
Communications of the ACM

Viewpoint

Why Computer Scientists Should Care About Cyber Conflict and U.S. National Security Policy



The U.S. Department of Homeland Security logo is reflected in the eyeglasses of a cybersecurity analyst in the watch and warning center at the DHS's cyber defense facility at Idaho National Laboratory.

Credit: Mark J. Terrill / AP Photo

In the last several years, cyber security has been the focus of a great deal of media attention that has reflected public policy concerns worldwide about this topic. For example, the Sunday Times of London quoted Israeli Prime Minister Binyamin Netanyahu as saying that "Israel must turn into a global cyber superpower."[2] Through the National Computer Network Emergency Response Coordination Center of China, the Chinese government reported China experienced nearly a half-million cyber attacks in 2010, about half of which originated abroad.[a]

Of particular note is the May 2011 publication of the White House's International Strategy for Cyberspace, in which it asserted: "when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country... We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests."[7] Amplifying these sentiments, a number of news stories subsequently appeared reporting the U.S. believed a cyber attack on the U.S. could be regarded as an act of war, and that the U.S. could respond to such an act using traditional military force (for example, see Gorman[1]).

Some have been skeptical of such statements. One argument is that it is impossible to attribute a cyber attack to any specific nation-state, so against what party would any nation retaliate in the wake of a devastating cyber attack on it? Another argument is that the strategy assumes state sponsorship is necessary for such an attack. What prevents a non-state actor from conducting such an attack? Indeed, the necessary technology is available at big-box stores, and much of the necessary knowledge is freely available on the Internet.

But such arguments oversimplify both the threat and the strategy.


Threat and Strategy

Consider first the threat. Most of what is discussed in the popular media as "cyber attacks" is really espionage of various kinds. What is "lost" is information: technical documents, political memos, credit card numbers, Social Security numbers, money in bank accounts, business plans, and so on. As most computer scientists know, these are breaches of confidentiality—the legitimate owner still has the information, but someone else has it as well, someone who should not have it and who might be able to use it against the legitimate owner.

These acts are undeniably unfriendly—but do they amount to "acts of war"? Espionage is not traditionally regarded as a violation of international law—primarily because all nations do it. They do violate domestic law, which is why such acts are (properly) regarded as criminal acts—appropriate for investigation and prosecution by law-enforcement authorities.

But the fact that what we have mostly seen to date is cyber espionage should not blind us to the fact that the range of possibilities for something bad to happen to us is not at all limited to the loss of confidentiality for sensitive information. Computers manage electric power generation, airplanes, cars, heating and cooling systems, flood control gates, sewage systems, and so on. They are also central to a U.S. defense strategy that relies on having an information superiority on the battlefield that enormously increases the capabilities of existing forces.

A number of examples of actual cyber attacks—actions taken to destroy, disrupt, or degrade computers—are known publicly. It is alleged that in 1984, the U.S. modified software that was subsequently obtained by the Soviet Union in its efforts to obtain U.S. technology. Ostensibly designed to operate oil and gas pipelines, the Soviets used this software to operate a natural gas pipeline in Siberia. After a period in which all appeared normal, the software allegedly caused the machinery it controlled to operate outside its safety margins, at which point a large explosion occurred.[6] And, in 2010, the Stuxnet worm disrupted industrial control systems in the Iranian infrastructure for enriching uranium, apparently destroying centrifuges by ordering them to operate at unsafe speeds.[3]




Compared to acts of espionage, such actions are closer to the boundary between peace and war because they achieved effects that could have been achieved through the use of traditional kinetic weaponry such as bombs. Do these acts amount to acts of war? To date, the international community has not made such a determination. But this fact does not suggest there is no possible cyber attack that would cross the line. Indeed, given the increasing dependence of much of an advanced nation's critical infrastructure on computers for safe and efficient operation, the possibility of a catastrophic cyber attack on an advanced nation cannot be ruled out—widespread power outages affecting hundreds of millions of people, a hacked air traffic control system causing airplanes to crash, military forces unable to deploy, and so on.

Are any of these catastrophic scenarios likely? Much of the public debate about such matters makes it seem these scenarios are imminent and they are easy to do, for example, by some lone teenage hacker/terrorist working in a basement in a far-off land. Nonsense. A long-lasting catastrophic effect on the U.S. through a cyber attack would be very difficult even for a major nation-state to achieve. Still, policymakers are paid to make contingency plans even for unlikely events—and the policy question is this: If a catastrophic cyber attack against the U.S. such as I have described did occur, should the U.S. regard it as an act of war? For some sufficiently high level of damage and destruction to the U.S., surely the answer is yes. The 9/11 terrorists committed crimes against the U.S.—but the international community supported the U.S. call for treating the events of 9/11 as an armed attack warranting a forceful military response.

What about attribution? What does an act of war mean if you cannot identify the responsible party? There is no question that the attribution of any kind of cyber operation, whether for attack or for exploitation, is technically difficult. If the particular techniques of any given operation have never before been seen, and if the perpetrator has concealed his tracks perfectly, and if no one else knows he is responsible for the operation, and if there are no circumstances to suggest he might be behind the operation, then attribution may well be impossible. And indeed all of these conditions do hold for many of the acts of cyber espionage and cyber attack we have seen to date.

Would these conditions be true for a cyber attack that might plausibly be regarded as an act of war? Perhaps, but perhaps not. For example, cyber attackers may make technical mistakes that leave behind clues about their identity on some of the systems they have compromised. They may use a technique that has been seen before. They may have discussed their plans on a bulletin board that is being monitored. An intelligence official who provided to the perpetrators information useful for conducting the attack may discuss his actions on an intercepted phone call. Political circumstances (such as international tensions) may suggest a particular national actor that might gain a significant advantage from conducting such an attack. Although they do not guarantee it, all of these possibilities increase the likelihood attribution could be established.




Policymakers have some experience with many kinds of crises, but their understanding of the cyber world is, with some exceptions, sketchy and incomplete. Nevertheless, in the event of cyber crisis, they will make decisions with whatever information and knowledge they have. Computer scientists today are in a position to play an important role in helping to shape national and international policies regarding cyber conflict.

What might such a role entail? The issues are complex, from both technical and policy standpoints, and are worthy of serious intellectual attention. Some interesting issues include the following:

  • Attack assessment. Knowing that a nation or even a particular facility is under serious cyber attack is highly problematic given the background noise of ongoing cyber attacks occurring all the time. What information would have to be collected, from what sources should that information be collected, and how should it be integrated to make such a determination?
  • Geolocation of computers. Given that computers are physical objects, every computer is in some physical location. Knowledge of that location may be important in assessing the political impact of any given cyber attack.
  • Techniques for limiting the scope of a cyber attack. Associated with any bomb is a lethal radius outside of which a given type of target is likely to be unharmed—knowledge of a bomb's lethal radius helps military planners minimize collateral damage. What, if any, is the cyber analog of "lethal radius" for cyber weapons?
  • How could a penetration of an adversary's computer system be conducted so that the adversary knows the penetration is an exploitation rather than an attack?
  • Given a continuing and noisy background of criminal and hacker cyber attacks, how would two nations that agreed to a "cyber cease-fire" know the other side was abiding by the terms of the agreement?
  • How might catalytic cyber conflict between two nations be avoided? (Catalytic conflict refers to conflict between two parties initiated by a third party, perhaps by impersonating one of the two parties.)
  • How can small conflicts in cyberspace between political/military adversaries be kept from growing into larger ones?



The first four listed items address technical issues that are important to parties on either side of a cyber attack or exploitation (that is, as victim or as perpetrator).[5] The last three items are some of the 50-plus policy-related questions relevant to conflict in cyberspace described in a 2010 report of the U.S. National Research Council,[4] and the reader should notice that all of them transcend the individual concerns of any particular nation and require a degree of familiarity with concepts of computer science and information technology that is second nature to most Communications readers.


Conclusion

We are in the earliest stages of an ongoing policy debate about matters of war and peace in cyberspace, and the voice of professional computer scientists should be heard in that debate. Whatever one's views on the topic, dialog and discussion within the computer science community about this matter can help policymakers make more informed decisions in this area.


References

1. Gorman, S. Cyber combat: Act of war. Wall Street Journal (May 31, 2011); http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html#ixzz109BF3ADz.

2. Mahnaimi, U. Israeli military plots to cripple Iran in cyberspace. Sunday Times (Aug. 7, 2011).

3. Markoff, J. A code for chaos. New York Times (Oct. 2, 2010); http://www.nytimes.com/2010/10/03/weekinreview/03markoff.html?ref=stuxnet.

4. National Research Council. Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy, National Academies Press, 2010; http://www.nap.edu/openbook.php?record_id=12886&page=1.

5. National Research Council. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, W.A. Owens, K.W. Dam, and H.S. Lin, Eds., National Academies Press, 2009; http://www.nap.edu/catalog.php?record_id=12651.

6. Reed, T.C. At the Abyss: An Insider's History of the Cold War. Ballantine Books, New York, 2004.

7. White House. International Strategy for Cyberspace, May 2011; http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.


Author

Herbert Lin (hlin@nas.edu) is chief scientist at the Computer Science and Telecommunications Board of the National Academies, where he has been study director of major projects on public policy and information technology including the 2009 NRC study Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities and the 2010 NRC Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986–1990).


Footnotes

a. http://news.xinhuanet.com/english2010/china/2011-08/09/c_131038851.htm.


Figures


Figure. Senator John Rockefeller spoke before the Senate Homeland Security Committee in February 2012 on the urgent need to pass comprehensive cybersecurity legislation.



Copyright held by author.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2012 ACM, Inc.


 
