[HACK] Bush Orders Guidelines for Cyber-Warfare

Roberto Pla pla at aire.org
Thu Mar 20 22:23:32 CET 2003


washingtonpost.com
Bush Orders Guidelines for Cyber-Warfare
Rules for Attacking Enemy Computers Prepared as U.S. Weighs Iraq Options

By Bradley Graham
Washington Post Staff Writer
Friday, February 7, 2003; Page A01


President Bush has signed a secret directive ordering the government to
develop, for the first time, national-level guidance for determining when
and how the United States would launch cyber-attacks against enemy computer
networks, according to administration officials.

Similar to strategic doctrine that has guided the use of nuclear weapons
since World War II, the cyber-warfare guidance would establish the rules
under which the United States would penetrate and disrupt foreign computer
systems.

The United States has never conducted a large-scale, strategic cyber-attack,
according to several senior officials. But the Pentagon has stepped up
development of cyber-weapons, envisioning a day when electrons might
substitute for bombs and allow for more rapid and less bloody attacks on
enemy targets. Instead of risking planes or troops, military planners
imagine soldiers at computer terminals silently invading foreign networks to
shut down radars, disable electrical facilities and disrupt phone services.

Bush's action highlights the administration's keen interest in pursuing a
new form of weaponry that many specialists say has great potential for
altering the means of waging war, but that until now has lacked presidential
rules for deciding the circumstances under which such attacks would be
launched, who should authorize and conduct them and what targets would be
considered legitimate.

"We have capabilities, we have organizations; we do not yet have an
elaborated strategy, doctrine, procedures," said Richard A. Clarke, who last
week resigned as special adviser to the president on cyberspace security.

Bush signed the order, known as National Security Presidential Directive 16,
last July but it has not been disclosed publicly until now. The guidance is
being prepared amid speculation that the Pentagon is considering some
offensive computer operations against Iraq if the president decides to go to
war over Baghdad's chemical, biological and nuclear weapons development
programs.

"Whatever might happen in Iraq, you can be assured that all the appropriate
approval mechanisms for cyber-operations would be followed," said an
administration official who declined to confirm or deny whether such
planning was underway.

Despite months of discussions involving principally the Pentagon, CIA, FBI
and National Security Agency, officials say a number of issues remain far
from resolved. "There's been an initial step by the president to say we need
to establish broad guidelines," a senior administration official said.
"We're trying to be thorough and thoughtful about this. I expect the process
will end in another directive, the first of its kind in this area, setting
the foundation."

The current state of planning for cyber-warfare has frequently been likened
to the early years following the invention of the atomic bomb more than a
half-century ago, when thinking about how to wage nuclear war lagged the
ability to launch one.

The full extent of the U.S. cyber-arsenal is among the most tightly held
national security secrets, even more guarded than nuclear capabilities.
Because of secrecy concerns, many of the programs remain known only to
strictly compartmented groups, a situation that in the past has inhibited
the drafting of general policy and specific rules of engagement.

In a first move last month to consult with experts from outside government,
White House officials helped arrange a meeting at the Massachusetts
Institute of Technology that attracted about 50 participants from academia
and industry as well as government. But a number of participants expressed
reservations about the United States engaging in cyber-attacks, arguing that
the United States' own enormous dependence on computer networks makes it
highly vulnerable to counterattack.

"There's a lot of inhibition over doing it," said Harvey M. Sapolsky, an MIT
professor who hosted the Jan. 22 session. "A lot of institutions and people
are worried about becoming subject to the same kinds of attack in reverse."

Government officials involved in drafting the new policy insist they are
proceeding cautiously, recognizing the risks of crossing the threshold into
cyber-warfare and acknowledging the difficulties still inherent in trying to
model how a major cyber-attack might play out. By penetrating computer
systems that control the communications, transportation, energy and other
basic services in a country, cyber-weapons can have serious cascading
effects, disrupting not only military operations but civilian life.

"There are questions about collateral damage," Clarke said. As an example,
he cited the possibility that a computer attack on an electric power grid,
intended to pull the plug on military facilities, might end up turning off
electricity to hospitals on the same network.

"There also is an issue, frankly, that's similar to the strategic nuclear
issue which is: Do you ever want to do it? Do you want to legitimize that
kind of weaponry?" Clarke added.

A sign of the Pentagon's commitment to developing cyber-weapons was its
decision in 1999 to assign responsibility in this area to a command under a
four-star general -- at the time, Space Command, which last year merged into
Strategic Command. In addition, a special task force headed by a two-star
general has been established to consolidate military planning for offensive
as well as defensive computer operations.

Maj. Gen. James David Bryan, who heads the Joint Task Force on Computer
Network Operations, said his group has three main missions: to experiment
with cyber-weapons in order to better understand their effects; to
"normalize" the use of such weapons, treating them "not as a separate
entity" but as an integral part of the U.S. arsenal; and to train a
professional cadre of military cyber-warriors.

The Pentagon's general counsel also attempted four years ago to establish
some legal boundaries for the military's involvement in computer attack
operations, issuing a 50-page document that a senior defense official said
in a recent interview remains "the basic primer" on the subject. It advised
commanders to apply the same "law of war" principles to computer attacks
that they do to the use of bombs and missiles -- namely, the principles of
proportionality and discrimination.

This means hitting targets that are of military necessity only, avoiding
indiscriminate attacks and minimizing civilian damage. So, for instance,
sending a computer virus through the Internet to destroy an enemy network
would be ruled out as too blunt a weapon, the senior defense official said.

One challenge that the Pentagon has been facing in exercises simulating
computer attacks is getting military commanders to specify just what effects
they would hope to achieve with a cyber-weapon.

"In the beginning, when we would ask, 'What do you want us to do for you,'
the answer would come back very general," Bryan said. More recently, Bryan
added, the stated objectives have become more specific, which has helped in
designing more precise cyber-weapons.

Even so, effective and predictable computer attacks depend heavily on
detailed intelligence about enemy networks and access to them. For all the
heightened attention to cyber-warfare, specialists contend large gaps exist
between what the technology promises and what practitioners can deliver.

"This whole area still leaves a lot to the imagination in terms of what can
be done," said John P. Casciano, a retired two-star general who supervised
Air Force computer operations.

Given the newness of the weapons, their potential power and the uncertainty
about how they would work, the Pentagon's Joint Staff has issued classified
"rules of engagement" that strictly require top-level approval for any
cyber-attack.

© 2003 The Washington Post Company



More information about the hacking mailing list