There is a consensus that aggression by one nation against another is a serious matter, but there is no comparable consensus about what constitutes aggression. Waging aggressive war was one charge against Nazi leaders at the 1946 Nuremberg war crimes trials, but 70 years later it is unclear that aggression, properly understood, must involve war, as commonly understood. Or that war, in today’s context of novel destructive capabilities, must involve “the use of armed force,” which the Rome Statute of the International Criminal Court says is constitutive of an “act of aggression.”
Cyberskills can serve espionage — the surreptitious acquisition of information — which is older than nations and not an act of war. Relatively elementary cyberattacks against an enemy’s command-and-control capabilities during war were a facet of U.S. efforts in Operation Desert Storm in 1991, in the Balkans in 1999 and against insurgents — hacking their emails — during the “surge” in Iraq. In 2007, Israel’s cyberwarfare unit disrupted Syrian radar as Israeli jets destroyed an unfinished nuclear reactor in Syria. But how should we categorize cyberskills employed not to acquire information, and not to supplement military force, but to damage another nation’s physical infrastructure?
In World War II, the United States and its allies sent fleets of bombers over Germany to destroy important elements of its physical infrastructure — steel mills, ball-bearing plants, etc. Bombers were, however, unnecessary when the United States and Israel wanted to destroy some centrifuges crucial to Iran’s nuclear weapons program. They used the Stuxnet computer “worm” to accelerate or slow processes at Iran’s Natanz uranium-enrichment facility, damaging or even fragmenting centrifuges necessary for producing weapons-grade material. According to Slate columnist Fred Kaplan, by early 2010, approximately 2,000 of 8,700 “were damaged beyond repair,” and even after the Iranians later learned what was happening, another 1,000 of the then-remaining 5,000 “were taken out of commission.”
For fascinating details on the episodes mentioned above, and to understand how deeply we have drifted into legally and politically uncharted waters, read Kaplan’s new book, “Dark Territory: The Secret History of Cyber War.” Three of its lessons are that cyberwar resembles war, much of it is very secret and everything essential to the functioning of modern society is vulnerable.
The things controlled by or through computers include not just military assets (command-and-control systems, the guidance mechanisms of smart munitions, etc.) but also hospitals, electric power grids, water works, the valves of dams and the financial transactions of banks. And, Kaplan notes, unlike nuclear weapons or the ballistic missiles to deliver them, cyberweapons do not require large-scale industrial projects or concentrations of scientists with scarce skills. All that is needed to paralyze a complex society and panic its population is “a roomful of computers and a small corps of people trained to use them.”
Clearly the United States needs a cyberdeterrent capacity — the ability to do unto adversaries anything they might try to do unto us. One problem, however, is that it can be difficult to prove the source of a cyberattack, such as that which Vladimir Putin did not acknowledge launching, but almost certainly did launch, in 2007 to punish Estonia for annoying Russia.
To appreciate how computer keystrokes can do damage comparable to a sustained air campaign using high explosives, consider what happened in 1995 in the private sector. Barings, founded in 1762, was Britain’s oldest merchant bank, having weathered the Napoleonic wars and two world wars, and its clients included Queen Elizabeth II. One of its young traders, Nick Leeson, in the bank’s Singapore office, was so skillful at navigating the derivatives markets that at one point he produced 10 percent of the bank’s profits. Inadequately supervised, he created a secret Barings account from which he made risky bets, including a huge one on Japan’s stock market rising. He did not, however, anticipate the Kobe earthquake. Japan’s stock market plunged, causing enormous losses in Leeson’s account that Barings could not cover. The bank quickly collapsed and was bought by a Dutch company for one British pound.
If one rogue trader’s recklessness, motivated by mere avarice, can quietly and quickly annihilate a venerable institution, imagine what havoc can be wrought by battalions of militarized cyberwarriors implacably implementing a nation’s destructive agenda. It is long past time for urgent public discussion of the many new meanings that can be given to Shakespeare’s “Cry ‘Havoc!’ and let slip the dogs of war.”