In the last several years, cyber security has been the focus of a great deal of media attention that has reflected public policy concerns worldwide about this topic. For example, the Sunday Times of London quoted Israeli Prime Minister Binyamin Netanyahu as saying that "Israel must turn into a global cyber superpower."2 Through the National Computer Network Emergency Response Coordination Center of China, the Chinese government reported China experienced nearly a half-million cyber attacks in 2010, about half of which originated abroad.a
Of particular note is the May 2011 publication of the White House's International Strategy for Cyberspace, in which it asserted: "when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country... We reserve the right to use all necessary meansdiplomatic, informational, military, and economicas appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests."7 Amplifying these sentiments, a number of news stories subsequently appeared reporting the U.S. believed a cyber attack on the U.S. could be regarded as an act of war, and that the U.S. could respond to such an act using traditional military force (for example, see Gorman1).
Some have been skeptical of such statements. One argument is that it is impossible to attribute a cyber attack to any specific nation-state, so against what party would any nation retaliate in the wake of a devastating cyber attack on it? Another argument is that the strategy assumes state sponsorship is necessary for such an attack. What prevents a non-state actor from conducting such an attack? Indeed, the necessary technology is available at big-box stores, and much of the necessary knowledge is freely available on the Internet.
But such arguments oversimplify both the threat and the strategy.
Consider first the threat. Most of what is discussed in the popular media as "cyber attacks" is really espionage of various kinds. What is "lost" is information: technical documents, political memos, credit card numbers, Social Security numbers, money in bank accounts, business plans, and so on. As most computer scientists know, these are breaches of confidentialitythe legitimate owner still has the information, but someone else has it as well, someone who should not have it and who might be able to use it against the legitimate owner.
These acts are undeniably unfriendlybut do they amount to "acts of war"? Espionage is not traditionally regarded as a violation of international lawprimarily because all nations do it. They do violate domestic law, which is why such acts are (properly) regarded as criminal actsappropriate for investigation and prosecution by law-enforcement authorities.
But the fact that what we have mostly seen to date is cyber espionage should not blind us to the fact that the range of possibilities for something bad to happen to us is not at all limited to the loss of confidentiality for sensitive information. Computers manage electric power generation, airplanes, cars, heating and cooling systems, flood control gates, sewage systems, and so on. They are also central to a U.S. defense strategy that relies on having an information superiority on the battlefield that enormously increases the capabilities of existing forces.
A number of examples of actual cyber attacksactions taken to destroy, disrupt, or degrade computersare known publicly. It is alleged that in 1984, the U.S. modified software that was subsequently obtained by the Soviet Union in its efforts to obtain U.S. technology. Ostensibly designed to operate oil and gas pipelines, the Soviets used this software to operate a natural gas pipeline in Siberia. After a period in which all appeared normal, the software allegedly caused the machinery it controlled to operate outside its safety margins, at which point a large explosion occurred.6 And, in 2010, the Stuxnet worm disrupted industrial control systems in the Iranian infrastructure for enriching uranium, apparently destroying centrifuges by ordering them to operate at unsafe speeds.3
The attribution of any kind of cyber operation, whether for attack or exploitation, is technically difficult.
Compared to acts of espionage, such actions are closer to the boundary between peace and war because they achieved effects that could have been achieved through the use of traditional kinetic weaponry such as bombs. Do these acts amount to acts of war? To date, the international community has not made such a determination. But this fact does not suggest there is no possible cyber attack that would cross the line. Indeed, given the increasing dependence of much of an advanced nation's critical infrastructure on computers for safe and efficient operation, the possibility of a catastrophic cyber attack on an advanced nation cannot be ruled outwidespread power outages affecting hundreds of millions of people, a hacked air traffic control system causing airplanes to crash, military forces unable to deploy, and so on.
Are any of these catastrophic scenarios likely? Much of the public debate about such matters makes it seem these scenarios are imminent and they are easy to do, for example, by some lone teenage hacker/terrorist working in a basement in a far-off land. Nonsense. A long-lasting catastrophic effect on the U.S. through a cyber attack would be very difficult even for a major nation-state to achieve. Still, policymakers are paid to make contingency plans even for unlikely eventsand the policy question is this: If a catastrophic cyber attack against the U.S. such as I have described did occur, should the U.S. regard it as an act of war? For some sufficiently high level of damage and destruction to the U.S., surely the answer is yes. The 9/11 terrorists committed crimes against the U.S.but the international community supported the U.S. call for treating the events of 9/11 as an armed attack warranting a forceful military response.
What about attribution? What does an act of war mean if you cannot identify the responsible party? There is no question that the attribution of any kind of cyber operation, whether for attack or for exploitation, is technically difficult. If the particular techniques of any given operation have never before been seen, and if the perpetrator has concealed his tracks perfectly, and if no one else knows he is responsible for the operation, and if there are no circumstances to suggest he might be behind the operation, then attribution may well be impossible. And indeed all of these conditions do hold for many of the acts of cyber espionage and cyber attack we have seen to date.
Would these conditions be true for a cyber attack that might plausibly be regarded as an act of war? Perhaps, but perhaps not. For example, cyber attackers may make technical mistakes that leave behind clues about their identity on some of the systems they have compromised. They may use a technique that has been seen before. They may have discussed their plans on a bulletin board that is being monitored. An intelligence official who provided to the perpetrators information useful for conducting the attack may discuss his actions on an intercepted phone call. Political circumstances (such as international tensions) may suggest a particular national actor that might gain a significant advantage from conducting such an attack. Although they do not guarantee it, all of these possibilities increase the likelihood attribution could be established.
Computer scientists are in a position to play an important role in helping to shape national and international policies regarding cyber conflict.
Policymakers have some experience with many kinds of crises, but their understanding of the cyber world is, with some exceptions, sketchy and incomplete. Nevertheless, in the event of cyber crisis, they will make decisions with whatever information and knowledge they have. Computer scientists today are in a position to play an important role in helping to shape national and international policies regarding cyber conflict.
What might such a role entail? The issues are complex, from both technical and policy standpoints, and are worthy of serious intellectual attention. Some interesting issues include the following:
We are in the earliest stages of an ongoing policy debate about matters of war and peace in cyberspace.
The first four listed items address technical issues that are important to parties on either side of a cyber attack or exploitation (that is, as victim or as perpetrator).5 The last three items are some of the 50-plus policy-related questions relevant to conflict in cyberspace described in a 2010 report of the U.S. National Research Council,4 and the reader should notice that all of them transcend the individual concerns of any particular nation and require a degree of familiarity with concepts of computer science and information technology that is second nature to most Communications readers.
We are in the earliest stages of an ongoing policy debate about matters of war and peace in cyberspace, and the voice of professional computer scientists should be heard in that debate. Whatever one's views on the topic, dialog and discussion within the computer science community about this matter can help policymakers make more informed decisions in this area.
1. Gorman, S. Cyber combat: Act of war. Wall Street Journal (May 31, 2011); http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html#ixzz109BF3ADz.
3. Markoff, J. A code for chaos. New York Times (Oct. 2, 2010); http://www.nytimes.com/2010/10/03/weekinreview/03markoff.html?ref=stuxnet.
4. National Research Council. Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy, National Academies Press, 2010; http://www.nap.edu/openbook.php?record_id=12886&page=1.
5. National Research Council. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, W.A. Owens, K.W. Dam, and H.S. Lin, Eds., National Academies Press, 2009; http://www.nap.edu/catalog.php?record_id=12651.
7. White House. International Strategy for Cyberspace, May 2011; http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
Figure. The U.S. Department of Homeland Security logo is reflected in the eyeglasses of a cybersecurity analyst in the watch and warning center at the Department of Homeland Security's cyber defense facility at Idaho National Laboratory.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2012 ACM, Inc.