Military Grappling With Rules for Cyber Warfare
By Bradley Graham
During last spring's conflict with Yugoslavia, the Pentagon considered hacking into Serbian computer networks to disrupt military operations and basic civilian services. But it refrained from doing so, according to senior defense officials, because of continuing uncertainties and limitations surrounding the emerging field of cyber warfare.
"We went through the drill of figuring out how we would do some of these cyber things if we were to do them," said a senior military officer. "But we never went ahead with any."
As computers revolutionize many aspects of life, military officials have stepped up development of cyber weapons and spoken ominously of their potential to change the nature of war. Instead of risking planes to bomb power grids, telephone exchanges or rail lines, for example, Pentagon planners envision soldiers at computer terminals silently invading foreign networks to shut down electrical facilities, interrupt phone service, crash trains and disrupt financial systems. But such attacks, officials say, pose nettlesome legal, ethical and practical problems.
Midway through the war with Yugoslavia, the Defense Department's top legal office issued guidelines warning that misuse of cyber attacks could subject U.S. authorities to war crimes charges. It advised commanders to apply the same "law of war" principles to computer attack that they do to the use of bombs and missiles. These call for hitting targets that are of military necessity only, minimizing collateral damage and avoiding indiscriminate attacks.
Defense officials said concern about legalities was only one of the reasons U.S. authorities resisted the temptation to, say, raid the bank accounts of Yugoslav President Slobodan Milosevic. Other reasons included the untested or embryonic state of the U.S. cyber arsenal and the rudimentary or decentralized nature of some Yugoslav systems, which officials said did not lend themselves to computer assault.
U.S. forces did target some computers that controlled the Yugoslav air defense system, the officials said. But the attacks were launched from electronic jamming aircraft rather than over computer networks from ground-based U.S. keyboards.
No plan for a cyber attack on Yugoslav computer networks ever reached the stage of a formal legal assessment, according to several defense officials familiar with the planning. And the 50 pages of guidelines, prepared by the Pentagon general counsel's office, were not drafted with the Yugoslav operation specifically in mind.
But officials said the document, which has received little publicity, reflected the collective thinking of Defense Department lawyers about cyber warfare and marked the U.S. government's first formal attempt to set legal boundaries for the military's involvement in computer attack operations.
It told commanders to remain wary of targeting institutions that are essentially civilian, such as banking systems, stock exchanges and universities, even though cyber weapons now may provide the ability to do so bloodlessly.
In wartime, the document advised, computer attacks and other forms of what the military calls "information operations" should be conducted only by members of the armed forces, not civilian agents. It also stated that before launching any cyber assaults, commanders must carefully gauge potential damage beyond the intended target, much as the Pentagon now estimates the number of likely casualties from bomb attacks.
While computer attacks may appear on the surface as a cleaner means of destroying targets – with less prospect for physical destruction or loss of life than dropping bombs – Pentagon officials say such views are deceiving. By penetrating computer systems that control the communications, transportation, energy and other basic services in a foreign country, cyber weapons can have serious cascading effects, disrupting not only military operations but civilian life, officials say.
Other U.S. government agencies have sided with the Pentagon view that existing law and international accords are sufficient to govern information warfare. But Russia is challenging this view.
Over the past year, Moscow has tried to gather support for a United Nations resolution calling for new international guidelines and the banning of particularly dangerous information weapons. In comments to the U.N. secretary general published last month, Russia warned that information operations "might lead to an escalation of the arms race." It said "contemporary international law has virtually no means of regulating the development and application of such a weapon."
But the Russian initiative has drawn little backing. U.S. officials regard it as an attempt to forestall development of an area of weaponry in which Russia lags behind the United States.
In a formal response rejecting the Russian proposal, the Clinton administration said any attempt now to draft overarching principles on information warfare would be premature.
"First, you have extraordinary differences in the sophistication of various countries about this type of technology," said a State Department official involved in the issue. "Also, the technology changes so rapidly, which complicates efforts to try to define these things."
Instead of turning cyber assaults into another arms control issue, the administration prefers to treat them internationally as essentially a law enforcement concern. U.S. officials have supported several efforts through the United Nations and other groups to facilitate international cooperation in tracking computer criminals and terrorists.
For all the heightened attention to cyber warfare, defense specialists contend that there are large gaps between what the technology promises and what practitioners can deliver. "We certainly have some capabilities, but they aren't what I would call mature ones yet," a high-ranking U.S. military officer said.
The full extent of the U.S. cyber arsenal is among the most tightly held national security secrets. But reports point to a broad range of weapons under development, including use of computer viruses or "logic bombs" to disrupt enemy networks, the feeding of false information to sow confusion and the morphing of video images onto foreign television stations to deceive. Last month, the Pentagon announced it was consolidating plans for offensive as well as defensive cyber operations under the four-star general who heads the U.S. Space Command in Colorado Springs.
But complicating large-scale computer attacks is the need for an extraordinary amount of detailed intelligence about a target's hardware and software systems. Commanders must not only know where to strike but also be able to anticipate all the repercussions of an attack, officials said.
"A recurring theme in our discussions with military operators is, well, if we can drop a bomb on it, why can't we take it out by a computer network attack," said a senior Pentagon lawyer specializing in intelligence. "Well, you may be able to. However, you've got to go through a few hoops and make sure that when you're choosing an alternative method, you're still complying with the law of armed conflict and making sure collateral damage is limited."
In their guidelines document, titled "An Assessment of International Legal Issues in Information Operations," the Pentagon's lawyers warned of such unintended effects of computer attacks as opening the floodgates of a dam, causing an oil refinery in a populated area to explode in flames or triggering the release of radioactivity. They also mentioned the possibility of computer attacks spilling over into neutral or friendly nations and noted the legal limits on deceptive actions.
"It may seem attractive for a combatant vessel or aircraft to avoid being attacked by broadcasting the agreed identification signals for a medical vessel or aircraft, but such actions would be a war crime," said the document, which was first reported last week by defense analyst William M. Arkin in a column on The Washington Post's online service. "Similarly, it might be possible to use computer morphing techniques to create an image of the enemy's chief of state informing his troops that an armistice or cease-fire agreement had been signed. If false, this also would be a war crime."
The document also addressed questions about whether the United States would be any more justified in using cyber weapons if a foreign adversary first hacked into U.S. computer networks. The answer: It depends on the extent of damage. One complicating factor, the defense lawyers wrote, is the difficulty of being certain about the real source and intent of some cyber attacks, whose origin can easily be disguised.
In the case of Yugoslavia, U.S. military authorities were slow to put together a plan for conducting information operations. But one was eventually assembled and approved by the middle of the 78-day war, the high-ranking officer said.
The plan involved many traditional information warfare elements – psychological operations, deception actions, electronic jamming of radar and radio signals – targeting not just Yugoslav military and police forces but Milosevic and his associates, the officer said. One tactic was to bombard the Yugoslav leadership with faxes and other forms of harassment.
© 1999 The Washington Post Company