How do you know you are at war in the information age?

Author: Aldrich, Richard W.

It is not at all clear at this time whether information-warfare measures taken by a potential adversary ... would be readily detectable. The question of "how do you know you are at war" may be difficult to resolve in view of the potential ambiguity associated with Information Warfare.(1)

  1. INTRODUCTION

    In earlier times the question, "How do you know you are at war?" would have seemed disingenuous. When the boulders came catapulting over the fortress wall, one could be fairly certain one was at war. Battering rams punching in the king's fortifications, rows of redcoats firing muskets in unison, and incoming cannonballs were all fairly clear indicators of war. Wars, at one time, were even formally declared, which of course took much of the guesswork out of it. But in recent times war has become more difficult to define, and information warfare (IW) seems likely to be the most elusive yet.(2) Part of the reason is that IW can take place in an entirely new realm, that ethereal place some call "cyberspace"(3) and others call the "infosphere."(4) Another reason is that many of the weapons used can be bought in any computer store and look exactly like the tools used to produce term papers and generate spreadsheets. The weapons' effects may not be to produce immediate death and destruction of property, but to innocuously manipulate bits of data, changing ones to zeros and vice versa, to deleterious effect nonetheless. Finally, the objects of the attack are less likely to be traditional military targets, and more likely to be a nation's "commercial and industrial underpinnings," its telecommunications companies, power companies, financial centers, and the like.(5) Many believe that an "electronic Pearl Harbor" is inevitable.(6) This all requires a serious reevaluation of what constitutes an illegal use of force in the Information Age.(7)

    The importance of delineating what constitutes a "use of force" in the age of IW(8) is twofold. First, it assists in determining when the United States may be entitled to exercise self-defense or some lesser form of sanctions against one who uses certain infowar techniques against the United States.(9) Second, it puts the United States on notice as to when its own conduct may legitimately be described as a use of force, thereby entitling other nations to take self-defense or other appropriate measures.(10) Currently there is a dearth of guidance on the issue. Indeed, one prominent practitioner has opined, "Currently, we are unable to reliably forecast what kinds of electronic attack would be considered by a target country or by the international community to be an `act of war'."(11)

  2. BACKGROUND

    This Article will begin by discussing the vulnerability of military systems within the United States, and the vulnerability of the U.S. information infrastructure, upon which the military relies heavily. The Article will then discuss some recent "attacks" and how their level of sophistication has improved markedly. Finally, it will address issues in detecting attacks, as well as the costs associated with such attacks.

    1. Scope of the Problem

      While some still speak of IW as a futuristic concept posing only a potential concern for future generations, the fact is that information warfare under its broadest definition has probably always been a part of warfare.(12) Some definitions of information warfare include the conventional bombing of a computer center, as well as propaganda ploys designed to confuse the enemy.(13) While I do not contest the potential breadth of the term "information warfare," this paper will primarily focus more narrowly on those aspects of IW dealing with the use of information systems as offensive or defensive weapons. Conventional uses of force against information systems, such as the bombing of a computer center, can largely be dealt with using established law of armed conflict constructs to assess military necessity, proportionality, collateral damage, and the like.(14) It is the use of nontraditional information weapons which raises the most interesting questions under current law, and which will be the focus of this paper.

      The threat of an information attack with serious military implications is very real.(15) For instance:

      A group of Dutch hackers calling themselves `High Tech for Peace' approached diplomats in the Iraqi embassy in Paris. For a payment of $1 million, the Dutch hackers offered to foul up the network handling logistics messages between bases in the United States and U.S. military units in Saudi Arabia. The Iraqis rejected the idea.(16)

      While it is not entirely clear what impact the Dutch hackers could have had on the Gulf War, the coalition's vulnerability was such that it may have been $1 million effectively spent.(17) Some twenty-five percent of the message traffic into Saudi Arabia during the Gulf War was "open, unencoded, [and] on the Internet."(18) Smart hackers would not have needed to debilitate the communications. Merely manipulating some of the communications could potentially have had a grave effect.(19) A few misdirected tanks and other armaments could have so foiled battle plans that all data would thereafter have become suspect, at least temporarily paralyzing operations.(20) This potential for disaster did not go unnoticed.

      In the wake of the 1991 Gulf War the Department of Defense, having comprehensively dismantled Iraq's critical infrastructures, began to express concern at the vulnerabilities of its own infrastructures. A series of studies and war games, along with the well-publicised activities of hackers, demonstrated that the U.S. armed forces had left themselves wide open to disruption of their command, control, communications and logistics infrastructures as a result of their rush to adopt digital, wide area information networks.(21)

      How has the United States become so vulnerable? In large part, U.S. vulnerability to such attacks is a product of the fairly rapid computerization of America's businesses and military, and the even more revolutionary shift to large scale networking of computers.(22) The military has 2.1 million computers and 10,000 local area networks (LANs).(23) These facts caused the authors of the Defense Science Board Report to observe, "We have built our economy and our military on a technology foundation that we do not control and, at least at the fine detail level, we do not understand."(24) Few probably were aware of the heavy dependence upon a single satellite for pager communications until Galaxy 4 spun out of control in May 1998, resulting in lost service to approximately 35 million users.(25) Also affected were, among others, National Public Radio and a large number of private corporate networks.(26)

      1. Vulnerability of DOD Systems

        How often and how seriously the Defense Department is subjected to information attacks is subject to widely varying reports.(27) One report claimed the military's computers are probed by outsiders about five hundred times a day.(28) The same report indicates only about twenty-five percent of those intrusions were detected.(29) The General Accounting Office (GAO) reports about 250,000 suspected attacks occurred in 1995, with the number doubling each year.(30) Of those attacks, the GAO report stated sixty-five percent were successful.(31)

        The military conducted a classified exercise in the summer of 1997, which ran under the code name Eligible Receiver, in an attempt to assess its vulnerability.(32) The purpose of the exercise was to show the ease with which the military's 2.1 million computers, 10,000 local area networks and 100 long-distance networks could be disabled.(33) In an ironic good news/bad news release, the exercise was deemed a success beyond its planners' wildest dreams, because the attack team was so easily able to penetrate Department of Defense (DOD) systems that it dramatically demonstrated continuing widespread vulnerability.(34) Even before the exercise, "the government's Joint Security Commission called U.S. vulnerability to infowar `the major security challenge of this decade and possibly the next century'."(35)

      2. Level and Character of Attacks

        Two California teens (using code names Makaveli and TooShort and operating under the direction of Ehud Tenenbaum, a.k.a. The Analyzer, a hacker in Israel) were arrested after a concentrated series of break-ins to military computers.(36) The hackers hit hundreds of sites, including the Air Force and the Navy.(37) At the time the attack was called "the most organized and systematic attack to date."(38)

        Just a couple of months later, the level was ratcheted up further when the Masters of Downloading (MOD), a group of older hackers, revealed that they had broken into a sensitive Pentagon network in October of 1997.(39) MOD had allegedly stolen software which coordinated the military's Global Positioning System, a system of satellites "used to target missiles and ... enable troops to pinpoint their positions."(40) Shortly after this revelation, MOD alleged that it had also stolen NASA computer programs.(41) In an Internet chat interview, MOD members indicated they were willing to sell the sensitive computer programs.(42)

      3. Triggering an Appropriate Response

        Defining precisely what constitutes a "threat or use of force" as that term is used in the U.N. Charter, and therefore what triggers the offended nation-state's right to respond, whether diplomatically or through the employment of self-defense measures under Article 51, is necessarily complex and not subject to simplistic tests.(43) Similar complexities surround what constitutes an act of aggression under Article 39.(44)

        This is true whether one is evaluating suspected information attacks or more conventional kinetic attacks. Thus, this Article does not presume to set out a test that will yield a definitive black and white answer, but rather will address the factors that should go into evaluating such a determination, and the special complexities such a...
