A report in the New York Times recently revealed that the U. S. military has already engaged to a limited degree in "cyberwar": attacks on an enemy's communications and computer networks. On two separate occasions, attempts were made to disrupt communications networks: one in Serbia in the late 1990s, and another during the early hours of the attack on Iraq in 2003. Both missions were at least partly successful, but both also caused collateral damage in the form of communications disruptions in nations that were not targeted for attack. The same report also described a much more ambitious plan to freeze Iraq's financial system electronically, but the Bush administration vetoed the idea over fears that it might cause a widespread financial panic. As was demonstrated last fall, inaction can just as easily cause widespread financial panic, but that is worlds away from deliberately fouling up a country's banking system. Nevertheless, the fact that we are already in a world where cyberwar is part of the armamentarium may be news to many people, including engineers.
As we mentioned in this space not long ago, the technology of cyberwar has outpaced the legal and moral traditions that govern, or at least address, the conduct of conventional warfare. Clearly, doing something to the Internet that would disrupt services to large numbers of people outside the territory under attack is not a good idea, which is one reason the Bush administration may have restrained themselves from putting Iraq's financial system in the deep freeze. But other issues related to cyberwar are less clear-cut than this.
Consider the principle that military forces should be clearly identifiable (wearing uniforms, etc.). This idea is routinely violated by terrorists, who like to fade into the background of ordinary citizenry, and also by cyberattackers, who are experts at hiding their true identity and whereabouts. I suppose you could leave return addresses in plain text in viruses designed to attack enemy networks, but I somehow doubt anyone is worrying about this.
A more serious consideration is the distinction between civilian and military populations. Until about 1900, it was not considered cricket to target civilian populations in warfare. This rule went by the board in a big way during World War II, when bombers on both sides began carpet-bombing attacks on cities without special regard for limiting their targets to sites of strategic significance. Since then, the principle of no attacks on civilians has received occasional lip service, but that's about all. It's very hard to imagine how a cyberattack could sort out only strategically important computers from those belonging to the average citizen, but maybe as the technology progresses, this sort of thing would be easier to do. The planned but never executed attack on Iraq's financial system would not have discriminated between a paycheck for a general and a payment for a bottle of milk, so clearly we have a ways to go in this regard.
The Obama Administration has said it is going to name a cyberwar czar who will try to centralize activities concerning cybersecurity and related matters. But so far no one has been nominated to the post, and we'll have to wait and see what happens once that person is in place. If history is any guide, this office will languish in obscurity until a major cyberattack causes serious damage to U. S. interests. Then there will be enough political steam generated to get something done, although the horse will have left the barn by then.
Fortunately, defending against cyberattacks is something that we have lots of experience with, since the field of computer science seems to have been born with a native proclivity to spawn hackers of all descriptions who like nothing better than to tear down what other programmers have spent months or years constructing. I don't know why this field is so hacker-prone, but the practical outcome is that we have lots of private-enterprise expertise already that knows how to defend against a variety of attacks, and these experts even work in a coordinated fashion most of the time. Let's hope that whatever the government does will not cripple this advantage, but instead will build upon it and encourage even better cooperation than we have already.
I wish the world was a place where computers and networks were used only for good and productive purposes. But anytime something of value comes into being, somebody is going to get jealous or greedy and want to use it as a pawn in conflicts and wars. The Internet and modern telecommunications systems are a part of our lives now, and so we need to think about how to defend them, and if need be, attack them along with other kinds of infrastructure that is the focus of war. So far, the worst consequences of cyberattacks have been financial losses and inconvenience. Let's hope that with wise planning and forethought, nothing worse will happen to us in this area.
Sources: The New York Times article " Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk" appeared in the Aug. 1, 2009 online edition at http://www.nytimes.com/2009/08/02/us/politics/02cyber.html. Full disclosure: as I will mention every now and then, my wife works for About.com, a division of the New York Times Company.