Is this all it would take to start a war?
After a violent incident occurs, one of the first questions usually asked is, “who did this to us?”, followed by, “how do we respond?” We have thousands of years’ worth of debate on those questions, and in some cases we even have laws governing our answers to them. But, how much of this experience and law applies to (what’s usually referred to as) cyberwar?
As Wesley Clark and Peter Levin recently argued in Foreign Affairs, cyberwar is not a distant threat. The US first used a logic bomb against the Soviet Union in 1982. Government and corporate computers face thousands of attacks daily. Defense Secretary Gates has said the military is “desperately short” of people with the skills to fight off attacks. The New York Times reported last week that, recognizing the threats, the US and Russia are discussing potential treaties on cybersecurity and cyberwarfare.
Yet, as Clark and Levin note, we usually can’t answer the “who?” question about a cyberattack. An attacker who sends code through countries with which the US has poor cooperation laws is almost untraceable. Perhaps more crucially, there is no tradition to guide thinking about the “what now?” question. There aren’t laws of war for the Web — as of this writing, not even the Wikipedia entry for “laws of war” includes the words “computer” or “cyber.”
Determining the laws of cyberwar, or treaties regarding cyberwar, raises several questions we could discuss. These are some that come to my uninformed mind, but I imagine others with more knowledge in this area could ask better ones.
- May the victim of a cyberattack respond with physical attacks? How do we determine what compromises a proportional physical response to a cyber aggressor? For example, if I use a logic bomb to disable your power plant (killing no one) may you firebomb my power plant (killing ten)?
- Given that data move across the Web in fractions of seconds, should we institute laws requiring commanders to “cool off” in some way before ordering a cyberattack? Because essentially no time passes between commencing some forms of cyberattack and their delivery, certainty of the initial aggressor’s identity is paramount in avoiding attacks on the wrong group. But, as said, certainty is difficult to come by in cyberattacks. This question seems to have particular importance for the US, which has politicians who win elections based on proudly not second-guessing their decisions.
- We could also challenge the need for laws of cyberwar to begin with. What actions that could take place in cyberwar require laws developed around them? Online, there are no sick or wounded soldiers, nor prisoners of war. Yet these are the situations for which traditional laws of war were designed.
UPDATE | DEC 17: While not quite related to the laws of war, the Wall Street Journal’s report today that militants in Iraq have hacked into video feeds from US pilotless predator drones underscores the vast amount of work to be done in any effort to prepare ourselves for war in the 21st century.
[...] My friend Curtis Bunner graciously allows me to contribute to Digi-Docket, a group blog dedicated to discussing ideas related to technology and law. Today, I posted my first Digi-Docket entry, which addresses the underdeveloped laws of war as they relate to cyberwar. If you have time, check it out: Fighting fire with firewalls. [...]
Dave,
Cyber Warfare is a very scary subject. Mostly because it is so poorly understood by the supposed “experts.” I read a tech pundit column called “I, Cringely” which used to be sponsored by PBS, but is now an independent blog. One of the posts concerns the recent announcement by the Department of Homeland Security that they would be hiring 1000 cybersecurity experts over the next three years to help protect U.S. computer networks.
In Cringely’s post, he argues that the announcement wrongly assumes that there even ARE 1,000 cybersecurity experts out there, and most that have the technical skills to qualify as cybersecurity experts are hackers, not security analysts. One of the sources he references (who remains anonymous) had the following to say:
“Define ‘expert,’” said another friend from behind Door Number Three, who comes from the security software business. “(An expert is) a person with a high degree of skill in or knowledge of a certain subject. Great, but the question is all about scope. I may be an expert cook – but can I run a kitchen? Same thing with security there are tons of experts – in specific areas. I was an expert in AV, IDS, and other areas. But I was not the all knowing security guru. (even though my knowledge base was very broad). This is where we run into unintended actuated consequences. An expert will make a choice and take an action. The end result may not be what they had anticipated because of other factors beyond the realm of their expertise caused an unanticipated consequence.”
What’s even scarier that being vulnerable to cyber attacks is not having the resources or experts knowledgeable enough to improve the situation. Who knows, maybe the Soviet Union may yet win the Cold War, albeit with Russian hackers instead of nukes . . .
But isn’t the expert from behind Door Number Three searching for a perfect solution? Even a single expert who knows “how to run the kitchen” has a limit to the consequences he or she can predict.
If we at least acknowledge that our group of cooks is full of people with only specialized knowledge, can’t one member of that group at least try, however fruitlessly, to comb the knowledge of other members to predict consequences before pulling the trigger? Granted, this solution is not overwhelmingly comforting, either, but it’s slightly more positive than assuming the whole group will be directionless.
I see your point, Dave. However, I think the thrust of Cringely’s post still stands – there are nowhere near the number of “Cybersecurity Experts” that the Department of Homeland Security is planning to hire. It’s misleading to think that the DHS can just hire a bunch of experts to tackle the problem. It’s much more challenging to cobble together a varied group of specialists and impose an effective form of leadership/management/cooperation.
I do agree with what you say we are going to have to do – assemble the best group of chefs we have and make the most of it. The DHS doesn’t seem to see the situation in a similar light, or at least their press release didn’t reflect that view.