Michael Vatis is currently a partner in the law firm Steptoe & Johnson LLP. He served as Executive Director of the Markle Foundation Task Force on National Security in the Information Age. From 2001 to 2003, he was the Director of the Institute for Security Technology Studies at Dartmouth College.
Cyber Warfare
During a military conflict, foreign countries can also be expected to mount cyber attacks not only to steal information but also to damage or shut down critical infrastructure systems that underlie the civilian economy, the functioning of government agencies, and military operations. The majority of military communications—critical to command and control of US forces and to their logistical systems—rely on commercial networks. The United States’ very ability to project force during a military conflict is, therefore, dependent upon an inherently vulnerable civilian infrastructure.
Foreign nations might also seek to alter information to spread propaganda or misinformation in order to sow fear, sap public support for military action, or undermine confidence in information vital to the functioning of markets. They would, in short, attempt to accomplish by cyber means many of the same things militaries have always done.
Several foreign nations have already developed cyber warfare or “information warfare” doctrine, programs, and capabilities for use against each other and the United States or other nations. Russia and China are the clearest examples; other oft-cited candidates include France, Israel, India, and Pakistan. Media reports, though, quoting unspecified CIA sources, have claimed that as many as 100 nations may currently possess some cyber warfare capabilities, while the Defense Department’s Foreign Technology Assessment (FTA) for 2000 suggested that around 25 countries may now have the ability to carry out significant cyber warfare attacks. Knowing they cannot defeat the United States in a head-to-head military encounter, foreign nations see cyber attacks as a way to strike a vulnerability. In that sense, cyber warfare is the contemporary equivalent of guerilla warfare—only rather than fighting on their turf, the guerillas fight on their enemies’.
A country could engage in cyber attacks as an adjunct to more conventional forms of attack. The United States itself is reported to have used cyber attacks in the initial stages of the war in Iraq in order to degrade Iraqi command-and-control functions and possibly to shut down electrical power.
Because a cyber attack offers the potential for anonymity—or at least plausible deniability—a nation might also engage in a cyber attack during a situation short of open military conflict. A nation might do this to send a message about the potential costs of engaging in military action against it. Because it is easy to disguise the origin of a cyber attack, a country could also pretend that an attack is coming from a third country, either to avoid a possible retaliatory response by the target or to cause the target to attack the third country.
What Is To Be Done?
The broad diversity of potential sources of attacks, US reliance on information systems that are inherently insecure, and the international dimensions of both cyber attacks and governmental responses raise a host of complicated policy questions. These include how best to improve the state of cyber security; what can be done to improve international cooperation on stemming cyber crime and preventing and responding to cyber terrorism; and whether an international treaty or other measures should be taken to prevent or contain cyber warfare.
At a bare minimum, the United States needs to improve the state of cyber security of its critical infrastructures so that it is less vulnerable to attack from any source. A key question, though, is what more the government can and should do to promote better cyber security. Since 9/11, cyber security has been significantly downgraded as a government priority. The Administration of US President George W. Bush has taken over a year to nominate Greg Garcia to fill the post of Assistant Secretary of Homeland Security. Further, no previous occupant of the post, or predecessor posts, lasted more than one year, apparently due to frustration over the lack of attention to or resources for the issue within the government. Without concerted leadership from Washington, it is unlikely that industry will take adequate measures, particularly to deal with the large-scale attacks that no individual company can prevent or defend against on its own.
This is not to say that cyber security has not improved. Software manufacturers have tried to reduce vulnerabilities in their products, and companies have attempted to improve their information security practices and procedures. Part of the motivation has been the sheer cost of dealing with viruses and intrusions. But part of it has also been the result of federal mandates, at least for the financial services and health industries. State laws require companies to notify affected persons when they suffer a breach that leads to the disclosure of personal information. These regulations have drawn more attention to the issue and have caused companies to increase security to avoid the need to make embarrassing notifications. Still, given the extent of cyber insecurity, much more needs to be done, including research and development of new security technologies and policies designed to promote greater security across all critical industries.
A second issue is improving international cooperation in preventing and responding to cyber attacks. Cyber attackers today can hop from computer to computer as they route their attack from the point of origin to the ultimate targets. A cyber investigation therefore typically involves multiple countries and requires tracing an evidentiary trail across international borders. This makes effective international cooperation essential to cyber crime investigations.
Some steps have already been taken to address this problem. Since the late 1990s, the US government has been urging other nations to strengthen their cyber investigative capacity and to pass domestic laws criminalizing computer viruses and intrusions. The FBI has also trained foreign counterparts to make them more effective partners in international cyber crime investigations. Recently, the US Senate ratified the Council of Europe Convention on Cybercrime, which binds all signatory nations to cooperate with one another and to ensure that they are able to investigate and prosecute cyber crimes effectively. But more must be done to enlarge the community of cooperation, such as including developing nations that are less equipped to deal with cyber crime and do not have a history of cooperation with the United States on criminal investigations.
Finally, the United States must consider whether an international treaty regarding cyber warfare is in its long-term interests. There is presently no treaty that bans or limits cyber warfare. To date, the United States has not been willing even to consider this issue, presumably because it wants to preserve its own option to engage in offensive cyber warfare and espionage. With the United States enjoying a technological edge, this stance is understandable. But it is clear that, as a technologically advanced nation incredibly reliant on information systems in its economy and civil society, the United States is also among the most vulnerable to cyber attack, with the most to lose. Because the United States does not have a monopoly on cyber power, it should seriously consider where its best interests lie in the long term.