Several nations, most prominently Russia, the People's Republic of China and North Korea, are already assembling cyber armies and attack weapons that could be used to attack other nations. Given that the United States is heavily dependent on technology for everything from computer-based banking to supply-chain tracking and air-traffic control, it's particularly vulnerable to the denial-of-service attacks, electronic jamming, data destruction and software-based disinformation tricks likely in a cyberattack.
Although the United States likely has the best cyberwar capabilities in the world, "that offensive prowess cannot make up for the weaknesses in our defensive position," one-time presidential advisor Richard Clarke argues in his forthcoming book Cyber War.
Clarke -- who served as special advisor to the president for cybersecurity in 2001 and now teaches at Harvard's Kennedy School for Government and works at Good Harbor Consulting -- fears that any outbreak of cyber warfare would spill over into more violent conflict.
"Far from being an alternative to conventional war, cyber war may actually increase the likelihood of the more traditional combat with explosives, bullets and missiles," Clarke writes in his book, which is due out April 20.
Several nations, most prominently Russia, the People's Republic of China and North Korea, are already assembling cyber armies and attack weapons that could be used to attack other nations, he says. Given that the United States is heavily dependent on technology for everything from computer-based banking to supply-chain tracking and air-traffic control, it's particularly vulnerable to the denial-of-service attacks, electronic jamming, data destruction and software-based disinformation tricks likely in a cyberattack.
With Russia and China as the adversaries to be most concerned about, Clarke notes that the Pentagon has established the U.S. Cyber Command to fight cyberwars and defend the Department of Defense against cyberattack. (The Department of Homeland Security [DHS] is tasked with defending other federal agencies.) But America's Achilles heel may be the corporate sector, which has been left largely on its own when it comes to cyber defenses; the public Internet and telecommunications infrastructures, which are operated largely by private companies; and the fact that much of the nation's tech manufacturing is done overseas.
According to Clarke, those vulnerabilities in the United States could give China the upper hand in a cyber conflict.
"The Chinese government has both the power and the means to disconnect China's slice of the Internet from the rest of the world, which they may very well do in the event of a conflict with the United States," he maintains, adding that China's cyber warriors have a mission to defend all of China's infrastructure, not just military-run pieces.
As a result, Clarke advocates both new international agreements aimed at preventing cyberwar and world cooperation to trace back attacks that appear to violate any agreements, even though finding an aggressor can be very hard on the Internet. Clarke also would like to see changes in the United States that would put the nation's ISPs in charge of proactively stopping attacks, albeit under government regulation and oversight.
As someone who was involved in negotiations over nuclear weapons and arms control in Europe during the Cold War, Clarke points out that diplomatic relations with Russia have never been easy. But Russia -- which has indicated it would consider a massive cyberattack from another nation as an act that could bring retaliation with traditional weapons -- has for several years been the main advocate of putting cyberwar on the table diplomatically in order to craft treaties about it.
Clarke notes that he rejected Russia's cyber arms control proposal, which also included a prohibition on spying through cyber-espionage, but is now giving some of these ideas fresh consideration.
While he doesn't favor a ban on cyber espionage, which he says is mainly about just getting information, he suggests in his book that he has come around to the idea of beginning a debate on international agreements aimed at keeping cyberattacks from escalating into full-fledged cyberwars.
In particular, he favors international agreements that limit cyberattacks to military targets, rather than disruption of electric power grids, banking and transportation systems that would cause huge harm to civilians. And he wants the U.S. president to be the one to approve the use of cyber weapons, including any use of logic bombs.
Clarke also dislikes the practice of hiding logic bombs in the electrical grid and other civilian infrastructures of potential adversaries for possible future detonation. Although it's a tactic he believes several nations, including the United States, have already used, Clarke sees it as a hostile act that heightens the prospects of both intentional and accidental cyberwar and inordinately affects civilians.
One of the issues about cyberwar yet to be addressed is how to define it in terms of domestic and international law. With some nations already accusing others of military cyberattacks, is it time to start negotiating treaties that ban first-use cyber strikes against civilian targets and bar the hiding of software-based logic bombs aimed at critical infrastructures?
"I'm not aware of a definition of cyberwar in international or domestic law," says Michael Vatis, partner in the New York office of law firm Steptoe & Johnson. Vatis was founding director of the National Infrastructure Protection Center at the FBI, one of the first efforts by the government to establish detection, warning and response efforts related to cyberattacks. "There's no formal discussion about it at the U.N. or any international body."
Vatis, a member of the National Academy of Science/National Research Council Committee on the Policy Consequences and Legal/Ethical Considerations of Offensive Information Warfare, worked on the landmark study last year, "Technology, Policy, Law and Ethics regarding U.S. Acquisition and Use of Cyberattack Capabilities."
That study argued that laws regarding armed conflict and the Charter of the United Nations apply to cyberattacks "though new analytical work may be needed to understand how these principles do or should apply to cyberweapons."
"The conceptual framework that underpins the U.N. Charter in the use of force and armed attacks and today's law of armed conflict provides a reasonable starting point for an international legal regime to govern cyberattack," the report said, adding, "However, those legal constructs fail to account for non-state actors and for the technical characteristics of some cyberattacks."
Preventing a cyberconflict from breaking out, or keeping it from escalating to a physical one, needs to be better understood. But "secrecy has impeded widespread understanding and debate about the nature and implications of U.S. cyberattacks," the report said.
According to Duncan Hollis, associate professor of law at Temple University and a former U.S. State Department attorney working on treaty negotiations, the area of cyberattack and cyberwar remains too "cutting edge" right now.
In the government, most of the discussion is highly classified, with the director of the National Security Agency, Lt. Gen. Keith Alexander, overseeing the military function. More publicly, individuals such as Jonathan Zittrain and Jack Goldsmith, both Harvard law professors, have spoken out on the topic. Elsewhere, criminal-law specialists will occasionally take up the subject, Hollis notes.
"But we're really at the beginning of the conversation," he says. Part of the problem is that it's "not a legal black hole, no one's saying there are no rules -- but how do these existing rules apply in this context?"
The rules of war depend in large part on knowing who attacked you, Hollis says, and that can be hard to figure out when it comes to cyberattacks.
"There's a real risk of unintended escalation," he says. "There needs to be an international discussion, with the policy-making community in the public eye. Russia wants a treaty on this, but we're still figuring out whether we need new rules."