Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

8 Insights from Related Areas This chapter seeks to contrast and compare cyberconflict with con- flict/warfare involving certain other kinds of weapons: nuclear, space, biological, and non-lethal. 8.1  Nuclear Weapons and Nuclear War As noted in Chapter 6, nuclear history and policy are useful points of departure—framing notions and metaphorical checklists—for under- standing issues related to cyberattack, in large part because of the effort that has been devoted to the subject of nuclear conflict over the years. In particular, many questions asked regarding nuclear conflict are relevant to cyberattack, even though the answers to these questions will be very different in the two cases. Consider first some important differences. Perhaps the most impor- tant difference is that the use of a nuclear weapon provides a very impor- tant threshold—there is no sense in which the use of even a single nuclear weapon could be regarded as unimportant or trivial. Indeed, a nuclear explosion anywhere in the world, especially one that does damage, is unambiguously detectable even if it is not attributable. By contrast, cyber- attacks are being used all the time, not necessarily with government sponsorship or approval, but by criminals and hackers and on a large scale as well. Cyberexploitation also occurs on a large scale, often with no one noticing. A second key difference relates to attribution. For much of the Cold 293 

294 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES War, the bipolar nature of the world—the United States and Soviet Union—would have made it relatively easy for the United States to attri- bute a nuclear attack. Although a number of other nations had achieved nuclear capabilities as well, these nations either were allies of the United States (and thus could be presumed to not have hostile intent that might lead to the use of nuclear weapons against it) or were generally incapable of striking the United States. To the extent that the latter proposition is not true, then the United States would have two techniques to determine the identity of an attacking state. First, a network of satellites keeps track of missile launches around the world, and thus the national origin of missile launches can be ascer- tained. (Missiles launched from the sea are more difficult to attribute.) In addition, radiological analysis of a nuclear explosion‘s residues might identify the nation responsible for manufacturing the weapon, provided there is on file a record of the radiological “signatures” that would be pro- vided by nuclear weapons from various nations. And nuclear weapons are generally presumed to be under the tight control of the nation’s national command authority, and thus the use of a Zendian nuclear weapon could be presumed to be a willful act of the Zendian government. None of these conditions applies to attribution of cyberattack, as noted in Chapter 2. When it comes to cyberconflict, the world is distinctly not bipolar, and indeed nation-states are not the only relevant actors. The true geographic origin of a cyberattack is very difficult to identify. There are no characteristic technical signatures of a given cyberattack that can be unambiguously associated with a specific nation. Finally, a cyberattack cannot be presumed to have been undertaken at the direction of a national government, regardless of where it originates. Yet another important difference is that the acquisition of nuclear weapons requires an enormous and expensive infrastructure for develop- ment, testing, and deployment of those weapons, and thus the threshold for obtaining nuclear weapons is much higher than that for cyberweap- ons. The elements of such an infrastructure are much easier to observe and identify than the infrastructure needed to acquire cyberweapons. Cyber- weapons can be acquired on a small budget behind closed doors using technology that is widely and easily available. In theory, both nuclear weapons and cyberweapons can be purchased, but the sale of a nuclear weapon would be much more visible to national intelligence agencies than the sale of a cyberweapon (some of which can be downloaded for free on the Internet). Consequently, deterrence through the threat of retaliation has much less credibility for cyberwarfare than for nuclear warfare, a point that in itself is an important difference between cyber and nuclear warfare. (Of course, it is also true that as some of the features of a bipolar adversarial 

INSIGHTS FROM RELATED AREAS 295 regime become less relevant or applicable to the state of nuclear affairs today, traditional theories of nuclear deterrence also begin to fray around the edges.) Finally, from an analytical point of view, theories and simulations of escalation dynamics and control have been developed to help understand how a nuclear conflict might unfold—how conflict might transition from non-nuclear to nuclear, the scale and scope of first nuclear use, how such use might lead to subsequent nuclear use, and how nuclear conflict might be terminated. There are few similar theories (at least not in the public literature) about how cyberconflict might unfold, but given the lack of real-world experience with cyberconflict, such theoretical development might well be worthwhile. Chapter 9 provides a few sketchy specula- tions on this matter. There are also a number of similarities between the two domains. From a technical standpoint, one similarity between nuclear weapons and cyberweapons is the superiority of the offense over defense. In both instances, attack operations—i.e., operations that result in destruction or damage—are much easier to undertake than defensive operations, i.e., operations to prevent an attacker from inflicting damage. But the consequences of this similarity are very different in the two cases. In the nuclear domain, this undeniable technical reality has forced the nuclear- armed nations of the world to rely on a strategy of deterrence by threat of retaliation. In the cyber domain, the difficulties of attack attribution leave a comparable threat with far less credibility. From an operational perspective, military planners have consid- ered the use of nuclear weapons for both strategic and tactical purposes (though debates rage about the wisdom of using nuclear weapons for tactical purposes). In targeting, they can be aimed at adversary military capabilities (counterforce targeting) and societal infrastructure (counter- value targeting). Both can be used in first-use and second-use scenarios. It is technically possible to create automated responses to nuclear attack or cyberattack. At the same time, there are many difficulties in develop- ing a highly reliable and automated assessment regarding both the actual fact of an attack and the appropriate party against which to respond, and thus, the wisdom of such responses in both cases is subject to some con- siderable question. Finally, both nuclear attack and cyberattack can lead to unintended and unforeseen consequences as well as cascading effects  See, for example, David E. Sanger and Thom Shanker, “U.S. Debates Deterrence for Nuclear Terrorism,” New York Times, May 8, 2007.  Of course, the validity of theories of nuclear escalation and control—or of U.S. nu- clear doctrine for that matter—has not been tested empirically. Some might regard the net ­ outcome—many untested theories of nuclear conflict and a scarcity of theories of c ­ yberconflict—as more of a similarity between the two domains than a difference. 

296 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES and liabilities, and attack scenarios involving nuclear weapons and cyber- weapons are highly complex. From an organizational point of view, both nuclear attack and cyber- attack are complex subjects. They both require deep understanding of technology and policy available only in specialized communities. A great deal of intelligence-based preplanning is needed to construct plausible and realistic attacks with both kinds of weapon, and options can be created in each case for a range of desired effects. Institutionally, both are managed under the U.S. Strategic Command, and the reach of both nuclear weapons and cyberweapons is potentially global. Other adversary nations and subnational groups are drawn to nuclear weapons and cyberweapons (as well as to other weapons of mass destruc- tion) at least in part because they may serve as equalizers that afford the ability to compete directly but asymmetrically with the United States in conflict situations. Finally, cyberwarfare and nuclear conflict may be intimately related under some circumstances. For example, the command and control net- works used to control nuclear weapons might be targets of cyberattack. A large-scale use of cyberattack weapons that threatens the survival of the targeted nuclear-armed nation could result in its use of nuclear weap- ons. As noted in Section 6.1.1, U.S. declaratory policy regarding nuclear weapons suggests that the United States could respond to certain kinds of cyberattacks against it with nuclear weapons. The last point also raises the possibility that the United States might, under some circumstances, choose to refrain from using cyberattacks that are intended to have large-scale, society-damaging effects, at least against nuclear-armed states. This point is explored further in Section 9.2 on esca- lation dynamics and control. 8.2  Space Operations in space provide a few lessons for understanding cyberat- tack and cyberexploitation. (For purposes of this discussion, operations in space are limited to operations involving satellites.) Satellites can be attacked in a number of ways. They can be destroyed by kinetic impact (such as by a direct-ascent missile) or by directed energy weapons (either land-based or space-based) that cause the satellite to overheat or that destroy on-board optical or infrared sensors. Such “hard- kill” options render a satellite permanently inoperative. “Soft-kill” options interfere with the satellite’s operation, rendering it non-functional, but in a reversible manner. One might, for example, jam its command uplink so that it cannot receive commands from the ground. In the absence of such commands, a satellite might not be able to execute 

INSIGHTS FROM RELATED AREAS 297 a given mission or it might even drift out of position. A satellite may use an unencrypted command link, so that an adversary could manipulate the satellite’s functions. A more fanciful approach for soft kill might entail the unfurling of a large aluminized Mylar bag around the adversary satellite that prevented commands from reaching it or from using its on-board sen- sors. Attacks on the ground control stations of a satellite could also render a satellite non-functional, although a nation that relied on satellites heavily would be likely to have backup ground stations for such contingencies. Apart from attacks on ground stations, attacks on satellites would almost certainly be non-lethal—there would be no military value in attacking a crewed space vehicle. But an attack on an important satellite would undoubtedly have strategic impact. That is, if undertaken before kinetic conflict had broken out, such an attack would be regarded by the satellite-owning nation as a major provocation, and it undoubtedly would qualify as a hostile “use of force” against that nation. If it were undertaken after kinetic conflict had broken out, it would inevitably be regarded as a significant escalation of the conflict. Some kinds of cyberattack share some of these characteristics. As noted in Chapter 2, the immediate effects of cyberattack are almost always non-lethal, but the consequences of certain kinds of cyberattack, such as attacks on the infrastructure of a nation, could have large-scale strategic impact. And, depending on how they were configured, cyberattacks may result in hard kill or soft kill of their targets. Intelligence collection is another point of legal similarity between operations in space and cyber operations. Today, there is broad interna- tional acceptance of the principle that reconnaissance satellites can transit freely and without prior approval over national boundaries. Similarly, cyberexploitations have not traditionally been regarded as violations of international law. 8.3  Biological Weapons Biological weapons and cyberweapons share a number of similarities— indeed, the term “virus” as an instrument of cyberattack was adopted in recognition of a mode of large-scale attack with certain similarities to how biological viruses spread and attack hosts. It is helpful to consider biological weapons and cyberweapons with respect to two categories—characteristics of the weapons themselves,  Public opinion and perceptions of these two acts are quite different—there is little public outcry against the reconnaissance satellites of other nations directed against the United States, but there is a great deal of public outcry against cyberexploitations directed against the United States. 

298 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES and characteristics of the infrastructure needed to produce and use such weapons. One major similarity of biological weapons and cyberweapons is that the release of the weapons agent and/or its effects may well not be imme- diately detectable. A biological virus can be released quietly in a crowded football stadium (no loud explosions), and people will become sick days later. A computer virus can be released on the Internet without notice, and can lie dormant on targeted computers for extended periods without anyone noticing symptoms such as degradation in computer performance and so on. And its effects will be noticed only if the virus is triggered. In both cases, the weapon can replicate without requiring human intervention—biological viruses or bacteria can multiply; computer viruses and worms copy themselves. One result is that weapons effects may continue after and beyond the point of the initial attack. The disease caused by a bioweapon may propagate through secondary contagion (i.e., human carriers of a disease), whereas the effects of a cyberattack may propagate or cascade beyond the point of the initial attack (as other computers are attacked). It is possible for cyberattack weapons to be selective about the targets on which they inflict damage—for example, a virus or a worm may be configured to cause damage only to selected systems even if it propagates to a large number of systems. In principle, biological weapons might be tailored to cause disease only in individuals with a certain biological sig- nature, even if it infects others without causing disease. Furthermore, much of society is constructed in ways that enhance the efficacy of biological weapons and cyberweapons. The effective- ness of biological weapons is enhanced by high population densities in urban areas and by poor health care and public health/epidemiological reporting systems; the effectiveness of cyberweapons is enhanced by high dependence on interconnected information technology and a lack of con- certed attention to cybersecurity on a societal scale. “Blowback” from biological weapons and from cyberweapons is an important concern. Blowback refers to the phenomenon in which a weapon loosed on an enemy blows back against the weapons user. A See, for example, British Medical Association, Biotechnology, Weapons and Humanity, Harwood Academic Publishers, Amsterdam, the Netherlands, 1999; and Claire M. Fraser and Malcolm R. Dando, “Genomics and Future Biological Weapons: The Need for Pre- ventive Action by the Biomedical Community,” Nature Genetics 29(3):253-256, November 2001, available at http://cmbi.bjmu.edu.cn/news/report/2001/insight-anthrax/feature/­ Genomics%20and%20future%20biological%20weapons.pdf. The issue of such targeted weapons was raised as early as 1970 in the professional military literature. See Carl Larson, “Ethnic Weapons,” Military Review 50(11):3-11, November 1970, available at http://usacac. army.mil/CAC/Repository/Materials/MilitaryReview-197011300001-DOC.pdf. 

INSIGHTS FROM RELATED AREAS 299 biological virus used by Zendia against Ruritania may, in an unknown period of time, affect Zendian citizens en masse. Similarly, a Zendian computer virus targeted against Ruritanian computers may eventually infect Zendian computers. 8.4  Non-Lethal Weapons Non-lethal weapons constitute yet another area from which some rel- evant insights may be gleaned. Box 8.1 provides some illustrative exam- ples of non-lethal weapons. A preliminary similarity is the struggle over appropriate terminology regarding non-lethal weapons, a struggle that reprises the analogous issue BOX 8.1  Non-lethal Weapons—Illustrative Examples Traditional Instruments • Night sticks and truncheons • Water cannons that shoot jets of water at high pressure • Rubber bullets • Tear gas • Pepper spray • Dogs Today’s Instruments • Tasers • Flashbangs (which create loud sounds or sudden bursts of light or bad smells) • Projectile netting • Carbon filaments (for use against electrical grids, to short out switching stations) • Loud music (e.g., Noriega and the use of Nancy Sinatra's “These Boots Are Made for Walking”) Future Systems • Sticky or slippery foams • Non-nuclear electromagnetic pulse weapons for use against vehicles • Malodorants • Sound cannons (for projecting loud sounds at standoff distances, e.g., against small boats) • Active denial systems (e.g., a vehicle-mounted millimeter-wave heat ray that creates intense heat pain through clothing without actually causing burns) 

300 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES raised in Chapter 1 about information warfare, information operations, cyber operations, and so on. Non-lethal weapons have come to desig- nate a category of weapons that are explicitly designed and primarily employed so as to incapacitate personnel or materiel while minimiz- ing fatalities, permanent injury to personnel, and undesired damage to property and the environment. But there are no assurances or guarantees of non-lethality—no matter how carefully designed or carefully used, a given “non-lethal” weapon may result in fatalities if it is used against a particularly vulnerable person. One proposed alternative calls such weap- ons “less lethal,” but objections have been raised to that term as well as indicating that such weapons would be used to create undead zombies. A clumsy term might be “weapons with significantly reduced probability of lethality,” but clumsy terms are hard to use in discourse. One policy issue raised by non-lethal weapons involves a seductive quality about them that has the potential of lulling users into a sense of complacency about their use. For example, the New York Times reported on a study by the sheriff’s office in Orange County, Florida, in which the officers on patrol were all equipped with tasers and were trained to use them. One immediate effect was that the number of citizen fatalities due to police action decreased dramatically—the hoped-for effect. A second immediate effect was a dramatic increase in the frequency of police use of force overall. That is, prior to the introduction of tasers, the police might not have used force in any way—they might have talked the person down or waited him out or might have found some way to resolve the matter without using force. But with tasers in hand, they were more willing to use force (that is, to use a weapon) than before. This effect had not been anticipated. A similar issue arises with cyberweapons, which are also non-lethal with respect to their immediate effects. Perhaps more importantly, they offer the opportunity to avoid the use of traditional lethal weapons—and for policy makers seeking to take actions short of the use of such weap- ons, they may be similarly seductive. That is, if policy makers see them as weapons without lethal effects, they may be more inclined to favor options calling for their use or to specify rules of engagement for using them in the field that are more permissive than would be the case for kinetic weapons.  Alex Berenson, “As Police Use of Tasers Soars, Questions Over Safety Emerge,” New York Times, July 18, 2004.  The search for actions that are “short of force” is apparent in almost every instance in which economic sanctions are proposed against some nation. That is, economic sanctions are almost always the first actively adversarial action taken against nations that offend the international order. 

INSIGHTS FROM RELATED AREAS 301 A related point is whether the existence of non-lethal weapons (or perhaps cyberweapons) places legal or moral/ethical obligations to use them before lethal weapons are used. Similar questions have arisen in the context of using smart versus dumb bombs. It can be argued that both morality and the law of armed conflict requires the use of the weapons that are the most discriminating in their ability to minimize collateral damage—by this argument, a military force would be required to use smart bombs (that is, weapons that can be more accurately aimed) before it used dumb bombs (weapons that are less discriminate in their destruc- tion). To date, the United States and other nations have resisted any such argument, but these issues may recur from time to time in the future as weapons become even more discriminate. Finally, both law enforcement agencies and the Department of Defense have equities and interests in the area of non-lethal weapons. But their interests and priorities are different, and it is hard to point to a single authoritative voice within the U.S government on the subject. Similarly, the U.S. Air Force and the National Security Agency (and perhaps other intelligence agencies as well) also have an interest in cyberattack and offensive cyber operations, and the different interests and priorities of these institutions will have to be reconciled.