Cyber War: The Next Threat to National Security and What to Do About It (31 page)

Unfortunately for Amsterdam, and most major cities in Europe and Asia, that agreement did not stop Germany, Japan, the United States, the United Kingdom, or the Soviet Union from aerial carpet bombing of cities in the war that started one year later. After World
War II, nations tried again and wrote several agreements limiting how future wars should be conducted. These treaties, negotiated in Switzerland, became known as the Geneva Conventions. Convention Four covers the “Protection of Civilian Persons in Time of War.” Thirty years later the United Nations sponsored another series of conventions that protected not only civilians, but also military personnel against certain kinds of weapons that were thought to be destabilizing or heinous. The conventions were given the cumbersome title “Prohibitions or Restrictions on the Use of Certain Conventional Weapons…Excessively Injurious or Hav[ing] Indiscriminate Effects.” Five specific protocols were agreed on, banning or limiting the use of established weapons such as land mines and incendiaries, as well as the new application of commercial laser technology to weaponry.

More recently the International Criminal Court agreement, which entered into force in 2002, banned intentionally targeting civilians. The United States has withdrawn from the Court treaty and has gained agreement from many nations that they would not support the prosecution of U.S. military personnel by the Court.

Either the Geneva convention on “Protection of Civilians” in war or the UN convention on weapons with “Indiscriminate Effects” could be expanded to deal with this new kind of warfare. Cyber weapons used against a nation’s infrastructure would inevitably result in attacking civilian systems. Nothing could be more indiscriminate that attacking such things as a nation’s power grid or transportation system. While such broad-based attacks would diminish a nation’s military capacity, some military capabilities will suffer less than similar civilian infrastructure. The military are more likely to have backup power systems, stockpiled food, and emergency field hospitals. A broad-based cyber attack on a nation’s infrastructure could keep the power grid off-line for weeks, pipelines unable to move oil and gas, trains sidelined, airlines grounded, banks unable
to dispense cash, distribution systems crippled, and hospitals working at severely limited capacity. Civilian populations could well be left in cold, darkened dwellings with little access to food, money, medical care, or news about what was happening. Looting and a crime wave could follow. The number of fatalities would depend upon the duration and geographic scope of the outages. While such casualties would, however, be far fewer than those resulting from an aerial bombing campaign against cities, a sophisticated national cyber attack would definitely affect civilians, and might even be designed to do so.

Extending existing international agreements to protect civilians against cyber attacks has advantages for the United States. It allows the U.S. to continue to do what it is good at, cyber war against military targets, including going first. Sophisticated cyber weapons may allow the U.S. to continue to have technological superiority in potential military conflicts, even as other nations deploy modern conventional weapons with capabilities that approach or equal those of American forces. Cyber weapons may also allow the U.S. to compensate in local or regional situations where the American forces are outnumbered.

Limiting U.S. cyber attacks to military targets would mean that we could not disrupt another nation’s military as a side effect of a general attack on a civilian power grid or railroad system. It is likely, however, that U.S. cyber warriors have the capability to narrowly attack military targets such as command and control grids, air defense networks, and specific weapons systems. Thus, by respecting a ban on attacking civilian targets, the U.S. may not lose much or any capability needed that they need to dominate an adversary.

The U.S. is not very good at cyber defense, nor is anybody else; but the U.S. civilian infrastructure is more vulnerable, and thus the U.S. stands to suffer more from a broad national cyber attack than would most other nations. Because the U.S. military relies
on the civilian infrastructure, a ban on cyber attacks on civilian targets would protect the U.S. military, as well as what it would do to avoid inflicting harm on people in general and on the economy.

If the U.S. thought such a limited ban on cyber weapons was in its interest and either proposed it or agreed to it, there are two immediate follow on questions. First, how do you propose to verify it? Let’s get to that in a moment. Second, what does it mean with regard to “preparation of the battlefield”? Do we define an attack as including the penetration of a network, or the emplacement of a logic bomb, or is it just the
use
of a logic bomb or other weapon? Specifically, what is it that we would be willing to agree to stop doing?

Earlier, we came to the conclusion that a formal international agreement banning cyber espionage was probably not a good idea for the United States. So, we would not ban the penetration of networks to collect intelligence, and there is probably intelligence information that one could glean from hacking into a railroad’s control system. But what real intelligence value would there be to hacking into an electric grid’s controls? Hacking into an electric grid’s controls and leaving a trapdoor to facilitate easy return can have only one purpose: preparation for an attack. Leaving behind a logic bomb is even more obviously an act of cyber war.

Theoretically, you could write a ban on cyber war attacks on civilian infrastructure that would not explicitly prohibit placing trapdoors or logic bombs, but would rather just ban any act that actually causes a disruption. This narrow ban would allow the U.S. to be in position to retaliate quickly against another country’s civilian infrastructure if it attacked ours. Without preplacement of cyber weapons, it might be difficult and time-consuming to attack networks. But by allowing countries to go around lacing one another’s networks with logic bombs, we would be missing the chief value of a ban on cyber attacks on civilian infrastructure.

The main reason for a ban on cyber war against civilian infra
structures is to defuse the current (silent but dangerous) situation in which nations are but a few keystrokes away from launching crippling attacks that could quickly escalate into a large-scale cyber war, or even a shooting war. The logic bombs in our electric grid, placed there in all likelihood by the Chinese military, and similar weapons the U.S. may have or may be about to place in other nations’ networks, are as destabilizing as if secret agents had strapped explosives to transmission towers, transformers, and generators. The cyber weapons are harder to detect; and, with a few quick keystrokes from the other side of the globe, one disgruntled or rogue cyber warrior might be able to let slip the dogs of war with escalating results, the limits of which we cannot know.

Although we can imagine situations in which the U.S. might wish it had already put logic bombs in some nation’s civilian networks, the risks of allowing nations to continue this practice would seem to far outweigh the value of preserving for ourselves that one option to attack. Thus, as part of a ban on attacking civilian infrastructure with cyber weapons, we should probably agree that the prohibition include the penetration of civilian infrastructure networks for the purpose of placing logic bombs, and even the emplacement of trapdoors on networks that control systems such as electric power grids.

BEGINNING WITH THE BANKS?

Even an agreement limited to protecting civilian infrastructure may pose problems. Some nations, like Russia, might contend that a U.S. willingness to accept such an agreement confirms their point that cyber weapons are dangerous. They could hold out for a complete ban. Negotiating a verification arrangement for even a civilian-protection protocol could, as we will discuss shortly, open a Pandora’s box of complications. Therefore, the U.S. may want to
consider an even more limited scope for an initial international agreement on cyber weapons. One option might be an accord designed to preclude cyber attacks on the international financial system. Every major nation has a stake in the reliability of the data that underpin international bank clearinghouses, their major member banks, and the major stock and commodity trading exchanges. With few exceptions, such as the impoverished rogue state of North Korea, to launch an attack on an element of the international financial system would likely be self-defeating. The damage to the system could directly hurt the attacker, and certainly the financial retaliation that would result from the identification of an attacking nation could cripple a nation’s economy.

Because of the interlocking nature of major global financial institutions, including individual banks, even a cyber attack on one nation’s financial infrastructure could have a fast-moving ripple effect, undermining confidence globally. And, as one Wall Street CEO told me, “It is confidence in the data, not the gold bullion in the basement of the New York Fed, that makes the world financial markets work.”

The belief that cyber attacks on banks could unravel the entire global financial system has prevented successive U.S. administrations from approving proposals to hack into banks and steal funds from terrorists and dictators, including Saddam Hussein. As Admiral McConnell has noted, “What happens if someone who is not deterred attacks a large bank in New York and contaminates or destroys the data? Suddenly there is a level of uncertainty and loss of confidence. Without confidence that transactions are safe and will reconcile, financial transactions will stop.” Thus, since we seem to have a self-imposed ban anyway, it would probably be in the interest of the United States to propose or participate in an international agreement to forswear cyber attacks targeted on financial institutions. (Such an agreement need not prohibit
cyber espionage. There might be intelligence value from observing financial transactions in banks, such as identifying the money of terrorists. The U.S. may already be doing just that. It apparently came as a shock to European financial institutions in 2006 that the U.S., seeking to track terrorist funds, may have been covertly monitoring the international financial transactions of the SWIFT bank-clearing system.)

INSPECTORS IN CYBERSPACE

The value of international agreements to ban certain kinds of cyber warfare activities, or pledges not to engage in such attacks first, may depend in part upon whether violations can be detected and whether blame can be assigned. Traditional arms control verification is very different from anything that would work in cyberspace. To verify compliance with numerical limits on submarines or missile silos, nations had only to fly their space-based surveillance platforms overhead and take photographs. It’s hard to hide a submarine-building shipyard or a missile base. For smaller objects, such as armored combat vehicles, inspection teams were permitted into military bases to conduct inventories. To ensure no improper activity at nuclear reactors, the International Atomic Energy Agency’s inspectors install surveillance cameras and place seals and identification tags on nuclear material. International teams sample chemicals at corporations’ chemical plants, looking for signs of covert chemical weapons production. To monitor for nuclear weapons tests, an international network of seismic sensors has been netted together, with nations sharing the data they detect.

Only that seismic network, and perhaps the IAEA teams, offers any useful precedent for cyber arms control verification. You cannot detect or count cyber weapons from space, or even by driving
around an army base. No nation is likely to agree to having international teams of inspectors plowing through what programs are on computer networks designed to protect classified information. Even if in some parallel universe, nations did permit such intrusive inspection of their military or intelligence computer networks, a nation could hide its cyber weapons on thumb drives or CDs anywhere in the country. A ban on development, possession, or testing of cyber weapons on a closed network (such as the National Cyber Range being developed by Johns Hopkins University and Lockheed Martin) is not something that could be verified.

The actual use of cyber weapons, however, may be more clear-cut. The effects of an attack can often be easily discerned. Computer forensic teams can generally determine what attack techniques were used, even if they may not be able to determine how the penetration into the network occurred. The attribution problem would persist, however, even in the case of an attack that has already taken place. Trace-back techniques and ISP records may indicate that a particular nation is involved, but they would not usually be able to prove a government’s guilt with high confidence. A nation, perhaps the U.S., could easily be framed. Cyber attacks against Georgia, probably orchestrated by Russia, came from a botnet control computer in Brooklyn.

Even if a nation admitted that an attack came from computers on its territory, the government could claim the attacks were from anonymous citizens. This is precisely the claim that the Russian government did make in the case of the cyber attacks on Estonia and Georgia. It is exactly what the Chinese government claimed when U.S. networks were hit from China in 2001, following the alleged penetration of Chinese airspace by a U.S. electronic spy plane. It may even be true that the hackers would turn out to be people without government jobs or offices, although they may have been encouraged and enabled by their governments.

One way to address the attribution problem is to shift the burden from the investigator and accuser to the nation in which the attack software was launched. This same burden shifting has been used in dealing with international crime and with terrorism. In December 1999, Michael Sheehan, then the U.S. ambassador for counterterrorism, had the job of delivering a simple message to the Taliban. Sheehan was instructed to make it clear to the Taliban that they would be held responsible for any attack perpetrated by al Qaeda against the United States or its allies. Late at night, Sheehan delivered the message through an interpreter by telephone to a representative of the Taliban leader Mullah Omar. To drive home the point, Sheehan used a simple analogy: “If you have an arsonist in your basement; and every night he goes out and burns down a neighbor’s house, and you know this is going on, then you can’t claim you aren’t responsible.” Mullah Omar did not evict the arsonist in his basement, indeed he continued to harbor bin Laden and his al Qaeda followers even after 9/11. Now it is Mullah Omar who is huddling in a basement somewhere, hunted by NATO, U.S., and Afghan armies.