[ISN] Perspective: The first 'e-war'

From: InfoSec News (isnat_private)
Date: Tue Feb 04 2003 - 02:50:39 PST

  • Next message: InfoSec News: "[ISN] Some truths are too callous to be told"

    Forwarded from: William Knowles <wkat_private>
    By Declan McCullagh 
    February 3, 2003
    WASHINGTON -- Not long ago, I had dinner with a former military
    officer who participated in information warfare "what-if" exercises
    that the Pentagon and the White House ran in the late 1990s.
    "If Saddam ever attacks the U.S. through the Internet and takes out a
    telecommunications firm, we'll be in a state of war," my dinner
    companion told me. "All bets are off. The Fourth Amendment is on hold.  
    If EarthLink is attacked, the Army could show up and seize control of
    their servers."
    That was news to me. Might a shadowy corps of U.S. hacker-soldiers be
    ready to defend my e-mail in-box from an angry Saddam Hussein seeking
    revenge for a strike on Iraq? Would using the military to defend U.S.  
    companies even be legal? Or was this a bad knockoff of a Tom Clancy
    It turns out that the best thinking about cyberwar remains in flux,
    even after military wonks and nicely compensated Beltway contractors
    have spent the better part of a decade noodling over it. The reason:  
    We're still waiting for the first real cyberwar between nations to
    take place.
    Public discussions go back at least as far as 1995, around which time
    Richard Aldrich, an Air Force staff judge advocate, wrote a paper
    called "The International Legal Implications of Information Warfare."  
    Aldrich pointed to how the staid Law of Armed Conflict, formalized in
    the 1949 Geneva Conventions, doesn't jibe well with communications
    that are ephemeral, global and difficult to trace.
    For example, a nation violates international treaties by falsely
    claiming to surrender. "Suppose Iraq sent a bogus e-mail message to
    low-level (U.S.-led) coalition force commanders in the Gulf purporting
    to be from the commander of all coalition forces indicating that Iraq
    has surrendered and all hostilities are to cease immediately," Aldrich
    wrote. "If a commander acted on this message believing it to be real,
    and suffered heavy casualties from an Iraqi force he thought was
    surrendering but was actually attacking, would Iraq be guilty of
    violating the Law of Armed Conflict?"
    Another implication is that it may not be permissible for a nation to
    deploy blunt offensive tactics like the recent Sapphire worm that
    snarled Microsoft SQL servers. Unless the creature was crafted to
    disable only legitimate enemy targets, it might violate international
    Since those early discussions, the Pentagon has done what it does
    best: It has institutionalized and bureaucratized the study of
    computer warfare, making it a part of the larger field of information
    warfare. The Navy's Fleet Information Warfare Center has, for example,
    added "computer network defense" to its charter, and the Naval
    Postgraduate School conducts "red team" intrusion exercises for
    The Air Force runs a "battlelab" that invented early-warning systems
    to alert operators when a network attack is about to take place and a
    "Software Agent for Operations Security" that scours dot-mil sites for
    classified documents. (Perhaps it works: There has been no verified
    report of classified files leaking through the Web.) Information
    warfare has even crept, oddly, into a "hazard list" compiled by
    Florida's Division of Emergency Management--alongside civil disorders,
    riots and various weapons of mass destruction.
    "Kill Americans and you're in trouble," a Defense Department spokesman
    told me on Friday. "Whether it's treated as a felony, an act of
    terrorism or an act of war, you're in for serious consequences. Of
    course, behind the scenes, we would be having a spirited policy
    discussion of the relevant laws before a decision was reached."
    One serious problem that governments face when responding to
    electronic assaults is that, because their origin may be unknown, the
    appropriate response depends on whether the culprit is a malicious
    hacker, a terrorist network--or the dictator of Iraq keyboarding
    furiously from a bunker deep below Baghdad. Depending on the source
    and the intent, the same type of intrusion could be a criminal offense
    or a declaration of war.
    It's worth noting here that, as my colleague Robert Lemos has
    explained, the threat of so-called cyberwarfare may be overhyped:  
    True, it's possible for electronic intruders to damage infrastructure
    and threaten physical harm, but seizing control of systems from the
    outside is extremely difficult--often impossible--and typically
    requires inside knowledge. Remember, it's always easier to bomb a
    target than to hack a PC.
    Still, how would the Pentagon respond to a serious electronic attack
    on U.S. infrastructure? "It's yet another one of those issues where
    you would have to decide what the Internet is like," says Eugene
    Fidell, president of the National Institute of Military Justice. "The
    law often moves by analogy. Is the Internet like newspapers, like the
    water supply or like the power grid? Is it like the banking system?  
    Issues like these have not been seriously explored, at least in terms
    of the law of war."
    Robert Turner, the associate director of the Center for National
    Security Law at the University of Virginia, says President George W.  
    Bush and the executive branch would have broad authority to respond to
    electronic onslaughts. "We're really in a gray area here," Turner
    says. "The theory of the Constitution was we don't like war. Before
    the president can make a decision to go from peace to war, he needs to
    have the permission of both houses of Congress. But if we are
    attacked, as commander of chief, the president wields executive power
    and does not need approval from Congress (to initiate a defense)."
    Translation: If things get bad enough, say goodbye to civil liberties
    for a while, including the Fourth Amendment's protection against
    "unreasonable searches and seizures." Turner adds: "The Supreme Court
    has always held that what is reasonable depends on context. If you're
    in a situation where people are being killed and you're trying to save
    lives, you can be more intrusive...Protecting the state is a higher
    duty. To say otherwise is to sacrifice the ends to the means. If
    you're unwilling in times of crisis to depart from the law, and you
    lose your freedom, you've done no service to anyone."
    That's the conventional wisdom among military officers and
    Washingtonians. But even though a successful electronic attack is
    implausible, we should still remember to remain skeptical about
    governmental overreaching in times of apparent crisis. Once gained,
    additional surveillance power is not readily relinquished, and new
    data-mining centers like the one Bush announced last week bear close
    Besides, at the same time that al-Qaida was plotting its successful
    suicide hijackings, the top U.S. spooks were busy fretting about the
    dire threat of Fidel Castro hacking our computers. In February 2001,
    Adm. Tom Wilson, head of the Defense Intelligence Agency, warned
    Congress: Castro's armed forces could initiate an "information warfare
    or computer network attack" that could "disrupt our military."
    We're still waiting.
    Declan McCullagh is the Washington correspondent for CNET News.com,
    chronicling the ever-busier intersection between technology and
    politics. Before that, he worked for several years as Washington
    bureau chief for Wired News. He has also worked as a reporter for The
    Netly News, Time magazine and HotWired.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 05:40:02 PST