Cyberattacks: Computer Warfare Looms as Next Big Conflict in International Law
Near the Iranian village of Natanz, lying by the nation’s Karkas mountain range, a compound of tan-colored, block-shaped buildings sprawls with in a 25-acre enclosure. In a complex 25 feet underground, encased by walls 8 feet thick, 5,000 centrifuges churn out enriched uranium as they spin at almost 100,000 revolutions per minute.
This is one of the Islamic republic’s nuclear facilities, capable of producing the source for high-powered energy—or for nuclear weapons.
Sometime in late 2009, a computer worm known as Stuxnet crawled into the data language of the system’s programmable logic controllers, the computers that run the complex’s vast operations.
Stuxnet packs a ravenous appetite for software made by the German technology company Siemens—software that was embargoed from Iran, but that the nuclear facility had procured clandestinely.
Once the worm grabs hold of the computer’s mechanics, it sets out to destroy the system. First, it wildly alters the rotational speed of the centrifuge motors, shifting them up and down. The fluctuations can blow the system apart. If a crash occurs when the centrifuges are packed with hot uranium-hexafluoride gas, the sabotage could end in catastrophe.
But that was only part of Stuxnet’s brilliant physiology. While busily annihilating the centrifuges, it sent images back to computer operators cagily telling them that everything was going along just fine.
By early 2010, the Iranians had to trash almost 1,000 centrifuges. Although the worm didn’t destroy Tehran’s aim of stockpiling enriched uranium, it was a considerable setback.
As might have been expected, the Iranians cried foul, blaming their enemies—the U.S. and Israel—for releasing the malware. And it wasn’t a long leap in logic. Israel reportedly had been working on centrifuges similar to Iran’s for years. Meanwhile, Siemens had been supplying computers to an American nuclear facility in Idaho.
Both nations were officially mum. But Gary Samore, a White House arms control specialist, admitted to the New York Times that he was “glad to hear [the Iranians] are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to try to make sure that we complicate matters for them.”
The cyberworld “becomes more important in the conflict between nations,” Israeli Deputy Prime Minister Dan Meridor reportedly said at a conference in Jerusalem last year. “It is a new battleground, if you like, not with guns but with something else.”
That “something else” is a digital invader like Stuxnet, a code that “is not about sending a message or proving a concept,” said Ralph Langner, a German technology expert who deciphered it, in the Times. “It is about destroying its targets with utmost determination in military style.”
Welcome to the world of cyberwarfare, a new age and a new form of combat. Technology pros man the front lines, with a command of computer code and a knowledge of the intricacies of information mechanics. Instead of combat firepower, malicious digital information sneaks into the delicate structure of computer operations.
With a code like Stuxnet, writes national security reporter Spencer Ackerman, “there’s no broader conventional assault, but an adversary’s most important military asset gets compromised.”
The future is likely to see more viruses like Stuxnet. “Stuxnet may represent the so-called high end of cyberwarfare: a stealthy, stand-alone capability to knock an opponent’s queen off the board before more traditional military hostilities can kick in,” writes Ackerman, a senior reporter for Wired.
“It wouldn’t be taking out a particular ship’s radar system or even a command-and-control satellite. … But this would be the first instance of cyberwarfare aimed at a truly strategic target.”
Although it’s a brave new world, cyberwar nevertheless carries familiar lessons. Just as the development of the airplane foretold the future of aerial bombardment, changing the tactics of World War II, and just as the discovery of nuclear power led to Hiroshima and Nagasaki, so too has the worldwide spread and facility of information technology put nations in the uneasy position of learning how to deal with the cyberworld’s threatening consequences.
And, as with earlier developments of powerful and unimagined weaponry, experts are debating how best to master digital domination and defense, and how to make cyberwar accord with international law.
One debate focuses on whether the U.S. should learn the practicalities of winning a cyberwar—and then ask lawyers for their input—or, instead, set the legal ground rules before conducting cyberwarfare.
The debate is among several featured in the upcoming book Patriots Debate: Contemporary Issues in National Security Law, sponsored by the American Bar Association’s Standing Committee on Law and National Security. The book, featuring essays from experts in various fields of national security, is expected to be published this spring.
The committee invited Washington, D.C., attorney Stewart A. Baker, who argues that policymakers and military planners should develop a strategy for dealing with cyberwar before allowing lawyers to set up guidelines and restrictions.
“Once we have a strategy for winning a cyberwar, we can ask the lawyers for their thoughts. We can’t do it the other way,” writes Baker, a partner at Step toe & Johnson in D.C. and former assistant secretary for policy and technology at the Department of Homeland Security. “The lesson for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.”
But Charles J. Dunlap Jr., a former U.S. Air Force judge advocate general, argues that “military commanders have seen the no-legal-limits movie before, and they do not like it.”
Dunlap, a retired major general who teaches at Duke University School of Law, was also invited by the committee to pose his argument: That laws can both guide military operations effectively and help them avoid disaster.
“Experience shows that following the law is actually what works in war, not ignoring its limits,” Dunlap says. “It is a very practical, pragmatic way to avoid catastrophes like Abu Ghraib and other incidents that are so tremendously destructive to mission success. Illegalities, such as the recent murders in Afghanistan, carry the potential to unravel the entire effort there.”
To Baker, however, lawyers have become so involved in military planning that it’s hard to know where legal ideas end and war strategy begins.
“Lawyers across the government have raised so many showstopping legal questions about cyberwar that they’ve left our military unable to fight, or even plan for, a war in cyberspace.”
Over the last 60 years, the U.S. has fought “relatively low-stakes limited wars to win the hearts and minds” of our allies, Baker says in a telephone interview. The government has embedded lawyers deep within the military and intelligence system, overseeing every strategic move and weapon purchase.
What have emerged are turf fights among government lawyers over which branch oversees which action and how involved the U.S. should become. “There are a whole bunch of people who want to create limits on fighting because they want a different outcome,” he says. “So there’s an ideological battle within the war itself.”
The resulting documents are overly broad, with vague wording and little policy direction. For example, last year the federal government published at least three statements: the White House’s International Strategy for Cyberspace, issued in May; the Department of Defense’s Strategy for Operating in Cyberspace in July; and the DOD’s Cyberspace Policy Report (PDF) to Congress in November.
The latter document deals generally with maintaining a deterrent policy, the difficulty of finding the digital attacker, managing escalation, engaging allies, transporting cyberweapons, and assessing how the War Powers Act complies with a counter attack to a digital confrontation.
But, Baker says, it lacks a plan of action. “If you don’t have a single person like the president demanding a plausible plan, what you tend to get is everyone coming around the table protecting their roles,” Baker says. “They end up with a bunch of abstract papers, none of which produces a workable plan.”
Lawyer control abounds in the Legal Reviews of Weapons and Cyber Capabilities (PDF), issued in July by the U.S. Air Force JAG office. Among its stipulations is that the office will ensure that each weapon or “cybercapability” is reviewed under the law of armed conflict, domestic law and other international laws.
Baker writes in his Patriots Debate essay that the Air Force “surrendered to its own lawyers, allowing them to order that all cyberweapons be reviewed for ‘legality’ … before cyberwar capabilities are even acquired.”
The U.S. has responded to cyberwarfare, Baker adds, “with an outpouring, not of technology or strategy, but of law review articles, legal opinions and legal restrictions.”
It isn’t like the U.S. has never been there before. The development of airpower in the 1930s presaged a future of massive bombing and tactical dogfights. While the British were “realists about air war,” Baker says, the “American tool of choice was international law.”
President Franklin D. Roosevelt at first pressed the legal response. He had a good case, says Baker. The Hague Conventions, among other early 20th century treaties, cautioned against harm to civilians as well as to “edifices devoted to religion, art, science and charity.”
“It began to look like a great victory for the international law of war,” Baker says. We know what happened: the Nazi blitzkrieg of Europe, the Luftwaffe’s bombing of London, the Japanese attack on Pearl Harbor.
Instead of legalisms, Baker says, we need an offensive strategy that may deter cyberspace adversaries, and a defense that imposes a “resilience and redundancy into our infrastructure.”
Cyberwar is a reality, Baker says in his essay: “Cyberweapons went mainstream when the developers of Stuxnet sabotaged [Iran], proving that computer network attacks can be more effective than 500-pound bombs. In war, weapons that work get used again.”
But adherence to the law isn’t some extravagant notion, Dunlap replies. The law adds legitimacy, “a practical, hard-nosed necessity for success in contemporary military operations.” To do otherwise “would deprive the U.S. of the international cooperation that countering a cyberthreat (especially) absolutely requires.”
One issue lawyers face, Dunlap says, is communicating to technology experts—educated in the exact sciences of math and physics—about the subjective nature of decision-making. “Too often,” he writes, “it seems as if cyberstrategists, schooled in the explicit verities of science, expect a level of assurance in legal matters rivaling mathematical equations. All law, but especially [the law of armed conflict], necessarily involves subjectivity in human reasoning that may be troubling to those of a technical mindset accustomed to the precision that their academic discipline so often grants.”
While Dunlap stands up for legal guidance, he stresses that deciding whether to go to war is not an issue for lawyers. Instead, it is for policy- and decision-makers to discern. An act of war “is a political phrase, not a legal term,” he says in a 2011 law review article, “Perspectives for Cyber Strategists on Law for Cyberwar.”
“The real difficulty with respect to the law and cyberwar is not any lack of ‘law,’ per se,” Dunlap writes in the article, “but rather in the complexities that arise in determining the necessary facts which must be applied to the law to render legal judgments.”
Nevertheless, Dunlap notes, “many observers believe the need for a new legal regime designed for cyberwar is urgent.”
For example, technology expert Bruce Schneier suggests a “cybertreaty” that would “stipulate a no-first-use policy, outlaw unaimed weapons or mandate weapons that self-destruct at the end of hostilities.”
Some experts, Dunlap writes, prefer an “effects-based” decision on a cyberincident to determine whether it “equates to” an armed attack. The more damage that a digital attack can cause, the closer the nation gets to declaring legitimate war.
Use of force can be considered as part of a continuum, says U.S. Navy JAG Cmdr. Todd Huntley, with armed attacks leading to a right to self-defense on one end, and “coercive but permissible acts,” such as disruption of transportation and communications, on the other.
“Modern warfare,” he writes in a 2010 law review article, “Controlling the Use of Force in Cyber Space: The Application of the Law of Armed Conflict During a Time of Fundamental Change in the Nature of Warfare,” “… is beginning to move away from this 20th century paradigm and is becoming more ‘effects-based.’ That is, military thinking is beginning to move away from the focus on tools/weapons and [toward] thinking about consequences and how to achieve those which are desired.”
In his 2011 article, former JAG Dunlap also cites Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College. Schmitt writes that the “essence of an ‘armed’ operation is the causation, or risk thereof, of death or injury to persons, or damage or destruction of property and other tangible objects.”
One problem with defining cyberattacks is the broad description that some nations use. Many countries claim that dissident writing, which experts call “ideological aggression,” is also part of information warfare.
What may compel a new definition is the secret nature of a digital code that can infiltrate practically every computer in the world. “The very element that makes the Internet such a valuable resource,” Huntley writes, “is also its greatest weakness, its interconnectedness.” Cyberattack sources are hidden, yet they can penetrate information systems anywhere in the world.
The secrecy of the viral source makes “attribution the No. 1 factual issue,” Dunlap says in an interview. As with conventional wars, “lawyers want to know, if you are shooting at someone, why you are shooting that person.” With Stuxnet, while Iran may suspect Israel and the U.S. of sending it, they can’t be sure.
Another critical question is whether international cyberattacks amount to traditional acts of war. Are such confrontations compatible with the laws of armed conflict, which are based on the increasingly old-fashioned notion that wars demand two nations marching uniformed soldiers on specific battlefields? Or does cyberwarfare require a new set of guidelines that apply to the peculiar tactics of digital attacks and defenses?
More directly, was Stuxnet officially an act of war, allowing Iran to respond militarily? Could Iran respond as a means of self-defense, allowed under the United Nations Charter?
“Iran may be entitled to say that is an act of war,” Baker says. Stuxnet “had a dramatic and physical response. I can’t say it would be illegal, and I wouldn’t be surprised if they attacked control systems in the U.S.”
Even if Stuxnet amounts to a “use of force,” it doesn’t necessarily rise to a casus belli, says Dunlap. “Regardless, a more fundamental issue is whether or not our fear of cyberattack should make us abandon the limits the law imposes on war, cyber or otherwise, and whether lawyers are doing the right thing–legally, ethically and practically–in insisting upon compliance with the restrictions that the law of war demands.”