Cyber War: The Next Threat to National Security and What to Do About It
BANNING CYBER WAR?
Would it be a good idea, then, to agree to an outright ban on cyber war as defined here (that is, excluding cyber espionage)? An outright ban could, theoretically, prohibit the development or possession of cyber war weapons, but there would be no way to enforce or verify such a ban. A ban could also be articulated as a prohibition on the use of cyber weapons against certain targets or on their deployment prior to the outbreak of hostilities, rather than their mere possession or their use in espionage. To judge whether a ban on conducting cyber war would be in our interest, assuming it could be verified, let’s look at some hypothetical cases.
Imagine a scenario similar to the Israeli raid on the Syrian nuclear facility with which this book began. Change the scenario slightly so that it is the United States that wants to prevent some rogue state from developing a nuclear weapon and it is the United States that decides it has to bomb the covert site where the nuclear weapon is going to be made. The U.S. might well have the same kind of capability to turn off an adversary’s air defense system by employing a cyber weapon. If we had agreed to a ban on the use of cyber weapons, we would face a choice between, on the one hand, violating the agreement, and, on the other hand, sending in U.S. pilots without having done all that we could in advance to protect them. Few civilian or military leaders in this country would want to have to explain that U.S. aircraft were shot down, U.S. pilots taken prisoner or killed, because even though we could have shut off the adversary’s air defense system we did not because of an international agreement.
Or imagine a scenario in which the U.S. was already in a limited shooting war with some nation, as we have been in recent history with such nations as Serbia, Iraq, Panama, Haiti, Somalia, and Libya. The U.S. forces might be in a situation where they could substitute a cyber weapon for conventional explosive, kinetic weapons. The cyber weapon might result in lower lethality and do less physical damage, have less long-lasting effects. An outright ban on the use of cyber weapons would force the U.S. to choose, once again, between violating the agreement and doing some unnecessary damage to the adversary.
A simpler scenario would not involve a shooting war or a U.S. preemptive attack, but rather something as routine as a U.S. ship sailing peacefully in international waters. In this scenario, a U.S. destroyer sailing parallel to the North Korean coast would be attacked by a North Korean patrol boat, which fires missiles at the destroyer. The U.S. ship might have a cyber weapon that could be beamed into the guidance system of the incoming missiles, causing them to veer away. If there were an outright ban on the use of cyber weapons, the U.S. might even be prohibited from using them to defend its forces from an unprovoked attack.
The most difficult scenario in which to show restraint would be if cyber weapons were already being used against us. If an adversary tried to shut down a U.S. military network or weapon system by using cyber techniques, it would be tempting to ignore the international agreement and respond in kind.
The two sides of the case for and against a complete ban on the use of cyber war weapons are clear. If we really believe that a ban on cyber weapons is in the U.S. interest, we should be willing to pay some price to maintain the international standard of not using such weapons. We have been in situations in the past where we might have enjoyed some immediate military advantage by using a nuclear weapon or a chemical or biological weapon, but we have always decided that the larger U.S. interest is in maintaining a global consensus against employing such weapons. Nonetheless, because cyber weapons can be less lethal, banning their use in conjunction with kinetic combat may be hard to justify. If shots are already being fired, using cyber weapons might not be destabilizing or escalatory if (and this is a very big if) their use did not expand the scope of the war. The U.S. military will make the case (strongly) that cyber war weapons are a U.S. advantage and that we have to use our technological advantage to compensate for how thinly our forces are spread around the world and how sophisticated the conventional weapons have become that are in the hands of possible opponents.
Balancing our desire for military flexibility with the need to address the fact that cyber war could damage the U.S. significantly, it may be possible to craft international constraints short of a complete ban. An international agreement that banned, under any circumstances, the use of cyber weapons is the most extreme form of a ban. In the previous chapter, we looked briefly at the proposal of a no-first-use agreement, which is a lesser option. A no-first-use agreement could simply be a series of mutual declarations, or it could be a detailed international agreement. The focus could be on keeping cyber attacks from starting wars, not on limiting their use once a conflict has started. We could apply the pledge to all nations, or only to those nations that made a similar declaration or signed an agreement.
Saying we won’t be the first ones to use cyber weapons may in fact have more than just diplomatic appeal in the international arena. The existence of the pledge might make it less likely that another nation would initiate cyber weapons use because to do so would violate an international norm that employing cyber weapons crosses a line, is escalatory, and potentially destabilizing. The nation that goes first and violates an agreement has added a degree of international opprobrium to its actions and created in the global community a presumption of misconduct. International support for that nation’s underlying position in the conflict might thus be undermined and the potential for international sanctions increased.
A no-first-use declaration could result in reduced flexibility in many of the kinds of cyber scenarios I discussed above. Waiting to respond in kind once we detected that the cyber weapons had been used in a conflict, or used specifically against us, may also create a disadvantage in the cyber war phase of a conflict.
BANNING ATTACKS ON CIVILIANS?
There are less restrictive approaches than banning the use of cyber weapons, or even forswearing first use. One possibility would be to issue a unilateral declaration or to agree to an international protocol placing civilian targets off limits to nation-states’ use of cyber weapons. There is ample precedent in the international laws of war for a limited ban on certain weapons or activities, as well as for treaties that call for the protection of civilians caught up in wars.
In World War I, aircraft were used in combat for the first time. They were mainly employed for reconnaissance, machine-gun strafing of troops, and attacking each other in the air, but some aircraft were used to drop explosives on the enemy. This first, small use of aerial bombing opened the possibility of creating larger aircraft in the future to carry more, and bigger, bombs. Within a decade bomber aircraft were being manufactured. One of the earliest science fiction authors, H. G. Wells, vividly portrayed what such bombing aircraft could do to a city in his 1933 novel The Shape of Things to Come. By 1936 he and the filmmaker Alexander Korda had adapted the book into a movie, Things to Come, which horrified audiences. In 1938 in Amsterdam, an international conference agreed to limits on “New Engines of War.” That agreement led, later that year, to a “Convention for the Protection of Civilian Populations against Bombing from the Air.”
Unfortunately for Amsterdam, and most major cities in Europe and Asia, that agreement did not stop Germany, Japan, the United States, the United Kingdom, or the Soviet Union from aerial carpet bombing of cities in the war that started one year later. After World War II, nations tried again and wrote several agreements limiting how future wars should be conducted. These treaties, negotiated in Switzerland, became known as the Geneva Conventions. Convention Four covers the “Protection of Civilian Persons in Time of War.” Thirty years later the United Nations sponsored another series of conventions that protected not only civilians, but also military personnel against certain kinds of weapons that were thought to be destabilizing or heinous. The conventions were given the cumbersome title “Prohibitions or Restrictions on the Use of Certain Conventional Weapons…Excessively Injurious or Hav[ing] Indiscriminate Effects.” Five specific protocols were agreed on, banning or limiting the use of established weapons such as land mines and incendiaries, as well as the new application of commercial laser technology to weaponry.
More recently the International Criminal Court agreement, which entered into force in 2002, banned intentionally targeting civilians. The United States has withdrawn from the Court treaty and has gained agreement from many nations that they would not support the prosecution of U.S. military personnel by the Court.
Either the Geneva convention on “Protection of Civilians” in war or the UN convention on weapons with “Indiscriminate Effects” could be expanded to deal with this new kind of warfare. Cyber weapons used against a nation’s infrastructure would inevitably result in attacking civilian systems. Nothing could be more indiscriminate than attacking such things as a nation’s power grid or transportation system. While such broad-based attacks would diminish a nation’s military capacity, some military capabilities will suffer less than similar civilian infrastructure. The military are more likely to have backup power systems, stockpiled food, and emergency field hospitals. A broad-based cyber attack on a nation’s infrastructure could keep the power grid off-line for weeks, pipelines unable to move oil and gas, trains sidelined, airlines grounded, banks unable to dispense cash, distribution systems crippled, and hospitals working at severely limited capacity. Civilian populations could well be left in cold, darkened dwellings with little access to food, money, medical care, or news about what was happening. Looting and a crime wave could follow. The number of fatalities would depend upon the duration and geographic scope of the outages. While such casualties would be far fewer than those resulting from an aerial bombing campaign against cities, a sophisticated national cyber attack would definitely affect civilians, and might even be designed to do so.
Extending existing international agreements to protect civilians against cyber attacks has advantages for the United States. It allows the U.S. to continue to do what it is good at, cyber war against military targets, including going first. Sophisticated cyber weapons may allow the U.S. to continue to have technological superiority in potential military conflicts, even as other nations deploy modern conventional weapons with capabilities that approach or equal those of American forces. Cyber weapons may also allow the U.S. to compensate in local or regional situations where the American forces are outnumbered.
Limiting U.S. cyber attacks to military targets would mean that we could not disrupt another nation’s military as a side effect of a general attack on a civilian power grid or railroad system. It is likely, however, that U.S. cyber warriors have the capability to narrowly attack military targets such as command and control grids, air defense networks, and specific weapons systems. Thus, by respecting a ban on attacking civilian targets, the U.S. may not lose much, if any, of the capability it needs to dominate an adversary.
The U.S. is not very good at cyber defense, nor is anybody else; but the U.S. civilian infrastructure is more vulnerable, and thus the U.S. stands to suffer more from a broad national cyber attack than would most other nations. Because the U.S. military relies on the civilian infrastructure, a ban on cyber attacks on civilian targets would protect the U.S. military, as well as avoid inflicting harm on people in general and on the economy.
If the U.S. thought such a limited ban on cyber weapons was in its interest and either proposed it or agreed to it, there are two immediate follow on questions. First, how do you propose to verify it? Let’s get to that in a moment. Second, what does it mean with regard to “preparation of the battlefield”? Do we define an attack as including the penetration of a network, or the emplacement of a logic bomb, or is it just the use of a logic bomb or other weapon? Specifically, what is it that we would be willing to agree to stop doing?
Earlier, we came to the conclusion that a formal international agreement banning cyber espionage was probably not a good idea for the United States. So, we would not ban the penetration of networks to collect intelligence, and there is probably intelligence information that one could glean from hacking into a railroad’s control system. But what real intelligence value would there be to hacking into an electric grid’s controls? Hacking into an electric grid’s controls and leaving a trapdoor to facilitate easy return can have only one purpose: preparation for an attack. Leaving behind a logic bomb is even more obviously an act of cyber war.
Theoretically, you could write a ban on cyber war attacks on civilian infrastructure that would not explicitly prohibit placing trapdoors or logic bombs, but would rather just ban any act that actually causes a disruption. This narrow ban would allow the U.S. to be in position to retaliate quickly against another country’s civilian infrastructure if it attacked ours. Without preplacement of cyber weapons, it might be difficult and time-consuming to attack networks. But by allowing countries to go around lacing one another’s networks with logic bombs, we would be missing the chief value of a ban on cyber attacks on civilian infrastructure.
The main reason for a ban on cyber war against civilian infrastructures is to defuse the current (silent but dangerous) situation in which nations are but a few keystrokes away from launching crippling attacks that could quickly escalate into a large-scale cyber war, or even a shooting war. The logic bombs in our electric grid, placed there in all likelihood by the Chinese military, and similar weapons the U.S. may have or may be about to place in other nations’ networks, are as destabilizing as if secret agents had strapped explosives to transmission towers, transformers, and generators. The cyber weapons are harder to detect; and, with a few quick keystrokes from the other side of the globe, one disgruntled or rogue cyber warrior might be able to let slip the dogs of war with escalating results, the limits of which we cannot know.
Although we can imagine situations in which the U.S. might wish it had already put logic bombs in some nation’s civilian networks, the risks of allowing nations to continue this practice would seem to far outweigh the value of preserving for ourselves that one option to attack. Thus, as part of a ban on attacking civilian infrastructure with cyber weapons, we should probably agree that the prohibition include the penetration of civilian infrastructure networks for the purpose of placing logic bombs, and even the emplacement of trapdoors on networks that control systems such as electric power grids.
BEGINNING WITH THE BANKS?
Even an agreement limited to protecting civilian infrastructure may pose problems. Some nations, like Russia, might contend that a U.S. willingness to accept such an agreement confirms their point that cyber weapons are dangerous. They could hold out for a complete ban. Negotiating a verification arrangement for even a civilian-protection protocol could, as we will discuss shortly, open a Pandora’s box of complications. Therefore, the U.S. may want to consider an even more limited scope for an initial international agreement on cyber weapons. One option might be an accord designed to preclude cyber attacks on the international financial system. Every major nation has a stake in the reliability of the data that underpin international bank clearinghouses, their major member banks, and the major stock and commodity trading exchanges. With few exceptions, such as the impoverished rogue state of North Korea, to launch an attack on an element of the international financial system would likely be self-defeating. The damage to the system could directly hurt the attacker, and certainly the financial retaliation that would result from the identification of an attacking nation could cripple a nation’s economy.
Because of the interlocking nature of major global financial institutions, including individual banks, even a cyber attack on one nation’s financial infrastructure could have a fast-moving ripple effect, undermining confidence globally. And, as one Wall Street CEO told me, “It is confidence in the data, not the gold bullion in the basement of the New York Fed, that makes the world financial markets work.”
The belief that cyber attacks on banks could unravel the entire global financial system has prevented successive U.S. administrations from approving proposals to hack into banks and steal funds from terrorists and dictators, including Saddam Hussein. As Admiral McConnell has noted, “What happens if someone who is not deterred attacks a large bank in New York and contaminates or destroys the data? Suddenly there is a level of uncertainty and loss of confidence. Without confidence that transactions are safe and will reconcile, financial transactions will stop.” Thus, since we seem to have a self-imposed ban anyway, it would probably be in the interest of the United States to propose or participate in an international agreement to forswear cyber attacks targeted on financial institutions. (Such an agreement need not prohibit cyber espionage. There might be intelligence value from observing financial transactions in banks, such as identifying the money of terrorists. The U.S. may already be doing just that. It apparently came as a shock to European financial institutions in 2006 that the U.S., seeking to track terrorist funds, may have been covertly monitoring the international financial transactions of the SWIFT bank-clearing system.)
INSPECTORS IN CYBERSPACE
The value of international agreements to ban certain kinds of cyber warfare activities, or pledges not to engage in such attacks first, may depend in part upon whether violations can be detected and whether blame can be assigned. Traditional arms control verification is very different from anything that would work in cyberspace. To verify compliance with numerical limits on submarines or missile silos, nations had only to fly their space-based surveillance platforms overhead and take photographs. It’s hard to hide a submarine-building shipyard or a missile base. For smaller objects, such as armored combat vehicles, inspection teams were permitted into military bases to conduct inventories. To ensure no improper activity at nuclear reactors, the International Atomic Energy Agency’s inspectors install surveillance cameras and place seals and identification tags on nuclear material. International teams sample chemicals at corporations’ chemical plants, looking for signs of covert chemical weapons production. To monitor for nuclear weapons tests, an international network of seismic sensors has been netted together, with nations sharing the data they detect.