Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

10 Alternative Futures

As described in Chapters 3-5, the stance of the United States toward cyberattack against adversary foreign nations is one that puts no constraints on its use apart from those imposed by the law of armed conflict and related customary international law. But such a stance is not the only possible one, and from time to time proposals emerge that, if adopted, would constrain activities related to cyberattack for some or all nations, including the United States. This chapter explores some of the issues that arise in considering such proposals, but does not take a stand one way or another on their inherent desirability.

10.1 REGULATORY REGIMES—BASIC PRINCIPLES

The laws of armed conflict acknowledge an inevitability to conflict and seek to put restraints on what might otherwise be unrestrained behavior. In addition, nations that may engage in armed hostilities with one another sometimes enter into legal regimes that regulate the development, testing, production, acquisition, deployment, or use of certain kinds of weapons. Such regimes—generically arms control regimes—are generally regarded as having some mix of three broad purposes: to reduce the likelihood that conflict will occur, to reduce the destructiveness of any conflict that does occur, and to reduce the costs associated with the acquisition of the weapons that are the subject of the agreement or with defense against those weapons.

Arms control agreements can be bilateral between two nations (such as the Strategic Arms Reduction Treaties between the United States and the Soviet Union/Russia) or multilateral among multiple nations (such as the Limited Test Ban Treaty signed and ratified by 94 nations). They can be cast formally as treaties, informally as memorandums of understanding, or even more informally as coordinated unilateral policies. They may place limits on the acquisition of certain kinds of weapons, where acquisition can be understood to mean research, development, testing, production, or some combination thereof (e.g., a ban on the development, testing, production, and deployment of intermediate-range ballistic missiles); on the deployment of certain weapons (e.g., no nuclear weapons in space); on the use of such weapons (e.g., prohibitions on the use of laser weapons specifically designed, as their sole combat function or as one of their combat functions, to cause permanent blindness to unenhanced vision[1]); or on the circumstances of weapons use (e.g., an agreement to refrain from “first use” of nuclear weapons).

In many cases, and especially when they involve the use of certain kinds of weapons, arms control agreements are seen by the signatories as confidence-building measures, that is, actions taken or not taken that are intended to provide a potential adversary with reassurances that some other action is not hostile in intent. For example:

• The United States and the Soviet Union maintained a “hot line” to facilitate direct contact between the respective national leaders during times of crisis on the theory that direct contact would be valuable in reducing misunderstanding about national activities that were ongoing or imminent.
• The United States and the Soviet Union signed an agreement in 1989 that bound each side to take steps to prevent interference with command and control networks in a manner that could cause harm to personnel or damage to equipment of the armed forces of the other side.[2]
• The United States and Russia have another agreement to notify each other 24 hours in advance prior to the launch of a strategic ballistic missile.[3] The intent of this agreement is to reassure the other party that in the event that a strategic ballistic missile is launched by the first party, such a launch is not misunderstood as a prelude to hostilities.
• The United States and Russia have agreed to various measures to reduce the likelihood of an incident at sea between the naval forces of the two countries, and to reduce the likelihood of escalation in the event that one occurred. Such measures include steps to avoid ship collisions, avoiding maneuvers in areas of heavy sea traffic, requiring surveillance ships to maintain a safe distance from the object of investigation, refraining from simulating attacks at the other party’s ships, and so on.[4]

[1] Note that the United States has not ratified the Protocol on Blinding Laser Weapons (Protocol IV to the Convention on Certain Conventional Weapons).
[2] Agreement of the Government of the United States of America and the Government of the Union of Soviet Socialist Republics on the Prevention of Dangerous Military Activities, June 1989, available at http://en.wikisource.org/wiki/Prevention_of_Dangerous_Military_Activities_Agreement.
[3] Agreement Between the United States of America and the Union of Soviet Socialist Republics on Notifications of Launches of Intercontinental Ballistic Missiles and Submarine-Launched Ballistic Missiles, available at http://www.state.gov/t/ac/trt/4714.htm.

Arms control agreements often contain measures to enhance verification—a process by which one signatory can develop confidence that the other side is indeed living up to its obligations under the agreement. Some agreements, such as confidence-building measures, are self-verifying—each nation undertakes to enact or engage in those measures when they are called for in the agreement, and if the nation does not do so when appropriate, the other nation draws whatever conclusions it may draw about the other side’s intentions. Other agreements provide for the use of “national technical means” (i.e., various technical intelligence assets) and/or various kinds of inspections to verify compliance. Still other agreements make no provision for verification at all (such as the Biological Weapons Convention), but nevertheless serve as statements regarding international norms of acceptable conduct that constrain, at the very least, the declaratory policies of the signatories to be consistent with the agreements in question.

Many critics of arms control agreements point to a lack of verification provisions as a fatal flaw in an agreement.
They argue that when the United States is party to such an agreement, it is invariably bound by both the spirit and the letter of the agreement, but that the other party—usually an adversary or a potential adversary of the United States—is likely to violate the agreement in the absence of adequate verification provisions, thus leaving the United States at a relative disadvantage.

These basic principles of arms control regimes can be applied to understanding possible approaches to developing international agreements regulating cyberattack.

[4] Agreement Between the Government of the United States of America and the Government of the Union of Soviet Socialist Republics on the Prevention of Incidents On and Over the High Seas, available at http://www.state.gov/t/ac/trt/4791.htm.
10.2 REGULATORY REGIMES FOR CYBERATTACK

10.2.1 Direct Approaches Based on Traditional Arms Control

What purposes could be served by a regulatory regime for cyberattack? Traditional arms control theory generally indicates that three broad purposes could be served in principle,[5] presuming that the restrictions of the regime are observed by all signatories:

• Reducing the likelihood that conflict will occur. Confidence-building measures—arrangements in which signatory parties agree to refrain from or to notify other signatories prior to conducting certain activities that might be viewed as hostile or escalatory or to communicate directly with each other during times of tension or crisis—are explicitly intended to reduce the likelihood of conflict due to accident or misunderstanding. In addition, agreements to eschew the use of cyberattack may have some value in reducing the likelihood of kinetic conflict in those cases in which cyberattack is a necessary prelude to a kinetic attack.[6]
• Reducing the destructiveness of any conflict that does occur. Limitations on targeting cyberattack weapons could prevent damage to the prohibited entities, presuming that the scope of a cyberattack can be delimited with confidence. Moreover, limiting damage to those entities might prevent escalation from occurring—and such escalation could include escalation to kinetic or even nuclear conflict. Reducing destructiveness might also facilitate a more rapid cessation of cyberhostilities.
• Reducing financial costs. Limitations on acquisition of weapons for cyberattack would not have a significant impact on financial costs, simply because these weapons are so inexpensive in the first place. Nor would a particular adversary’s agreement to refrain from conducting cyberattack relieve the United States from needing to defend against other nations or subnational entities that could use such weapons.
Given the possibilities for cyberattack to disrupt national economies or to distort the activities of individual companies as well (especially large companies that are very important to a nation), a regulatory regime for cyberattack might also reduce the likelihood of economic warfare using this military tool.

[5] These three purposes can be found in Thomas C. Schelling and Morton H. Halperin, Strategy and Arms Control, Pergamon-Brassey’s, Washington, D.C., 1985.
[6] Such cases may well be rare. If and when they exist, they are based on the idea that cyberattack is to be used for shaping battlefield conditions and introducing delay and disruption into adversary planning. (See, for example, the discussion in Chapter 9 (escalation), Chapter 3 (how the United States is likely to use information warfare should it become necessary), and Section 10.3 (regarding China).) If a kinetic attack requires the kind of battlefield conditions and the delay or disruption that only a cyberattack can provide, then the kinetic attack might be inhibited. On the other hand, an adversary may well have alternative (non-cyber) means for accomplishing these tasks.

As an example of an international agreement involving the use of cyberattack, Davis Brown, a former deputy staff judge advocate of the U.S. Defense Information Systems Agency,[7] has proposed to extend the law of armed conflict to account explicitly for the use of information systems in armed conflict (Box 10.1).

The argument for the United States entering into an international agreement regarding cyberattack[8] is based on the notion that the United States would be relatively worse off than any other nation if all nations could carry out cyberattacks without restriction because the United States is significantly more dependent on information technology than any other nation that is likely to be involved in a major cyberconflict. Whether this relative disadvantage will endure over the long term depends on whether the dependence of other nations on information technology is increasing more rapidly than that of the United States—but it is undeniable from any perspective that the United States would have much to lose in all-out cyberconflict whether or not that loss would be greater or less than that suffered by an adversary.

In this view, an agreement regarding cyberattack weapons is based in large part on a desire to delegitimize such use against the United States, precisely because the United States has so much to lose from a large-scale cyberconflict. Conversely, aggressive pursuit of cyberattack capabilities by the United States is seen as legitimizing cyberattack as a military weapon and indeed as encouraging other nations to develop such capabilities for use against the United States and its interests.
Others argue that other nations need no prodding from the United States to develop cyberattack weapons for use against it, and that adversary development of such weapons is inevitable regardless of what the United States chooses to do in this arena.

Another benefit of a formal agreement regarding use of cyberattack is that it can help to make explicit many of the concerns that military operators will have (or, at least, should have) in using cyberattack as an operational weapon. If certain operational practices are prohibited, questions about whether or not an operator can engage in those practices are easier to resolve.

[7] Davis Brown, “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict,” Harvard International Law Journal 47(1):179-221, Winter 2006.
[8] A possible platform on which such an agreement might be constructed is the Convention on Conventional Weapons, an international agreement that regulates a number of individual weapons, including lasers intended to blind humans.
BOX 10.1 An Illustrative Draft Convention Regulating the Use of Information Systems in Armed Conflict

Davis Brown, a former deputy staff judge advocate of the U.S. Defense Information Systems Agency, proposes to extend the law of armed conflict to account explicitly for the use of information systems in armed conflict. Brown accepts conventional LOAC as the initial point of departure and is guided by the principle that an act that violates LOAC if carried out by conventional means also violates LOAC if carried out by cyberattack. Under Brown’s proposal:

• The activities of patriotic hackers against an adversary would be prohibited.
• The military forces conducting cyberattack should not be commingled with civilians in their workplaces.
• Cyberattacks on dual-use infrastructure (e.g., railroads, communications centers, pipelines) are legitimate as long as the military advantage gained by attacking such targets outweighs the harm to civilians.
• The use of cyberattack to attack civilian infrastructure or targets whose destruction would cause severe environmental damage would be prohibited.
• The use of cyberattack weapons whose impact is indiscriminate—that cannot distinguish between military and civilian targets—or that cannot self-destruct or be rendered harmless after hostilities terminate would be prohibited.
• Cyberattacks on the military payroll system or on non-combatant families of military personnel or posting the Social Security numbers of individual servicemen and servicewomen to increase their vulnerability to identity theft would be prohibited.
• Active threat neutralization would be permitted even if it involved damage to innocent third parties whose computers had been compromised, if passive defense was insufficient to defend against the threat.
• Only certain kinds of false identities would be prohibited. These prohibited false identities would include masquerading as an official in the government or armed forces of the target state or of any third state, and masquerading as originating from any third state, or as originating with any medical or religious establishment in any location.
• Belligerents would be forbidden to use for military purposes domain names or computer systems associated with neutral nations, to launch cyberattacks from computer systems in neutral states, or to take control of neutral systems in order to conduct cyberattacks.

SOURCE: Adapted from Davis Brown, “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict,” Harvard International Law Journal 47(1):179-221, Winter 2006.
What about the verifiability of any such agreement? Consider first the feasibility of verifying an agreement to refrain from acquiring cyberattack capabilities. Many factors suggest that such an agreement would not be verifiable in any meaningful way. The technology—hardware technology—of certain kinds of cyberattack is easily available at Staples, Best Buy, and Dell.com, and its acquisition cannot be limited. The knowledge needed to conduct such cyberattacks is more difficult to acquire but is also available on the Internet, to say nothing of knowledge developed by sophisticated computer scientists. Code—software tools—to carry out cyberattack can be transmitted over the Internet and reproduced trivially, and is available from many sources. Restricting the development of the expertise needed to conduct cyberattacks is equally implausible, because the expertise needed to develop defenses against cyberattacks is intimately related to the expertise needed to develop cyberattacks themselves. Nor would any acceptable inspection regime have a meaningful chance to find software-based cyberattack weapons. Finally, the human and technical infrastructure needed to conduct cyberattack would be much smaller than (and could easily be embedded within) that needed to conduct cyberdefense on a large scale, and thus could be easily hidden.

An agreement might also involve restrictions on the use of cyberattack weapons. For example, signatories might agree to refrain from striking at national financial systems or power grids, much as nations might avoid targeting hospitals in a kinetic attack, or to refrain from using lasers intended to blind soldiers.
In order to facilitate the non-attack of such facilities, nations might agree to take measures to electronically identify systems as being associated with prohibited targets,[9] much as the “robots.txt” protocol today is used to signal search engines to refrain from indexing a given website.[10] A more limited agreement might obligate signatories to refrain from first-use cyberattacks on national financial systems or power grids. Obviously, an attacker can ignore such electronic indicators, just as a kinetic attacker can ignore red crosses painted on the sides of ambulances in times of war. Moreover, such agreements are not “verifiable” in advance, in the sense that no amount of information collected before a conflict can guarantee that restrictions on use will be observed during conflict. But such agreements do create international norms regarding the acceptability of such behavior, and they do something to inhibit training that calls for such use. The threat of reciprocal use during conflict may also serve as a deterrent to first use.

[9] Davis Brown, “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict,” Harvard International Law Journal 47(1):179-221, Winter 2006.
[10] For more on this protocol, see http://www.robotstxt.org/.

In the case of cyberattack, restrictions on use are complicated by many factors. For example, subnational groups under the nominal jurisdiction of a signatory may take actions independently of the government. A nation’s military forces may refrain from targeting the power grids of an adversary, but patriotic hackers or terrorist groups on that nation’s soil might do so without explicit government approval. Thus, compliance with such an agreement might entail a somewhat bizarre scenario in which two nations are in conflict, perhaps kinetic conflict, but each is simultaneously conducting actions (perhaps involving law enforcement) to suppress subnational cyber actions intended to advance their respective causes. On the other hand, such agreements are likely to be more effective prior to the onset of conflict, because a signatory would have incentives to take suppressing actions in order to avoid undue and unwanted escalation.

Moreover, arms control agreements have in the past presumed a state monopoly on the arms being regulated. But in the case of tools that might be used for cyberattack, the private sector owns and operates much of the infrastructure through which cyberattacks might be conducted. Indeed, the behavior of individual citizens might be directly affected by a traditional arms control agreement—and the degree of intrusiveness on the behavior of individuals and the private sector more generally might be large indeed depending on the nature of the agreement.

Furthermore, the technology with which to conduct cyberattacks is most assuredly not exclusively or even mostly controlled by governments. Private citizens (hackers) conduct many cyberattacks on their own every day.
Non-state actors such as terrorist groups or transnational criminal organizations could develop significant cyberattack capabilities as well, but would be unlikely to adhere to any agreement between the United States and any of the nations that might harbor them.[11] Under such circumstances, domestic laws in the relevant nations may be the only legal means of regulating the activities of such parties (and even then, the effectiveness of domestic laws depends on the availability of some enforcement mechanism, which may not be present in some of these nations).

Another complication is the functional similarity between cyberexploitation against an adversary’s information systems and cyberattack against those information systems. A cyberexploitation may well be interpreted by the target as a damaging or destructive act (or at least the prelude to such an act), and yet to eschew the former actions would be to contradict what amounts to standard operating procedure for essentially all nations.

[11] Jason Barkham, “Information Warfare and International Law on the Use of Force,” New York University International Law and Politics 34:57-113, 2001.

A final complication discussed in this report arises from the difficulty of tracing cyberattacks to their ultimate origin. If the ultimate origin of a cyberattack can be concealed successfully, holding the violator of an agreement accountable becomes problematic. One technological approach is to deploy a supporting infrastructure more capable than that of today which could support a “use control” regime—a more technologically secure network on a different physical infrastructure whose use would be restricted to those willing to subject themselves to a more constrained regime regarding behavior (e.g., who would agree to be strongly authenticated) and classified as critical to national well-being. But deploying such an infrastructure has many potential drawbacks, such as preventing any connection, physical or logical, to the regular Internet through which cyberattacks might be launched; retaining the economies of the present-day Internet; and preventing the compromise of the strongly authenticated machines.

Agreements might also take place among allies, though in such instances they may take the form of what might be called coordinated unilateral declaratory policies. For example, the NATO nations could collectively agree to refrain from using large-scale cyberattacks against the entire critical infrastructure of an adversary nation as a matter of declaratory policy. Any such agreement—or more precisely, discussions leading to such an agreement—will inevitably stimulate dialogue and debate regarding the topic of cyberattack.

Finally, the history of arms control agreements is that they often suffer from the too-early/too-late problem.
That is, the desirability of an agreement may be anticipated, but the technology, doctrine, and so on are not well developed at the time, so it is premature to enter into an agreement. Then technology and doctrine advance rapidly, and before it is widely realized, it has become too late to enter into an agreement because the potential signatories to such an agreement have so much at stake in using the weapons that would be controlled by the putative agreement.

10.2.2 Indirect Approaches Based on Regulation of Non-military Domains

The United States has been a party to many international agreements that are not arms control agreements. For example, nations have sometimes agreed on the need to protect some area of international activity such as airline transport, telecommunications, maritime activities, and so on, and also on standards for such protection. They may declare certain purposes collectively with regard to a given area of activity on which they agree, often in the form of a multilateral treaty, and then establish consensus-based multilateral institutions (generally referred to as “specialized agencies” composed of experts rather than politicians) to which to delegate (subject to continuous review) the task of implementing those agreed purposes.

Sofaer and Goodman argue that it has been easier to obtain agreement among the nations involved on standards and methods for regulating the civilian (commercial) aspects of a given activity than to obtain agreement on standards and methods for regulating the military (governmental) aspects of the same activity.[12] For example, civil aviation is regulated internationally through agencies that have promulgated numerous agreements and regulations, all by consensus. Over the years, some precedents, and some forms of regulation, have been established, again largely by consensus, that have enhanced the protection of civilian aviation and reduced the uncertainties regarding governmental (military) aviation. A similar pattern of international regulation has resulted in increased maritime safety. In both areas, states have agreed to criminalize terrorist attacks, and to prosecute or extradite violators. These commitments have not uniformly been kept, but security has been enhanced in these areas of international commerce because of the virtually universal support given to protecting these activities from identified threats.

Sofaer and Goodman proposed a draft multilateral treaty that would have initiated a similar process to help improve cybersecurity internationally, even though it would have initially excluded any direct application of rules and standards developed to the national security activities of member states.
The proposed treaty would have included:

• Agreed principles on the use and protection of cyberspace;
• Maximum emphasis on protecting the system, rather than on preventing its use for socially unacceptable objectives such as pornography;
• Agreement of all parties to cooperate in preventing, prosecuting, and cooperating against improper conduct by any non-government group;
• Maximum coverage, so as to limit use of “rogue” territories as bases for attacks;
• A program to develop cyber capacities of developing states; and
• Substantial involvement and authority given to the private sector in developing and approving standards.

[12] Abraham D. Sofaer and Seymour E. Goodman, A Proposal for an International Convention on Cyber Crime and Terrorism, Center for International Security and Cooperation, Stanford University, August 2000.
However, the U.S. government rejected the concept of a multilateral treaty with comprehensive aims in favor of a narrower treaty with European allies limited to establishing certain cyber-system crimes and securing commitments for cooperation in dealing with those activities—the Convention on Cybercrime described in Section 7.2.6. Sofaer and Goodman argue that the approach they propose would, over the long run, provide greater, broad-based international support for a meaningful international cybersecurity regime than will result from a more limited approach.

10.3 FOREIGN PERSPECTIVES ON CYBERATTACK

The potential impact of cyberattacks on a nation’s defense posture has not gone unnoticed in other nations or in the world community. For example, in September 1998, then-Russian foreign minister Igor Ivanov wrote to Kofi Annan, United Nations secretary-general, warning that the effect of information weapons “may be comparable to that of weapons of mass destruction.”[13] Likely in response to that letter, the United Nations General Assembly subsequently considered an item entitled “Developments in the Field of Information and Telecommunications in the Context of International Security”[14] and has adopted a resolution on this topic several times since then.

These resolutions have variously called on member states to further promote the multilateral consideration of existing and potential threats in the information security field, as well as possible measures to limit emerging threats, consistent with the need to preserve the free flow of information.
In addition, they have invited all member states to inform the secretary-general of their views on several topics, including a “general appreciation of the issues of information security”; “definition of basic notions related to information security that would include unauthorized interference with or misuse of information and telecommunications systems and information resources”; and “relevant international concepts aimed at strengthening the security of global information and telecommunications systems.”[15]

Although several member states have indeed submitted views on this topic, the efforts of the General Assembly have been spearheaded by the Russian Federation, and it is not coincidental that important source documents contributing to the UN General Assembly discussion of the topic are authored by senior scholars and others from Russia. For example, some Russian thinkers have noted the potentially strategic significance of information warfare and have connected the consequences of information attacks to potentially nuclear responses:

    From a military point of view, the use of information warfare means against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not. … Considering the possible catastrophic consequences of the use of strategic information warfare means by an enemy, whether on economic or state command and control systems, or on the combat potential of the armed forces, … Russia retains the right to use nuclear weapons first against the means and forces of information warfare, and then against the aggressor state itself.[16]

In stating its views on the subject of information security to the United Nations, Russia defined information war as “confrontation between States in the information area for the purpose of damaging information systems, processes and resources and vital structures, undermining political, economic and social systems as well as the massive psychological manipulation of a population in order to destabilize society and the State.” Information weapons were regarded as the “ways and means used for the purpose of damaging the information resources, processes and systems of a State, exerting an adverse influence, through information, on the defence, administrative, political, social, economic and other vital systems of a State, as well as the massive psychological manipulation of a population in order to destabilize society and the State.”

The Russian Federation has set forth to the United Nations a document articulating what it describes as “Principles of International Information Security.”[17] (Selected principles are listed in Box 10.2.) The document appears to be intended as a draft resolution of the United Nations General Assembly. The intent of the Russian statement of principles appears to be an outright prohibition on the national development, creation, and use of tools for cyberattack (Principle II.a), on interfering with or unlawfully

[13] See letter from Ivanov to Annan, September 30, 1998, available at http://www.un.org/ga/search/view_doc.asp?symbol=A/C.1/53/3&Lang=E.
[14] UN Document A/RES/53/70, “Developments in the Field of Information and Telecommunications in the Context of International Security,” January 4, 1999, available at http://daccess-ods.un.org/TMP/7333411.html.
[15] United Nations Disarmament Handbook, United Nations Publications, New York City, 2004, available at http://www.un.org/disarmament/HomePage/ODAPublications/Yearbook/2004/Html/Ch%20V6.html.
[16] V. I. Tsymbal, “Kontseptsiya ‘Informatsionnoy Voiny’” (Concept of Information Warfare), speech given at a Russian-U.S. conference, “Evolving Post–Cold War National Security Issues,” Moscow, September 12-14, 1995, p. 7, cited in Timothy L. Thomas, “Deterring Information Warfare: A New Strategic Challenge,” Parameters 26(Winter):82, 1996-1997.
[17] United Nations General Assembly A/55/140, Developments in the Field of Information and Telecommunications in the Context of International Security, Fifty-fifth session, Item 69 of the provisional agenda, July 20, 2000, available at http://www.un.org/documents/ga/docs/55/a55140.pdf.
OCR for page 330
BOX 10.2 Selected Russian Principles of International Information Security

Principle II

States shall strive to restrict threats in the field of international information security and with that end in view shall refrain from:

(a) The development, creation and use of means of influencing or damaging another State’s information resources and systems;
(b) The deliberate use of information to influence another State’s vital structures;
(c) The use of information to undermine the political, economic and social system of other States, or to engage in the psychological manipulation of a population in order to destabilize society;
(d) Unauthorized interference in information and telecommunications systems and information resources, as well as their unlawful use;
(e) Actions tending to establish domination or control in the information area;
(f) Preventing access to the most recent information technologies and the creation of conditions of technological dependency in the information field to the detriment of other States;
(g) Encouraging the activities of international terrorist, extremist or criminal associations, organizations, groups or individual law breakers that pose a threat to the information resources and vital structures of States;
(h) Formulating and adopting plans or doctrines envisaging the possibility of waging information wars and capable of instigating an arms race as well as causing tension in relations between States and specifically giving rise to information wars;
(i) The use of information technologies and tools to the detriment of fundamental human rights and freedoms in the field of information;
(j) The transboundary dissemination of information in contravention of the principles and norms of international law and of the domestic legislation of specific countries;
(k) The manipulation of information flows, disinformation and the concealment of information in order to corrupt the psychological and spiritual environment of society, and erode traditional cultural, moral, ethical and aesthetic values;
(l) Expansion in the field of information and the acquisition of control over the national information and telecommunications infrastructures of another State, including the conditions for their operation in the international information area.
OCR for page 331
Principle III

The United Nations and appropriate agencies of the United Nations system shall promote international cooperation for the purpose of limiting threats in the field of international information security and creating, for that purpose, an international legal basis to:

(a) Identify the defining features of information wars and to classify them;
(b) Identify the characteristic features of information weapons, and of tools that may be regarded as information weapons, and to classify them;
(c) Restrict traffic in information weapons;
(d) Prohibit the development, dissemination or use of information weapons;
(e) Prevent the threat of the outbreak of information wars;
(f) Recognize the danger of using information weapons against vital structures as being comparable to the threat of use of weapons of mass destruction;
(g) Create conditions for the equitable and safe international exchange of information based on the generally recognized rules and principles of international law;
(h) Prevent the use of information technologies and tools for terrorist or other criminal purposes;
(i) Prevent the use of information technologies and tools to influence social consciousness in order to destabilize society and the State;
(j) Develop a procedure for the exchange of information on and the prevention of unauthorized transboundary influence through information;
(k) Create an international monitoring system for tracking threats that may arise in the information field;
(l) Create a mechanism for monitoring compliance with the conditions of the international information security regime;
(m) Create a mechanism to resolve conflict situations in the area of information security;
(n) Create an international system for the certification of information and telecommunications technologies and tools (including software and hardware) with a view to guaranteeing their information security;
(o) Develop a system of international cooperation among law enforcement agencies with a view to preventing and suppressing crime in the information area;
(p) Harmonize, on a voluntary basis, national legislation in order to ensure information security.

SOURCE: United Nations General Assembly A/55/140, Developments in the Field of Information and Telecommunications in the Context of International Security, Fifty-fifth session, Item 69 of the provisional agenda, July 10, 2000, available at http://www.un.org/documents/ga/docs/55/a55140.pdf.
OCR for page 332
using information systems or resources (II.d), and on developing plans or military doctrines intended to wage “information wars” (II.h). To support these goals, the Russian statement calls on the United Nations to create an international legal basis to identify the characteristic features of information weapons, and to classify them (III.b); to restrict traffic in information weapons (III.c); and to prohibit the development, dissemination, or use of information weapons (III.d).

Official Russian position statements to the United Nations notwithstanding, it is widely believed that Russia is fully engaged in, or at least developing, the capability for launching cyberattacks, regardless of its UN stance.

China’s view on the topic of cyberconflict appears to be radically different from that of the Russian Federation. One analyst of Chinese military forces identifies 10 “information operations” methods that the Chinese anticipate using:18

- Planting information mines,
- Conducting information reconnaissance,
- Changing network data,
- Releasing information bombs,
- Dumping information garbage,
- Disseminating propaganda,
- Applying information deception,
- Releasing clone information,
- Organizing information defense,
- Establishing network spy stations.

China apparently sees great value in acquiring information warfare capabilities and developing facility in their use, and indeed sees information warfare as an equalizer in potential military conflicts with a technologically superior adversary such as the United States.19 For example, Mulvenon argues that the Chinese see information warfare against the information systems of the U.S. military as a way to degrade and delay the mobilization of U.S. forces and/or their deployment to Taiwan in the event of a crisis over that territory.20

18 Timothy L. Thomas, “China’s Electronic Strategies,” Military Review (May-June), 2001. Available at http://leav-www.army.mil/fmso/documents/china_electric/china_elec-tric.htm.
19 James C. Mulvenon, “The PLA and Information Warfare,” in James C. Mulvenon (ed.), The People’s Liberation Army in the Information Age, Conference Proceedings, The RAND Corporation, 1998.
20 Two PLA authors explicitly endorse what they call “asymmetric information offensives.” See Wang Jianghuai and Lin Dong, “Viewing Our Army’s Quality Building from the
OCR for page 333
The Eligible Receiver exercise of 1997 underscores this point. According to Government Executive,21 the exercise—designed to expose weaknesses in computer security in unclassified DOD computer systems using off-the-shelf technology and software downloaded from hacker websites—demonstrated how hackers might disrupt troop deployments.

But the Chinese also believe that political and economic targets as well as military targets are fair game for information warfare. Indeed, disruption of these institutions is an important element in demoralizing an adversary and reducing its will to fight, and so the Chinese view it as entirely reasonable to attack financial systems, power generation and transmission facilities, and other elements of critical infrastructure as part of conflict with another nation (whether or not that conflict has become kinetic).

Finally, the Chinese also see information warfare as a way of enabling the citizenry to participate in a military conflict,22 in which any citizen with a computer can participate in information warfare against an adversary. Indeed, according to Thomas, the information warfare mission is an ideal one for the reserve military forces of China, which can enlist many individuals who are not qualified or eligible to be frontline soldiers.

The Chinese perspective suggests that the Chinese are likely to view any attempt to restrict the use of cyberattack as a way to undermine one of China’s few advantages in competing militarily with an adversary such as the United States.

Perspective of What Information Warfare Demands,” Jiefangjun bao, March 3, 1998, p. 6, in FBIS-CHI-98-072, March 13, 1998; cited in Mulvenon, 1998.
21 Katherine McIntire Peters, “Information Insecurity,” Government Executive, April 1, 1999, available at http://www.govexec.com/features/0499/0499s1.htm.
22 Timothy L. Thomas, “Like Adding Wings to the Tiger: Chinese Information War Theory and Practice,” Foreign Military Studies Office, Fort Leavenworth, Kans. Undated publication, available at http://fmso.leavenworth.army.mil/documents/chinaiw.htm.