Governance & Risk Management

Are We Engaged in a Cyberwar?

Differentiating Between Spying, Crime and Warfare
America is under virtual attacks, with key government, military and private-sector information systems being assaulted from abroad. But none of that means we're experiencing a cyberwar.

That's the reckoning of James Lewis, senior fellow at the public-interest policy group Center for International and Strategic Studies. "Spying and crime are not acts of war," Lewis said at last week's panel discussion - Cyberwar: Is Congress Preparing for the Common Defense? - at the State of the Net Conference sponsored by the Advisory Committee to the Congressional Internet Caucus. "I don't think we have seen a case of state-versus-state cyberwarfare."

What would cyberwarfare entail? Some experts suggest that cyberwar - like kinetic war - must cause significant damage and disruption to critical physical infrastructures and human casualties, including deaths.

"We have not seen this type of kinetic attack. That does not mean that it won't happen if we get into a conflict with an advanced opponent," Lewis said. "They have done the reconnaissance, they have done the planning, they have built the tools to let them disrupt things like critical infrastructure. This will be part of warfare in the future. But we're in the stages before cyberwarfare. We are in the stages of people poking around. They're trying to figure out what are the rules, what are the thresholds, what's the other guy up to."

Conventional war has rules, and Congress should address the legal structure of cyberwarfare. "It's not like we're writing on a blank slate here," said Greg Nojeim, senior counsel at the Center for Democracy and Technology, a not-for-profit group that advocates a free and open Internet. "There are rules of war that would have to follow if there was a (cyber) attack."

Nojeim said the response to a cyberwar assault must be on a military target and have a military necessity. "You have to distinguish between combatants and noncombatants; your response has to be proportional to the attack," he said. "The whole area is very complicated and difficult to figure out what to do. I think that we ought to talk a lot more and focus a lot more on the defensive side than offensive side. We're not going to have so much clarity on the offensive side to act with the kind of authority you normally see in a military campaign."

Lewis said current laws governing warfare should apply to conflicts in cyberspace. "We just have to figure out how to apply them," he said.

The panelists differed on cyberwarfare strategy: Nojeim favored a more defensive posture for the United States, while Lewis called for a combination of defensive and offensive capabilities.

Nojeim said the nation should harden its defenses to combat the threat of cyberwarfare. The current state of technology makes it difficult to identify with certainty the motive of an attack, where it originated or who launched it, he said. "We're not sure what's being seen is an attack or whether it's espionage," Nojeim said. "If it is an attack, we don't know for sure if it is a state actor or somebody else. And if we respond with attack, what collateral attack would be on us, on civilians in the country where we think the attack came from but are not sure and civilians in other places? So there is all of this uncertainty of what happened and what we should do about it."

Lewis said the United States had tried a defense-focused approach before, in the 1890s, when the government positioned the Navy only for coastal defense, which he characterized as a dreadful and utter failure. "A defense-only approach doesn't work," he said, adding that an offensive deterrence, like in the physical world, can act in the virtual world as well. "We have a (military) cyber command; how do we use it to increase deterrence? How do we take the offensive capability we have built and use it against some of these advanced opponents, use it against other opponents? But we have to do it in the context of oversight and law and chain of command. I don't think a colonel or a two-star or even a three-star should be authorized to launch some sort of cyber attack. This is a big deal. Who makes the decision right now? It's not clear."

Nojeim agreed that Congress must define cyberwar-making powers. "When you look at the war-making power of the Constitution, the president has certain authorities as commander-in-chief; he's the one who decides how war would be waged. Congress is supposed to decide whether a war would be waged."

Congress enacted the War Powers Resolution in 1973 in the wake of the Vietnam War to require the president to consult with Congress if American troops become engaged abroad in hostile action. "What does a War Power Act in cyberspace look like?" Nojeim asked. "What kind of consultation is required ahead of time? Is there time for any kind of consultation at all? And, what kind of congressional permission ought there to be for continuing hostilities?"

Yet cyber hostilities aren't the same as kinetic warfare. Take, for instance, the December attack on Google and other businesses, believed to have emanated from China. Should the victim be responsible for its own defense? Nojeim thinks so.

"Who knows Google's network, activities, systems better than Google? Who's better able to defend them than Google?" he asks. "Google ought to be charged to take steps to defend itself. And if there are pockets of information that intelligence agencies like the NSA (National Security Agency) have - if they have, for example, classified text signatures - maybe they need to be shared more readily with the Googles of the world, so they can better defend themselves."

Lewis is skeptical of that approach. "What if we got rid of the Air Force and got the airlines to defend our airspace? They have airplanes, and they can fly against (the enemy)," he said to the laughter of the audience. "When we talk about the sort of threats we face, particularly the military side of cyber warfare, no private-sector company can beat them.

"Google is a huge company, very wealthy, high-tech. They think they were invulnerable, and the Chinese creamed them."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
