The war room of our cinematic nightmares (Stanley Kubrick's masterpiece, "Dr. Strangelove," 1964)
According to new Pentagon cyber strategy, state-of-war conditions now exist between the US and China
Posted by Thomas P. M. Barnett
Wednesday, June 1, 2011 at 5:04 am
China has been pre-approved for kinetic war strikes from the United States at any time. Let me explain how.
First off, what the strategy says (according to the same WSJ front-page article Mark cited yesterday):
The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.
In other words, if you, Country C, take down or just plain attack what we consider a crucial cyber network, we reserve the right to interpret that as an act of war justifying an immediately "equivalent" kinetic response (along with any cyber response, naturally). If this new strategy frightens you, then you just might be a rational actor.
Theoretically, this means if you, Country C, hack and disable the net of crucial US installation X, America can fire missiles at your equivalent civilian or military installation (C)X. Of course, by responding to your "act of war," we are initiating our own war response, meaning we'd need presidential approval to start the fireworks. But the key point is, by hacking something that we consider to be national security-sensitive, you leave yourself open to a state-of-war response from the United States at the time of its choosing, so be forewarned.
Which facilities fall into this "eye for an eye (or ear or . . .)" category? Naturally, America shouldn't say, so as to keep Country C in the dark (the essence of deterrence), but putting us in the dark (take-down of an electric grid) is an obvious one cited in the WSJ piece. Again, theoretically, almost anything can be described as crucial on some national security scale (e.g., hack Monsanto in just the right way and maybe you put US food security at risk), because the small damage that you, Country C, choose to create in our nets might easily cascade into something far larger, so virtually any hack emanating from your networks puts you at risk for a US war response.
Second, while we can make all sorts of arguments about various governments and non-state actors giving us a hard time, we all know that the only player that matters in this new strategy is China.
Third, we know that China does this sort of hacking all the time. On any day of the week, we could justify any number of equivalent attacks - kinetic or otherwise. Inside the national security community, you hear about these attacks constantly, ones that involve all sorts of sensitive companies, technologies, networks, etc. Virtually all of them track back to China, truth be told. I'm not talking secrets. This is common knowledge - day-to-day operational reality.
Point being, China is now essentially - and at all times - pre-approved for retaliatory strikes, unless it were to immediately cease and desist all such hacking activity. Of course, the Chinese government can always pretend that any hacking attacks that are traced back to its nets reflect non-state activity beyond its control, but this new cyber strategy basically pre-loads the Tommy Lee Jones response from "The Fugitive":
Time to jump, doc. ("The Fugitive," 1993)
Dr. Richard Kimble: I didn't kill my wife!
Deputy Marshal Samuel Gerard: I don't care!
This is an destabilizing step sideways in our security relationship with China: Beijing is being warned that its current and ongoing behavior can - at any time - be loosely interpreted as an act of war. Whatever situations or crises ensue, that handy rationale is now always sitting in the Pentagon's back pocket, because I guarantee you, whenever big-war enthusiasts want to play that card, the Defense Department will be able to muster - at a moment's notice - a long list of Chinese hacking attacks over the previous X hours/days/weeks/months. So when the President asks, "Do we have evidence that the Chinese are targeting us at this time for cyber-sabotage?" The answer will always be yes.
Are you fearful of a "Guns of August" scenario erupting with the Chinese? You should be now. "Archduke Ferdinand" currently lives inside virtually any US cyber network you care to cite.
Black Swan, meet the War Powers Act, because now nobody is in charge of initiating great-power war anymore. It has all been pre-approved - like some credit card application.
The timing here on the announcement (long anticipated) couldn't be better: with Osama dead, America is now empowered to launch pre-emptive/retaliatory kinetic strikes against China whenever the President wants to. Talk about a quick strategic pivot!
Just so you're clear on what I'm implying here: This is the most serious scaling back of the threshold of great-power war since Mutually Assured Destruction - in its meme-like spread across the 1960s/1970s - basically outlawed such high-end conflict for all but the strategically nutty. Fast-forward to Sarah Palin being sworn-in on 20 January 2013 and you've got yourself a real party.
Of course, all such concerns will be downplayed by sensible national security types: "This doesn't mean . . .." But the underlying capacity will remain. Hence the resulting need for some sort of "arms control" understanding with the Chinese (brought up at the end of the solid WSJ piece) before one or both sides blunders the world into a shooting war nobody wants.
Bottom line? Strangelove has re-entered the Building.
MAY 31, 2011
Cyber Combat: Act of War
Pentagon Sets Stage for U.S. to Respond to Computer Sabotage With Military Force
By SIOBHAN GORMAN And JULIAN E. BARNES
WASHINGTON—The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.
The Pentagon's first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country's military.
In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official.
Recent attacks on the Pentagon's own systems—as well as the sabotaging of Iran's nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact.
The report will also spark a debate over a range of sensitive issues the Pentagon left unaddressed, including whether the U.S. can ever be certain about an attack's origin, and how to define when computer sabotage is serious enough to constitute an act of war. These questions have already been a topic of dispute within the military.
One idea gaining momentum at the Pentagon is the notion of "equivalence." If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a "use of force" consideration, which could merit retaliation.
The War on Cyber Attacks
Attacks of varying severity have rattled nations in recent years.
June 2009: First version of Stuxnet virus starts spreading, eventually sabotaging Iran's nuclear program. Some experts suspect it was an Israeli attempt, possibly with American help.
November 2008: A computer virus believed to have originated in Russia succeeds in penetrating at least one classified U.S. military computer network.
August 2008: Online attack on websites of Georgian government agencies and financial institutions at start of brief war between Russia and Georgia.
May 2007: Attack on Estonian banking and government websites occurs that is similar to the later one in Georgia but has greater impact because Estonia is more dependent on online banking.
The Pentagon's document runs about 30 pages in its classified version and 12 pages in the unclassified one. It concludes that the Laws of Armed Conflict—derived from various treaties and customs that, over the years, have come to guide the conduct of war and proportionality of response—apply in cyberspace as in traditional warfare, according to three defense officials who have read the document. The document goes on to describe the Defense Department's dependence on information technology and why it must forge partnerships with other nations and private industry to protect infrastructure.
The strategy will also state the importance of synchronizing U.S. cyber-war doctrine with that of its allies, and will set out principles for new security policies. The North Atlantic Treaty Organization took an initial step last year when it decided that, in the event of a cyber attack on an ally, it would convene a group to "consult together" on the attacks, but they wouldn't be required to help each other respond. The group hasn't yet met to confer on a cyber incident.
Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say.
The move to formalize the Pentagon's thinking was borne of the military's realization the U.S. has been slow to build up defenses against these kinds of attacks, even as civilian and military infrastructure has grown more dependent on the Internet. The military established a new command last year, headed by the director of the National Security Agency, to consolidate military network security and attack efforts.
The Pentagon itself was rattled by the 2008 attack, a breach significant enough that the Chairman of the Joint Chiefs briefed then-President George W. Bush. At the time, Pentagon officials said they believed the attack originated in Russia, although didn't say whether they believed the attacks were connected to the government. Russia has denied involvement.
The Rules of Armed Conflict that guide traditional wars are derived from a series of international treaties, such as the Geneva Conventions, as well as practices that the U.S. and other nations consider customary international law. But cyber warfare isn't covered by existing treaties. So military officials say they want to seek a consensus among allies about how to proceed.
"Act of war" is a political phrase, not a legal term, said Charles Dunlap, a retired Air Force Major General and professor at Duke University law school. Gen. Dunlap argues cyber attacks that have a violent effect are the legal equivalent of armed attacks, or what the military calls a "use of force."
"A cyber attack is governed by basically the same rules as any other kind of attack if the effects of it are essentially the same," Gen. Dunlap said Monday. The U.S. would need to show that the cyber weapon used had an effect that was the equivalent of a conventional attack.
James Lewis, a computer-security specialist at the Center for Strategic and International Studies who has advised the Obama administration, said Pentagon officials are currently figuring out what kind of cyber attack would constitute a use of force. Many military planners believe the trigger for retaliation should be the amount of damage—actual or attempted—caused by the attack.
For instance, if computer sabotage shut down as much commerce as would a naval blockade, it could be considered an act of war that justifies retaliation, Mr. Lewis said. Gauges would include "death, damage, destruction or a high level of disruption" he said.
Culpability, military planners argue in internal Pentagon debates, depends on the degree to which the attack, or the weapons themselves, can be linked to a foreign government. That's a tricky prospect at the best of times.
The brief 2008 war between Russia and Georgia included a cyber attack that disrupted the websites of Georgian government agencies and financial institutions. The damage wasn't permanent but did disrupt communication early in the war.
A subsequent NATO study said it was too hard to apply the laws of armed conflict to that cyber attack because both the perpetrator and impact were unclear. At the time, Georgia blamed its neighbor, Russia, which denied any involvement.
Much also remains unknown about one of the best-known cyber weapons, the Stuxnet computer virus that sabotaged some of Iran's nuclear centrifuges. While some experts suspect it was an Israeli attack, because of coding characteristics, possibly with American assistance, that hasn't been proven. Iran was the location of only 60% of the infections, according to a study by the computer security firm Symantec. Other locations included Indonesia, India, Pakistan and the U.S.
Officials from Israel and the U.S. have declined to comment on the allegations.
Defense officials refuse to discuss potential cyber adversaries, although military and intelligence officials say they have identified previous attacks originating in Russia and China. A 2009 government-sponsored report from the U.S.-China Economic and Security Review Commission said that China's People's Liberation Army has its own computer warriors, the equivalent of the American National Security Agency.
That's why military planners believe the best way to deter major attacks is to hold countries that build cyber weapons responsible for their use. A parallel, outside experts say, is the George W. Bush administration's policy of holding foreign governments accountable for harboring terrorist organizations, a policy that led to the U.S. military campaign to oust the Taliban from power in Afghanistan.