the Somme are battlefields historians and schoolchildren visit. You can’t visit today’s battlefield because it is everywhere.
THE CYBER ATTACKS on Estonia and Georgia prove that terrorism isn’t the final chapter in the evolution of war. Though terrorism and conventional war will always be with us, the concept of a weapon, and how newly conceived weapons can be used anywhere and anytime, is so fluid we need to be continuously thinking about it and adjusting to it—our adversaries and potential adversaries are. Because our economic, military, and intelligence communities depend on computer systems to function, within those systems is another battlefield that encompasses almost everything our civilization relies on to work.
Computer warfare—cyberwar—may be the most dangerous new kind of warfare because most Western nations don’t regard cyber attacks as acts of war. The 2002 publication of Unlimited Warfare, a book by two Chinese People’s Liberation Army colonels (Qiao Liang and Wang Xiangsui), proved the depth of one of our adversaries’ thinking on what may be the most important questions about war in the 21st century:
War in the age of technological integration and globalization has eliminated the right of weapons to label war and, with regard to the new starting point, has realigned the relationship of weapons to war, while the appearance of weapons of new concepts, and particularly new concepts of weapons, has gradually blurred the face of war. Does a single “hacker” attack count as a hostile act or not?…
[Technological progress and globalization] means that all weapons and technology can be superimposed at will, it means that all the boundaries lying between the two worlds of war and non-war, of military and non-military, will be totally destroyed, and it also means that many of the current principles of combat will be modified, and even the rules of war may need to be rewritten…
The battlefield is everywhere.…As we see it, a single man-made stock market crash, a single computer virus invasion or a single rumor or scandal that exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.
Liang and Xiangsui aren’t just theorists. Their book was semi-official, endorsed by high-ranking Chinese generals. And they have an eminently realistic view of modern war and one of its means, cyber war. One part of China’s military strategy is sha shou jian: the “assassin’s mace” strategy of unconventional warfare. A 2006 Pentagon report on the Chinese military said that Chinese leaders, recognizing their apparent disadvantages in conventional war, have invested heavily in asymmetric warfare to create the ability to attack and knock out an enemy quickly by unconventional means:
We assess that this conclusion might have given rise to a priority emphasis on asymmetric programs and systems to leverage China’s advantages while exploiting the perceived vulnerabilities of potential opponents—the so-called Assassin’s Mace (sha shou jian) programs.
China isn’t alone in investing in cyberwar. India, Russia, the U.S., and Iran are also heavily invested in it. Some, like America, are investing in defense. Others, especially China and Russia, are also heavily invested in offensive cyberwar.
The only conclusion we can reach is that a computer is as much a weapon as a rifle, a cyber attack as much an act of war as dropping a bomb in the middle of a city. In the West, and in the law of warfare, those concepts have not yet taken root.
THE CHINESE COLONELS’ ideas have already been put into action by Putin’s Russia and by an anonymous cyber warrior who planted a computer worm in Iran’s nuclear program computers. Those actions were not labeled acts of war only because Estonia and Georgia didn’t want open war with Russia and because the law of war doesn’t label them as such.
The most famous malware was the “Stuxnet” program which someone (or, more likely, some nation’s computer warriors) slipped into the computers that run the Iranian nuclear weapons project. It caused significant damage that may still be unfolding.
Stuxnet is a computer “worm”: a highly sophisticated piece of software that, properly designed and placed, can cause machinery controlled by the computers it infects to run destructively. Worms disable security software, duplicate themselves, and spread to other computers networked with the one infected. Some can add “bot” software that will reach out and capture other networks to spread themselves further.
According to several news reports, the Stuxnet worm made the Iranian nuclear centrifuges spin wildly out of control while causing the Iranians running the centrifuges to see—on their gauges and computers—that all was running normally. Some reports, which may be apocryphal, indicate that Stuxnet was capable of mutating: changing itself to continue damaging the nuclear centrifuges even after it was detected and Iranian computer scientists believed it had been neutralized.
Cyberwar isn’t confined to Eastern Europe and Iran. In June 2007, the Chinese PLA cyberwarriors hacked into the Army’s Pentagon e-mail system, causing it to shut down briefly. The Chinese have the most active cyber-espionage effort in the world. (Spyware—software which reveals restricted data stored on computers—is one of the most common forms of malware.)
One ring of Chinese hackers, code-named “Titan Rain” by U.S. investigators, was responsible for years of cyber espionage targeting U.S. military computer networks. And although the “Titan Rain” group may or may not still be operating, U.S. experts estimate that Chinese cyber espionage is responsible for hundreds of attempts to penetrate U.S. military, intelligence, and commercial networks every day.
WERE THE RUSSIAN cyber attacks on Estonia and Georgia acts of war? Was the Stuxnet virus one? Not according to U.S. law or the Geneva Conventions.
Title 18 of the U.S. Code defines acts that comprise federal crimes. But in Section 2331 of Title 18, we find the only definition of an act of war under U.S. law. Section 2331 defines it as, “…any act occurring in the course of: (A) declared war; (B) armed conflict, whether or not war has been declared, between two or more nations; or (C) armed conflict between military forces of any origin….” Nothing in that definition would include a cyber attack. The Geneva Conventions, too, speak only of armed conflict.
Because neither U.S. law nor the Geneva Conventions deal with cyberwar, we are left with the questions and answers from Liang and Xiangsui. The answers they give, and the logical extensions of them, should be a focus of our lawmakers and diplomats.
If there is nothing to define a cyber attack as an act of war, there is nothing to say when a cyber attack constitutes a war crime. Both should be defined in domestic law and in the law of war.
We must begin with the fact that computer viruses, worms, and such are weapons. Just as guns and bombs, they are tools of war. When a disgruntled twenty-something hacker sends a virus out concealed in an e-mail, it’s a crime, not an act of war. But when a nation attacks a military or commercial target—be it a computer network, a satellite, or part of our economic infrastructure—it is just as much an armed attack as if that nation had dropped a bomb on Times Square.
Proportionalists will argue that a cyber attack cannot be an act of war because, if it were, it would entitle the nation suffering the attack to respond with conventional weapons. To that, we must answer as we did on 9/11: a nation that suffers an act of war is entitled to respond as it chooses. We went to war in Afghanistan not to create a democracy there, but to punish the Taliban for giving safe haven and support to al Qaeda.
If, as the Chinese colonels say, a cyber attack by a nation caused the stock market to crash or, for example, caused the New York Stock Exchange computers to erase billions of dollars of assets, that would be an act of war. The difference between that and, for example, our bombing of German factories to destroy the Nazi economy is a difference in methodology, not substance.
The Russian attacks on Estonia and Georgia were acts of war. Were they capable, and had they decided to, those nations would have been perfectly justified in using conventional armed forces to respond.
The Stuxnet attack on Iran’s nuclear program was also an act of war, as was the Chinese attack on the Army’s Pentagon e-mail system. To defend against them is a principal duty of the sovereign: to respond to them in kind or by different means is a matter of how severe they may be.
IT FOLLOWS LOGICALLY that if a cyber attack is no different than an attack with conventional weapons, some cyber attacks must be prohibited by the law of war. What cyber attacks could be defined to be war crimes?
Under U.S. law and the Geneva Conventions which it implements, war crimes are among the gravest of all offenses. Torture, genocide, and the intentional targeting of civilians by military forces are among them. In order for a cyber attack to constitute a war crime, it should have to meet a very specific criterion: that it intentionally caused great physical harm or death to non-combatants. For example, if a cyber attack seized control of our air traffic control system and caused civilian airliners to crash, that would be a cyber war crime just as the 9/11 hijackings were war crimes. The people who authorized and committed the attack would be war criminals just as is Khalid Sheik Mohammed, the al Qaeda 9/11 planner.
America is spending billions to defend itself from cyberwar. Government agencies and contractors working for them mount defenses in a variety of ways. Elaborate password protections, limitations on access to the Internet for computers on which classified information is worked on or stored, and highly sophisticated security software to detect and cut off unauthorized access or use are the most ordinary. The government went so far as to establish the “SIPRNET”—the secret Internet protocol router network—on which classified information can be shared among government agencies.
(SIPRNET was the network from which Army private Bradley Manning allegedly copied and stole hundreds of thousands of classified documents which he passed to Julian Assange’s “WikiLeaks” website. It is targeted daily for cyberespionage and hackers.)
Cyber defense is not only passive. Several government agencies including the FBI have teams of cyberguards who monitor protected computer networks to detect, defeat, and trace back attacks, be they espionage, sabotage, or any other unauthorized access to the systems. If an attack is detected, the attacker’s software is often captured and used to construct ever-evolving protective software. Attacks can often be traced back to the source. China is the most often-detected source. Russia is another.
Both are very dangerous cyber adversaries. Open sources say our defense, intelligence, and industrial computer networks are attacked hundreds of times a day by China alone. In April 2008, the Indian Ministry of External Affairs was hacked, but not disabled, by the Chinese, and the following month the Belgian government suffered the same kind of Chinese attacks.
Our chief cyberwarrior believes we’re not doing enough. Last March, Gen. Keith Alexander, commander of the U.S. Cyber Command, told the House Armed Services Committee, “We are finding that we do not have the capacity to do everything we need to accomplish. To put it bluntly, we are very thin and a crisis would quickly stress our cyber forces.…This is not a hypothetical danger.” One of the questions for Gen. Alexander is not whether he needs more money but what he’d do with it if it were appropriated. (Gen. Alexander did not respond to a request for an interview for this article.)
THE PENTAGON, the intelligence community, and private companies are working hard to interdict cyber attacks and protect our key government and military computer networks. The FBI has many teams of investigators working to identify and arrest domestic hackers. But even though hundreds of attacks are thwarted—or suffered and corrected—every day, it’s increasingly clear that we’re not using our considerable scientific and cyber expertise to best advantage.
The problem, according to some cyberwar experts, is not only that Gen. Alexander lacks the resources to protect our cyber infrastructure, but that his command is entirely oriented toward defense. What we don’t have, and obviously need, is an operational doctrine for offensive cyberwar.
It’s possible that the Stuxnet worm originated in Israel, the nation closest to Iran that is its most obvious nuclear target. It’s also possible that it originated here. If it didn’t, it should have.
An operational doctrine for American offensive cyberwar would establish a covert war, one in which we would engage and seek to destroy the capacity of our adversaries to attack us by cyberwar or conventional means. It would develop more advanced worms like Stuxnet that would be hacked into the computers controlling our adversaries’ most advanced weapons. House Armed Services Committee chairman Howard “Buck” McKeon (R-CA) is trying to push the Pentagon into offensive cyberwar. One must hope he succeeds.
It’s not beyond possibility to imagine an American cyberwar capability that would shut down the ability of Russia, China, and North Korea to launch missiles against us or our allies. That possibility should, with the rest of our offensive cyberwar doctrine, become a reality as soon as our best minds can make it so.