Bush Orders Guidelines for Cyber-Warfare

Henk Elegeert HmjE at HOME.NL
Tue Feb 11 09:49:25 CET 2003


REPLY TO: D66 at nic.surfnet.nl

http://www.washingtonpost.com/wp-dyn/articles/A38110-2003Feb6.html

"
washingtonpost.com

Bush Orders Guidelines for Cyber-Warfare
Rules for Attacking Enemy Computers Prepared as U.S. Weighs Iraq Options

By Bradley Graham
Washington Post Staff Writer
Friday, February 7, 2003; Page A01

President Bush has signed a secret directive ordering the government to
develop, for the first time, national-level guidance for determining
when and how the United States would launch cyber-attacks against enemy
computer networks, according to administration officials.

Similar to strategic doctrine that has guided the use of nuclear weapons
since World War II, the cyber-warfare guidance would establish the rules
under which the United States would penetrate and disrupt foreign
computer systems.

The United States has never conducted a large-scale, strategic
cyber-attack, according to several senior officials. But the Pentagon
has stepped up development of cyber-weapons, envisioning a day when
electrons might substitute for bombs and allow for more rapid and less
bloody attacks on enemy targets. Instead of risking planes or troops,
military planners imagine soldiers at computer terminals silently
invading foreign networks to shut down radars, disable electrical
facilities and disrupt phone services.

Bush's action highlights the administration's keen interest in pursuing
a new form of weaponry that many specialists say has great potential for
altering the means of waging war, but that until now has lacked
presidential rules for deciding the circumstances under which such
attacks would be launched, who should authorize and conduct them and
what targets would be considered legitimate.

"We have capabilities, we have organizations; we do not yet have an
elaborated strategy, doctrine, procedures," said Richard A. Clarke, who
last week resigned as special adviser to the president on cyberspace
security.

Bush signed the order, known as National Security Presidential Directive
16, last July but it has not been disclosed publicly until now. The
guidance is being prepared amid speculation that the Pentagon is
considering some offensive computer operations against Iraq if the
president decides to go to war over Baghdad's chemical, biological and
nuclear weapons development programs.

"Whatever might happen in Iraq, you can be assured that all the
appropriate approval mechanisms for cyber-operations would be followed,"
said an administration official who declined to confirm or deny whether
such planning was underway.

Despite months of discussions involving principally the Pentagon, CIA,
FBI and National Security Agency, officials say a number of issues
remain far from resolved. "There's been an initial step by the president
to say we need to establish broad guidelines," a senior administration
official said. "We're trying to be thorough and thoughtful about this. I
expect the process will end in another directive, the first of its kind
in this area, setting the foundation."

The current state of planning for cyber-warfare has frequently been
likened to the early years following the invention of the atomic bomb
more than a half-century ago, when thinking about how to wage nuclear
war lagged the ability to launch one.

The full extent of the U.S. cyber-arsenal is among the most tightly held
national security secrets, even more guarded than nuclear capabilities.
Because of secrecy concerns, many of the programs remain known only to
strictly compartmented groups, a situation that in the past has
inhibited the drafting of general policy and specific rules of
engagement.

In a first move last month to consult with experts from outside
government, White House officials helped arrange a meeting at the
Massachusetts Institute of Technology that attracted about 50
participants from academia and industry as well as government. But a
number of participants expressed reservations about the United States
engaging in cyber-attacks, arguing that the United States' own enormous
dependence on computer networks makes it highly vulnerable to
counterattack.

"There's a lot of inhibition over doing it," said Harvey M. Sapolsky, an
MIT professor who hosted the Jan. 22 session. "A lot of institutions and
people are worried about becoming subject to the same kinds of attack in
reverse."

Government officials involved in drafting the new policy insist they are
proceeding cautiously, recognizing the risks of crossing the threshold
into cyber-warfare and acknowledging the difficulties still inherent in
trying to model how a major cyber-attack might play out. By penetrating
computer systems that control the communications, transportation, energy
and other basic services in a country, cyber-weapons can have serious
cascading effects, disrupting not only military operations but civilian
life.

"There are questions about collateral damage," Clarke said. As an
example, he cited the possibility that a computer attack on an electric
power grid, intended to pull the plug on military facilities, might end
up turning off electricity to hospitals on the same network.

"There also is an issue, frankly, that's similar to the strategic
nuclear issue which is: Do you ever want to do it? Do you want to
legitimize that kind of weaponry?" Clarke added.

A sign of the Pentagon's commitment to developing cyber-weapons was its
decision in 1999 to assign responsibility in this area to a command
under a four-star general -- at the time, Space Command, which last year
merged into Strategic Command. In addition, a special task force headed
by a two-star general has been established to consolidate military
planning for offensive as well as defensive computer operations.

Maj. Gen. James David Bryan, who heads the Joint Task Force on Computer
Network Operations, said his group has three main missions: to
experiment with cyber-weapons in order to better understand their
effects; to "normalize" the use of such weapons, treating them "not as a
separate entity" but as an integral part of the U.S. arsenal; and to
train a professional cadre of military cyber-warriors.

The Pentagon's general counsel also attempted four years ago to
establish some legal boundaries for the military's involvement in
computer attack operations, issuing a 50-page document that a senior
defense official said in a recent interview remains "the basic primer"
on the subject. It advised commanders to apply the same "law of war"
principles to computer attacks that they do to the use of bombs and
missiles -- namely, the principles of proportionality and
discrimination.

This means hitting targets that are of military necessity only, avoiding
indiscriminate attacks and minimizing civilian damage. So, for instance,
sending a computer virus through the Internet to destroy an enemy
network would be ruled out as too blunt a weapon, the senior defense
official said.

One challenge that the Pentagon has been facing in exercises simulating
computer attacks is getting military commanders to specify just what
effects they would hope to achieve with a cyber-weapon.

"In the beginning, when we would ask, 'What do you want us to do for
you,' the answer would come back very general," Bryan said. More
recently, Bryan added, the stated objectives have become more specific,
which has helped in designing more precise cyber-weapons.

Even so, effective and predictable computer attacks depend heavily on
detailed intelligence about enemy networks and access to them. For all
the heightened attention to cyber-warfare, specialists contend large
gaps exist between what the technology promises and what practitioners
can deliver.

"This whole area still leaves a lot to the imagination in terms of what
can be done," said John P. Casciano, a retired two-star general who
supervised Air Force computer operations.

Given the newness of the weapons, their potential power and the
uncertainty about how they would work, the Pentagon's Joint Staff has
issued classified "rules of engagement" that strictly require top-level
approval for any cyber-attack.

© 2003 The Washington Post Company
"
