8 July 1998
Source: Hardcopy The Washington Post, July 8, 1998, pp. A1, A10
Cyberwar: A New Weapon Awaits a Set of Rules
Military, Spy Agencies Struggle to Define Computers' Place in U.S. Arsenal
By Bradley Graham
Washington Post Staff Writer
Intent on developing more powerful weapons for penetrating enemy computer networks, U.S. military and intelligence authorities are struggling to define new rules for deciding when to launch cyber attacks, who should authorize and conduct them and where they fit into an overall defense strategy.
Not since the advent of nuclear bombs half a century ago have national security officials confronted weapons with such potential to alter the means for waging war, according to those involved in the planning. But the consequences of their use remain largely unexamined and problematic.
The full extent of U.S. offensive capabilities is among the most tightly held national security secrets. According to various accounts, the government has explored ways of planting computer viruses or "logic bombs" in foreign networks to sow confusion and disruption. It has considered manipulating cyberspace to disable an enemy air defense network without firing a shot, shut off power and phone service in major cities, feed false information about troop locations into an adversary's computers and morph video images onto foreign television stations.
Pentagon officials say they are at an early stage of thinking about the various applications for cyber weapons and the legal, ethical and operational consequences of employing them. But because of secrecy concerns, many of the programs remain known only to strictly compartmented groups, inhibiting the drafting of general policy or specific rules of engagement.
"It's a little bit like medical ethics," said a high-ranking Defense Department official who requested anonymity. "The technology gives you the capabilities that go a lot further than the ethical context for using them sometimes. This is a very tough area."
A presidential decision directive last month outlining a plan for raising U.S. defensive barriers against computer attack made no mention of the offensive side of the issue. Senior administration officials say no presidential directive about offensive capabilities is even in the works that might help resolve definitional and operational differences between the Pentagon and intelligence agencies.
Similarly, Congress has held next to no public debate on the direction the United States should be heading in inventing cyber weapons, writing guidelines for their use or weighing the potential international repercussions of unleashing them.
At a Senate hearing last month that focused on the vulnerability of America's own information systems to unauthorized entry, Sen. Carl M. Levin (D-Mich.) gingerly ventured a question about whether the United States is developing offensive capabilities. In a one-sentence reply, George J. Tenet, the director of central intelligence, said the nation can rest assured that "we're not asleep at the switch in this regard."
"It's my sense that the policy in this area is at a fairly immature stage of development," said a Senate staff member with oversight responsibility. "But part of the problem in discussing information operations is that whenever you get into the offensive stuff, you very quickly run into a security brick wall. The Defense Department has next to nothing to say about this in an unclassified form."
For all the heightened interest in cyber warfare, specialists cautioned that yawning gaps exist between what the technology promises and what practitioners can deliver. Large-scale computer attacks require an extraordinary amount of detailed intelligence about a nation's hardware and software systems, as well as about the habits and decision-making processes of foreign political and military authorities. Moreover, cyber operations can become unwieldy.
"Frequently, we like to think of electronic attack as the ultimate in precision weapons," said Vice Adm. Arthur K. Cebrowski, a leading Navy authority on the subject. "But these are not necessarily very precise instruments."
Further, much still is unknown about how a major cyber attack would play out. "We don't understand the cascading effects on decision-making of what providing defective data to an enemy may mean," said a colonel responsible for the Air Force's information warfare plans. "That's a hard thing to model."
Other critical questions surround these largely untested weapons, according to experts inside and outside government. Given their broad destructive potential, for instance, should cyber weapons be treated the way nuclear bombs have been and placed under a special military command authority, similar to the Strategic Command that manages targeting plans for the U.S. atomic arsenal? When should the United States justifiably consider taking down chunks of the information infrastructure of a foreign country? What are the risks of inviting retaliation against U.S. computer networks? How should intrusions into foreign systems be conducted in peacetime for the benefit of intelligence gathering, and when does such passive snooping -- which often involves the same computer techniques as offensive action -- cross some boundary into outright aggression?
"What constitutes an act of war in this area? It's never been made clear," said Brenton C. Greene, a former Pentagon specialist in information operations who served on the presidential commission that studied U.S. vulnerabilities last year.
Several government sources also spoke of an ongoing interagency dispute over when a cyber break-in requires special presidential approval, with the intelligence community arguing the need for the White House to sign off on such covert actions but the Pentagon preferring to view some of its peacetime cyber operations less formally as "prepping the battlefield."
By traveling across global networks and flitting in and out of countries without assuming a physical presence, cyber warriors pose a new challenge to old notions of national sovereignty. Their assaults on societal information networks blur traditional distinctions between military and civilian targets.
Michael McConnell, a retired three-star admiral who stepped down two years ago as head of the National Security Agency, said he knows more than a dozen people who could "do major damage" to a nation by mounting a computer attack with just a few weeks of preparation.
"The question is, what's the legal framework for some of these things?" said Dan Kuehl, a former Air Force officer who now heads the National Defense University's department of information operations. "The answer is, we don't know."
Senior Defense Department officials say they are attempting to define what classes of targets might be appropriate for cyber weapons and sorting out the legal issues with Justice Department and intelligence community officials. Congressional sources also report that the House and Senate intelligence committees have pressed behind closed doors for greater clarity in the kinds of cyber operations under consideration and for improved coordination between the Pentagon, CIA and FBI to keep their hackers from tripping over one another in cyberspace abroad.
The Pentagon has restructured units under the Office of Secretary of Defense and on the Joint Staff to give greater attention to offensive as well as defensive computer operations. And regional military commanders have been instructed to review their war plans for ways in which cyber weapons can be substituted for conventional munitions. "That's causing some pretty aggressive thinking about how they might be able to go after some targets with electrons instead of iron bombs," said one informed congressional staff member.
Last year, military and intelligence officials overcame turf concerns and set up a joint Information Operations Technology Center at the National Security Agency, the supersecret organization responsible for spying on foreign communication networks.
But there appears to be little inclination on the part of senior Pentagon officials to establish a special command for conducting cyber operations. "I don't think there's a special requirement to create a special process to deal with cyber weapons," said a general on the Pentagon's Joint Staff. "Clearly, the basic processes for getting approval are in place, the same ones we use for execution of any military plan."
Ultimately, U.S. defense officials envision using cyber weapons as much to forestall conflict as to wage war. They see computer tools as part of a larger package of "information operations" -- including more traditional psychological operations, electronic warfare measures and deception actions -- that can be applied in conjunction with diplomatic efforts to help dissuade a potential opponent from fighting.
This notion was tested in a pioneering series of military exercises in 1996 and 1997 dubbed Evident Surprise and run by Marine Gen. John Sheehan, who headed the Atlantic Command. As perhaps the most energetic four-star proponent of information operations until his retirement last autumn, Sheehan also held periodic Saturday meetings on the Washington campus of the National Defense University with a group of top Pentagon and intelligence officials, pressing them for clearer policy guidance.
In one scenario posed by Sheehan two years ago, with striking parallels to the present, India and Pakistan were assumed to have acquired nuclear capabilities and were preparing to use them. The United States also was assumed to have gained access to the information systems of both nations.
"I said to the group, as a matter of policy, do you want to alter their command and control capability to the point where neither side has a clear picture of the battlefield, thereby preempting their use of nuclear weapons?" Sheehan recounted. "Who decides? We never got an answer to that question."
© Copyright 1998 The Washington Post Company