Team Infidel
Forum Spin Doctor
Wall Street Journal
August 14, 2008
Pg. 6
By Siobhan Gorman
WASHINGTON -- The cyberattacks in Georgia are re-energizing a debate over whether the laws of war apply in cyberspace. Among the biggest questions: When is a cyberattack an act of war?
As Russia continued military actions inside Georgia, in apparent violation of a Tuesday cease-fire agreement, some Georgian government Web sites, including the president's office, remained under attack.
Cyberweapons are becoming a staple of war. The Georgian conflict is perhaps the first time they have been used alongside conventional military action. Governments and private cyberwarriors can exploit Internet security gaps to not only take down government Web sites but also take control of power grids and nuclear reactors.
U.S. officials have begun to consider the legal and policy problems that cyberwarfare presents, but cybersecurity experts said the government has been slow to resolve them in the face of an increasing likelihood that cyberattacks will be used to augment, or even supplant, typical military action.
"We are in a world where governments have not decided yet whether the tools of cyberattacks are weapons," said Scott Borg, director of the U.S. Cyber Consequences Unit, a think tank that advises governments and companies. "We don't have any really clear international understandings about these matters."
The Pentagon doesn't have a policy on whether a cyberattack can be an act of war, said Pentagon spokesman Lt. Col. Eric Butterbaugh, adding, "it's ultimately the perception of the country under attack as to whether an act of war was committed." The Pentagon has, however, assigned its Strategic Command to head up cyberprotection and cybercounter-attack operations.
To begin to develop policies, officials from the U.S. State Department, the Pentagon and intelligence agencies have been tapping the private sector and academia for ideas. They convened a meeting two months ago to bring experts from the private sector together to discuss the foreign-policy implications of cyberwarfare. They considered the similarities between a bioterror attack and a cyberattack and agreed that cybersecurity needs to be seen as a major national security issue.
Among the group's conclusions was that because no government entity is responsible for establishing foreign policy on cyberwarfare, it isn't getting done, said O. Sami Saydjari, president of the Cyber Defense Agency, a consulting firm.
"Everyone was, in an unspoken way, looking forward to the next presidency to try to resolve the ownership issue," he said, noting that he had attended a similar meeting about five years ago.
So far, one policy the U.S. has established is that cyberattack capabilities won't be considered part of arms-control agreements. Russia has repeatedly argued to include it.
After Estonia was hit in 2007 with a cyberattack that disabled many government and bank Web sites, it made a formal request to the North Atlantic Treaty Organization to come to its defense. NATO declined to make a finding on the request, but it did accelerate its work on a common approach to cybersecurity. Earlier this year, the organization approved a cyberdefense policy that establishes a set of common principles recognizing the importance of cyberdefense and directing agencies within NATO to establish a coordinated approach.
The policy doesn't resolve many of the difficult legal and policy issues, such as when a cyberattack is an act of war or when and how NATO allies should retaliate.
"The document is the first, and an important step," said Lauri Almann, Deputy Minister of Defense of Estonia. "What now has to stem from these guidelines and policy documents is concrete action." One key challenge, he said, is the difficulty of attributing the source of the attack. If countries are going to retaliate -- either militarily or with economic sanctions -- they need to be certain that they have the culprit.
Cybersecurity specialists and officials such as Mr. Almann said that the attacks on Georgia, because they were so public, will likely drive government leaders to better align the laws of war to cyberwarfare.
But it isn't clear how Georgia could retaliate. With such "asymmetric" attacks, Mr. Borg said, the government leaders need to decide whether a government can fire back at the country hosting the group believed to be responsible for an attack. "We've entered the cyberdefense era," he said. "It's just as big a transition as entering the nuclear-defense era."
August 14, 2008
Pg. 6
By Siobhan Gorman
WASHINGTON -- The cyberattacks in Georgia are re-energizing a debate over whether the laws of war apply in cyberspace. Among the biggest questions: When is a cyberattack an act of war?
As Russia continued military actions inside Georgia, in apparent violation of a Tuesday cease-fire agreement, some Georgian government Web sites, including the president's office, remained under attack.
Cyberweapons are becoming a staple of war. The Georgian conflict is perhaps the first time they have been used alongside conventional military action. Governments and private cyberwarriors can exploit Internet security gaps to not only take down government Web sites but also take control of power grids and nuclear reactors.
U.S. officials have begun to consider the legal and policy problems that cyberwarfare presents, but cybersecurity experts said the government has been slow to resolve them in the face of an increasing likelihood that cyberattacks will be used to augment, or even supplant, typical military action.
"We are in a world where governments have not decided yet whether the tools of cyberattacks are weapons," said Scott Borg, director of the U.S. Cyber Consequences Unit, a think tank that advises governments and companies. "We don't have any really clear international understandings about these matters."
The Pentagon doesn't have a policy on whether a cyberattack can be an act of war, said Pentagon spokesman Lt. Col. Eric Butterbaugh, adding, "it's ultimately the perception of the country under attack as to whether an act of war was committed." The Pentagon has, however, assigned its Strategic Command to head up cyberprotection and cybercounter-attack operations.
To begin to develop policies, officials from the U.S. State Department, the Pentagon and intelligence agencies have been tapping the private sector and academia for ideas. They convened a meeting two months ago to bring experts from the private sector together to discuss the foreign-policy implications of cyberwarfare. They considered the similarities between a bioterror attack and a cyberattack and agreed that cybersecurity needs to be seen as a major national security issue.
Among the group's conclusions was that because no government entity is responsible for establishing foreign policy on cyberwarfare, it isn't getting done, said O. Sami Saydjari, president of the Cyber Defense Agency, a consulting firm.
"Everyone was, in an unspoken way, looking forward to the next presidency to try to resolve the ownership issue," he said, noting that he had attended a similar meeting about five years ago.
So far, one policy the U.S. has established is that cyberattack capabilities won't be considered part of arms-control agreements. Russia has repeatedly argued to include it.
After Estonia was hit in 2007 with a cyberattack that disabled many government and bank Web sites, it made a formal request to the North Atlantic Treaty Organization to come to its defense. NATO declined to make a finding on the request, but it did accelerate its work on a common approach to cybersecurity. Earlier this year, the organization approved a cyberdefense policy that establishes a set of common principles recognizing the importance of cyberdefense and directing agencies within NATO to establish a coordinated approach.
The policy doesn't resolve many of the difficult legal and policy issues, such as when a cyberattack is an act of war or when and how NATO allies should retaliate.
"The document is the first, and an important step," said Lauri Almann, Deputy Minister of Defense of Estonia. "What now has to stem from these guidelines and policy documents is concrete action." One key challenge, he said, is the difficulty of attributing the source of the attack. If countries are going to retaliate -- either militarily or with economic sanctions -- they need to be certain that they have the culprit.
Cybersecurity specialists and officials such as Mr. Almann said that the attacks on Georgia, because they were so public, will likely drive government leaders to better align the laws of war to cyberwarfare.
But it isn't clear how Georgia could retaliate. With such "asymmetric" attacks, Mr. Borg said, the government leaders need to decide whether a government can fire back at the country hosting the group believed to be responsible for an attack. "We've entered the cyberdefense era," he said. "It's just as big a transition as entering the nuclear-defense era."