The Cyber Bomb in Yugoslavia
But I have learned from high-level Defense Department sources that the U.S. did not penetrate any banking networks. What is more, the Pentagon's own top legal office believes that such attacks may be unlawful.
Operations against Yugoslav computer systems were focused on military air defense systems. Gen. John Jumper, commander of U.S. air forces in Europe, confirmed this to Aviation Week and Space Technology in August.
Concerns about international legal constraints on electronic information warfare have so far deterred American government hackers from exercising their full capabilities. Moreover, the Pentagon says it is hampered by a lack of a national information operations vision and strategy. "The conduct of an integrated campaign was delayed by the lack of both advance planning and strategic guidance defining key objectives," its Kosovo after-action review released this month says.
Have Your Lawyer Call My General
While bombs were falling in Yugoslavia, the Pentagon Office of General Counsel finished a 50-page internal "Assessment of International Legal Issues in Information Operations." Though it notes that it is "by no means clear what information operations (IO) techniques will end up being considered to be 'weapons'" in the eyes of the international community, the traditional law of war applies to military-inspired "computer network attack."
"Offensive IO are governed by the same legal principles" that govern the use of force, according to retired Marine Corps lawyer Walter "Gary" Sharp, Shelton's former deputy legal counsel responsible for information war. These include maintaining the distinction between combatants and noncombatants, and the doctrine of military necessity. "What we cannot do kinetically we cannot do electronically," Sharp says.
Accordingly, the Pentagon's May assessment states that "stock exchanges, banking systems, universities, and similar civilian infrastructures may not be attacked simply because a belligerent has the ability to do so." Under the principle of military necessity, to go after Milosevic's and his cronies' bank accounts, whether with bombs or bits, requires that "the attacking force can demonstrate that a definite military advantage is expected from the attack."
Noting the "current formative period" of information warfare, the Pentagon appraisal warns of the possibility that "efforts will be made to restrict or prohibit information operations by legal means."
Your Wish is Our Command
Knowledgeable military sources say that Yugoslavia is not the first American penetration of foreign computer networks. Computers were broken into and exploited during Operation Uphold Democracy in Haiti in 1994, according to sources. President Clinton personally approved the operation.
Since Haiti, these same sources said, a number of "relatively low key" computer exploitations have accompanied other peacekeeping operations. Many of these have been little more than high-tech intelligence collection missions. In many other cases, says one insider, the Joint Staff office of "special technical operations" prepared "approval packages" for the Secretary of Defense and the President, but the "process took so long the operations were overtaken by events and we didn't engage in them."
System Access To What End
When Yugoslavia turned into a hot war, air planners at U.S. European headquarters worked in San Antonio with the Joint Command and Control Warfare Center (JC2WC--known as "jake-wick" in the military) to devise a scheme to insert false messages and targets into the centralized air defense command network. But political hesitations in the approval process stood in the way of the operation beginning with the opening bombing salvos on March 24.
A Top Secret U.S.-only operation to penetrate the Yugoslav air defense system was approved soon after the bombing began, Air Force sources say. Here would be the first test of a new weapon and capability in combat. At the same time though, NATO was surprised when Yugoslav radar operators did not turn on their systems. Evidently learning from Iraq, they kept a low "electronic profile," thus thwarting the traditional electronic attack with anti-radiation missiles and jammers. This was fortunate for the cyber-warriors, for it made a computer penetration all the more important if it could confuse or disable the network of surface-to-air missiles.
But by the time all of the pieces of the information war were in place, enough physical damage had been done to Yugoslav bunkers and command lines, it became difficult to isolate and assess the impact of the cyber attack.
For Gary Sharp and other legal specialists in this burgeoning field of information warfare, Yugoslavia merely stands as another demonstration that computer network attack will eventually become an integral part of the way warfare is waged. "We have not fully realized the breadth of the capabilities and the potential," Sharp says.
The General Counsel report agrees. It concludes that there are "no show-stoppers in international law" for the types of information operations "as now contemplated" by the Pentagon as long as existing legal obligations are followed. The Counsel's report is silent on covert cyber-warfare that might be "contemplated" by other agencies.
William M. Arkin can be reached for comment at firstname.lastname@example.org