Cyberwarfare

Cyberwarfare raises issues of growing national interest and concern.

Cyberwarfare can be used to describe various aspects of defending and attacking information and computer networks in cyberspace, as well as denying an adversary’s ability to do the same. Some major problems encountered with cyber attacks, in particular, are the difficulty in determining the origin and nature of the attack and in assessing the damage incurred.

A number of nations are incorporating cyberwarfare as a new part of their military doctrine. Some that have discussed the subject more openly include the United Kingdom, France, Germany, Russia, and China. Many of these are developing views toward the use of cyberwarfare that differ from those of the United States, and in some cases might represent national security threats.

Cyberterrorism is also an issue of growing national interest. Many believe terrorists plan to disrupt the Internet or critical infrastructures such as transportation, communications, or banking and finance. It does seem clear that terrorists use the Internet to conduct the business of terrorism, but on closer inspection it is not clear how or whether terrorists could use violence through the Internet to achieve political objectives.

Although the U.S. government is striving to consolidate responsibility for and focus more attention on cyberwarfare issues, it is not clear how successful those efforts will be. Congress may choose to examine critically the policies, organization, and legal framework that guide executive branch decisionmaking on issues of cyberwarfare.

Thursday, July 16, 2009

Federal Web sites knocked out by cyber attack

By LOLITA C. BALDOR, Associated Press Writer

WASHINGTON (AP) -- A widespread and unusually resilient computer attack that began July 4 knocked out the Web sites of several government agencies, including some that are responsible for fighting cyber crime, The Associated Press has learned.

The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web sites were all down at varying points over the holiday weekend and into this week, according to officials inside and outside the government. Some of the sites were still experiencing problems Tuesday evening. Cyber attacks on South Korea government and private sites also may be linked, officials there said.

U.S. officials refused to publicly discuss details of the cyber attack. But Amy Kudwa, spokeswoman for the Homeland Security Department, said the agency's U.S. Computer Emergency Readiness Team issued a notice to federal departments and other partner organizations about the problems and "advised them of steps to take to help mitigate against such attacks."

The U.S., she said, sees attacks on its networks every day, and measures have been put in place to minimize the impact on federal Web sites.

It was not clear whether other federal government sites also were attacked.

Others familiar with the U.S. outage, which is called a denial of service attack, said that the fact that the government Web sites were still being affected three days after it began signaled an unusually lengthy and sophisticated attack. The officials spoke on condition of anonymity because they were not authorized to speak on the matter.

Web sites of major South Korean government agencies, banks and Internet sites also were paralyzed in a suspected cyber attack Tuesday. An initial investigation found that many personal computers were infected with a virus ordering them to visit major official Web sites in South Korea and the U.S. at the same time, Korea Information Security Agency official Shin Hwa-su said.

The South Korean sites included the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, Korea Exchange Bank and top Internet portal Naver. They went down or had access problems since late Tuesday, said Ahn Jeong-eun, a spokeswoman at the Korea Information Security Agency.

Kudwa had no comment on the South Korean attacks.

Two government officials acknowledged that the Treasury and Secret Service sites were brought down, and said the agencies were working with their Internet service provider to resolve the problem.

Ben Rushlo, director of Internet technologies at Keynote Systems, called it a "massive outage" and said problems with the Transportation Department site began Saturday and continued until Monday, while the FTC site was down Sunday and Monday.

Keynote Systems is a mobile and Web site monitoring company based in San Mateo, Calif. The company publishes data detailing outages on Web sites, including 40 government sites it watches.

According to Rushlo, the Transportation Web site was "100 percent down" for two days, so that no Internet users could get through to it. The FTC site, meanwhile, started to come back online late Sunday, but even on Tuesday Internet users still were unable to get to the site 70 percent of the time.

"This is very strange. You don't see this," he said. "Having something 100 percent down for a 24-hour-plus period is a pretty significant event."

He added that, "The fact that it lasted for so long and that it was so significant in its ability to bring the site down says something about the site's ability to fend off (an attack) or about the severity of the attack."

Denial of service attacks against Web sites are not uncommon, and are usually caused when sites are deluged with Internet traffic so as to effectively take them off-line. Mounting such an attack can be relatively easy using widely available hacking programs, and they can be made far more serious if hackers infect and use thousands of computers tied together into "botnets."

For instance, last summer, in the weeks leading up to the war between Russia and Georgia, Georgian government and corporate Web sites began to see "denial of service" attacks. The Kremlin denied involvement, but a group of independent Western computer experts traced domain names and Web site registration data to conclude that the Russian security and military intelligence agencies were involved.

Documenting cyber attacks against government sites is difficult, and depends heavily on how agencies characterize an incident and how successful or damaging it is.

Government officials routinely say their computers are probed millions of times a day, with many of those being scans that don't trigger any problems. In a June report, the congressional Government Accountability Office said federal agencies reported more than 16,000 threats or incidents last year, roughly three times the amount in 2007. Most of those involved unauthorized access to the system, violations of computer use policies or investigations into potentially harmful incidents.

The Homeland Security Department, meanwhile, says there were 5,499 known breaches of U.S. government computers in 2008, up from 3,928 the previous year, and just 2,172 in 2006.

Electricity Grid in U.S. Penetrated By Spies (Updated)

Spies from China and other countries have hacked into the U.S. power grid, according to national-security officials. Experts fear a future cyber scare. From the Wall Street Journal:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”

This is not the first accusation of cyber-spying this year. From Telegraph:

The US government is however convinced China is endeavouring to overtake the US as the dominant force in cyberspace. Researchers at the University of Toronto recently revealed the presence of GhostNet, a global cyber-spy network run from China that has infiltrated 103 countries and infected dozens of computers every month.

The ten-month investigation by the Munk Centre for International Studies in Toronto started as an investigation into interference with computers belonging to the Dalai Lama, the exiled Tibetan leader, and his supporters. It found that the Chinese had in many cases successfully searched computers, tapped into emails and turned on web cameras and microphones to record conversations within range.

Update: China has denied any role in the power grid hack. From Wall Street Journal:

“The intrusion doesn’t exist at all,” Chinese Foreign Ministry spokeswoman Jiang Yu said at a regular press conference. “We hope that the concerned media will prudently deal with some groundless remarks, especially those concerning accusations against China.”

“I have also noticed that the U.S. White House had denied the media reports,” she said.

A report in the state-run China Daily cited Chinese experts who rejected the so-called “China threat” theory and tied it to the financial crisis.


JULY/AUGUST 2009
Cyber-Scare
The exaggerated fears over digital warfare by Evgeny Morozov
The age of cyber-warfare has arrived. That, at any rate, is the message we are now hearing from a broad range of journalists, policy analysts, and government officials. Introducing a comprehensive White House report on cyber-security released at the end of May, President Obama called cyber-security “one of the most serious economic and national security challenges we face as a nation.” His words echo a flurry of gloomy think-tank reports. The Defense Science Board, a federal advisory group, recently warned that “cyber-warfare is here to stay,” and that it will “encompass not only military attacks but also civilian commercial systems.” And “Securing Cyberspace for the 44th President,” prepared by the Center for Strategic and International Studies, suggests that cyber-security is as great a concern as “weapons of mass destruction or global jihad.”

Unfortunately, these reports are usually richer in vivid metaphor—with fears of “digital Pearl Harbors” and “cyber-Katrinas”—than in factual foundation.

Consider a frequently quoted CIA claim about using the Internet to cause widespread power outages. It derives from a public presentation by a senior CIA cyber-security analyst in early 2008. Here is what he said:

We have information, from multiple regions outside the United States, of cyber-intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber-attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.

So “there is information” that cyber-attacks “have been used.” When? Why? By whom? And have the attacks caused any power outages? The CIA may have some classified information, but very little that is unclassified suggests that such cyber-intrusions have occurred.

Or consider an April 2009 Wall Street Journal article entitled “Electricity Grid in U.S. Penetrated By Spies.” The article quotes no attributable sources for its starkest claims about cyber-spying, names no utility companies as victims of intrusions, and mentions just one real cyber-attack, which occurred in Australia in 2000 and was conducted by a disgruntled employee rather than an external hacker.

It is alarming that so many people have accepted the White House’s assertions about cyber-security as a key national security problem without demanding further evidence. Have we learned nothing from the WMD debacle? The administration’s claims could lead to policies with serious, long-term, troubling consequences for network openness and personal privacy.

Cyber-security fears have had, it should be said, one unambiguous effect: they have fueled a growing cyber-security market, which, according to some projections, will grow twice as fast as the rest of the IT industry. Boeing, Raytheon, and Lockheed Martin, among others, have formed new business units to tap increased spending to protect U.S. government computers from cyber-attacks. Moreover, many former government officials have made smooth transitions from national cyber-security policy to the lucrative worlds of consulting and punditry. Speaking at a recent conference in Washington, D.C., Amit Yoran—a former cyber-security czar in the Bush administration and currently the C.E.O. of NetWitness, a cyber-security start-up—called hacking a national security threat, adding that “cyber-9/11 has happened over the last ten years, but it’s happened slowly, so we don’t see it.” One way for the government to protect itself from this cyber-9/11 may be to purchase NetWitness’s numerous software applications, aimed at addressing both “state and non-state sponsored cyber threats.”

From a national security perspective, cyber-attacks matter in two ways. First, because the back-end infrastructure underlying our economy (national and global) is now digitized, it is subject to new risks. Fifty years ago it would have been hard—perhaps impossible, short of nuclear attack—to destroy a significant chunk of the U.S. economy in a matter of seconds; today all it takes is figuring out a way to briefly disable the computer systems that run Visa, MasterCard, and American Express. Fortunately, such massive disruption is unlikely to happen anytime soon. Of course there is already plenty of petty cyber-crime, some of it involving stolen credit card numbers. Much of it, however, is due to low cyber-security awareness by end-users (you and me), rather than banks or credit card companies.

Second, a great deal of internal government communication flows across computer networks, and hostile and not-so-hostile parties are understandably interested in what is being said. Moreover, data that are just sitting on one’s computer are fair game, too, as long as the computer has a network connection or a USB port. Despite the “cyber” prefix, however, the basic risks are strikingly similar to those of the analog age. Espionage has been around for centuries, and there is very little we can do to protect ourselves beyond using stronger encryption techniques and exercising more caution in our choices of passwords and Wi-Fi connections.

To be sure, there is a war-related caveat here: if the military relies on its own email system or other internal electronic communications, it is essential to preserve this capability in wartime. Once more, however, the concern is not entirely novel; when radio was the primary means of communication, radio-jamming was also a serious military concern; worries about radio go back as far as the Russo-Japanese War of 1904-1905.


The ultimate doomsday scenario—think Live Free or Die Hard—could involve a simultaneous attack on economic e-infrastructure and e-communications: imagine al Qaeda disabling banks, destroying financial data, disrupting networks, and driving the American economy back to the nineteenth century. This certainly sounds scary—almost as scary as raptors in Central Park or a giant asteroid heading toward the White House. The latter two are not, however, being presented as “national security risks” yet.

There are certainly genuine security concerns associated with the Internet. But before accepting the demands of government agencies for new and increased powers to fight threats in cyberspace and prepare for cyber-warfare, we should look more closely at well-defined dangers and ask just where existing technological means and legal norms fall short. Because the technologies are changing so quickly, we cannot expect definitive answers. But cyber-skeptics—who argue that cyber-warfare is still more of an urban legend than a credible hazard—appear to be onto something important.

One kind of cyber-security problem grows out of resource scarcity. A network has only so much bandwidth; a server can serve only so much data at one time. So if you want to disable (or simply slow down) the computer backbone of a national economy, for example, you need to figure out how to reach its upper limit.

It would be relatively easy to protect against this problem if you could cut your computer or network off from the rest of the world. But as the majority of governmental and commercial services have moved online, we expect them to be offered anywhere; Americans still want to access their online banking accounts at Chase even if they are travelling in Africa or Asia. What this means in practice is that institutions typically cannot shut off access to their online services based on nationality of the user or the origin of the computer (and in the case of news or entertainment sites, they do not want to: greater access means more advertising income).

Together, these limitations create an opportunity for attackers. Since no one, not even the U.S. government, has infinite computer resources, any network is potentially at risk.

Taking advantage of this resource scarcity could be an effective way of causing trouble for sites one does not like. The simplest—and also the least effective—way of doing this is to visit the URL and hit the “reload” button on your browser as often (and for as long) as you can. Congratulations: you have just participated in the most basic kind of “denial-of-service” (DoS) attack, which aims to deny or delay the delivery of online services to legitimate users. These days, however, it would be very hard to find a site that would suffer any noticeable damage from such a nuisance; what is missing from your cyber-guerilla campaign is scale.

Now multiply your efforts by a million—distribute your attacks among millions of other computers—and this could be enough to cause headaches to the administrators of many Web sites. These types of attacks are known as “distributed denial-of-service” or DDoS attacks. Administrators may be able to increase their traffic and bandwidth estimates and allocate more resources. Otherwise they have to live with this harassment, which may disable their Web site for long periods.

DDoS attacks work, then, by making heavier-than-normal demands on the underlying infrastructure, and they usually cause inconvenience rather than serious harm. Not sure how to do it yourself? No problem: you can buy a DDoS attack on the black market. Try eBay.
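The AP story above describes denial of service as a site being "deluged with Internet traffic", and the preceding paragraphs explain why a lone reloader is harmless while a distributed flood is not. The toy model below is an added illustration (not code from either article): a server that can process a fixed number of requests per second, some legitimate users sending one request each, and attackers sending many. It also adds a per-source rate limiter, the first thing an operator reaches for, to show why that limiter defeats a single source but does nothing against a botnet whose members each look like an ordinary visitor. Capacities, client counts and rates are assumed values chosen for the demonstration.

```python
"""Added illustration: why DoS from one source fails and DDoS succeeds.

A server serves at most `capacity` requests per second; anything beyond that
times out.  A per-source rate limiter drops requests from any address that
exceeds `per_source_limit` within the second.  Numbers are assumed, not
measured."""
import random
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Scenario:
    capacity: int                 # requests/second the server can actually process
    legit_clients: int            # legitimate users, one request per second each
    attackers: int                # number of attacking source addresses
    attack_rate: int              # requests/second sent by each attacking source
    per_source_limit: Optional[int] = None  # accept at most N req/s per address


def run(s: Scenario, seconds: int = 5, seed: int = 7) -> float:
    """Fraction of legitimate requests that get served over the run."""
    rng = random.Random(seed)
    legit_total = legit_served = 0
    for _ in range(seconds):
        # Source ids: legitimate users 0..L-1, attacking addresses L..L+A-1.
        reqs = [(i, True) for i in range(s.legit_clients)]
        for a in range(s.attackers):
            reqs += [(s.legit_clients + a, False)] * s.attack_rate
        rng.shuffle(reqs)  # arrival order carries no hint of legitimacy
        seen: Dict[int, int] = {}
        accepted = []
        for src, legit in reqs:
            n = seen.get(src, 0)
            if s.per_source_limit is not None and n >= s.per_source_limit:
                continue  # rate limiter drops the excess from this one address
            seen[src] = n + 1
            accepted.append(legit)
        served = accepted[:s.capacity]  # everything past capacity is lost
        legit_total += s.legit_clients
        legit_served += sum(served)
    return legit_served / legit_total


def compare() -> Dict[str, float]:
    """Same server, same 200 real users, four different attackers."""
    base = dict(capacity=1000, legit_clients=200)
    return {
        "no_attack": run(Scenario(**base, attackers=0, attack_rate=0)),
        # one person hammering reload 5000 times a second
        "one_reloader": run(Scenario(**base, attackers=1, attack_rate=5000)),
        "one_reloader_ratelimited": run(
            Scenario(**base, attackers=1, attack_rate=5000, per_source_limit=10)),
        # the same 5000 req/s spread over 5000 bots, one request each
        "botnet": run(Scenario(**base, attackers=5000, attack_rate=1)),
        "botnet_ratelimited": run(
            Scenario(**base, attackers=5000, attack_rate=1, per_source_limit=10)),
    }


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name:28s} legitimate requests served: {frac:.0%}")
```

The per-address limiter restores full service against the single reloader because one address can only occupy ten of the thousand slots; against the botnet every bot stays under the limit, so the legitimate users still compete for the same scarce capacity. That is the "scale" the text says the lone reloader lacks, and why defenders move to upstream filtering and over-provisioning rather than per-client rules.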

In fact, your own computer may well be participating in a DDoS attack right now. You may, for example, have inadvertently downloaded a trojan—a hard-to-detect, tiny piece of software—that has allowed someone else to take control of your machine, without obvious effect on your computer’s speed or operations. Some computer experts put the upper limit of infected computers as high as a quarter of all computers connected to the Internet.

Because a single computer is inconsequential, the infected computers form “botnets”—nets of robots—that can receive directions from a command-and-control center—usually just another computer on the network with the power to give commands. What makes the latest generation of botnets hard to defeat is that every infected computer can assume the role of the command-and-control center: old-fashioned methods of decapitation do not work against such dispersed command-and-control. Moreover, botnets are strategic: when network administrators try to block the attacks, botnets can shift to unprotected prey. Commercial cyber-security firms are trying to keep up with the changing threats; thus far, however, the botnets are staying at least one step ahead.
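The paragraph above contrasts a botnet with one command-and-control host, which can be "decapitated", with a newer design in which any bot can relay commands. The graph simulation below is an added example (not from the article): it builds a star-shaped botnet and a peer-to-peer one, seizes nodes in each, and measures how many surviving bots can still receive a command. Bot counts, peer-list sizes and the number of seized machines are assumed for the demonstration.

```python
"""Added illustration: why seizing the C&C host works against a centralized
botnet but not against a peer-to-peer one.  Sizes are assumed."""
import random
from collections import deque
from typing import Dict, Set

Graph = Dict[int, Set[int]]


def star_botnet(n_bots: int) -> Graph:
    """Classic design: every bot talks only to a single C&C host, node 0."""
    g: Graph = {0: set()}
    for b in range(1, n_bots + 1):
        g[0].add(b)
        g[b] = {0}
    return g


def p2p_botnet(n_bots: int, peers_per_bot: int, seed: int = 3) -> Graph:
    """Peer-to-peer design: each bot keeps a short peer list and relays any
    command it hears, so a command injected anywhere floods the whole net."""
    rng = random.Random(seed)
    g: Graph = {b: set() for b in range(n_bots)}
    for b in range(n_bots):
        for p in rng.sample([x for x in range(n_bots) if x != b], peers_per_bot):
            g[b].add(p)
            g[p].add(b)
    return g


def takedown(g: Graph, seized: Set[int]) -> Graph:
    """Remove seized machines and every link to them."""
    return {v: nbrs - seized for v, nbrs in g.items() if v not in seized}


def reachable_fraction(g: Graph, sources: Set[int], bots: Set[int]) -> float:
    """Share of surviving bots that a command injected at `sources` reaches."""
    seen = set(s for s in sources if s in g)
    queue = deque(seen)
    while queue:                       # breadth-first flood of the command
        v = queue.popleft()
        for w in g[v]:
            if w not in seen:
                seen.add(w)
                queue.append(w)
    alive = bots & set(g)
    return len(seen & alive) / len(alive) if alive else 0.0


def compare(n_bots: int = 2000, seized: int = 50) -> Dict[str, float]:
    rng = random.Random(11)
    star_bots = set(range(1, n_bots + 1))
    star_after = takedown(star_botnet(n_bots), {0})  # C&C host seized
    p2p_bots = set(range(n_bots))
    p2p = p2p_botnet(n_bots, peers_per_bot=4)
    # seize `seized` peers, including whichever one last issued commands
    p2p_after = takedown(p2p, set(rng.sample(sorted(p2p_bots), seized)))
    survivor = min(p2p_after)          # operator re-injects from any live peer
    return {
        "star_after_cnc_seizure": reachable_fraction(star_after, {0}, star_bots),
        "p2p_after_seizing_peers": reachable_fraction(p2p_after, {survivor}, p2p_bots),
    }


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name:26s} bots still reachable: {frac:.0%}")
```

Seizing the single hub leaves every bot in the star orphaned; seizing fifty peers in the mesh, including the last command source, leaves the rest still reachable from any surviving peer. Takedowns of peer-to-peer botnets therefore target the protocol (sinkholing, poisoning peer lists) rather than a host.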

DDoS threats have been far more commercial than political. The driving force has been cyber-gangs (many of them based in the former Soviet Union and Southeast Asia) which are in the extortion business. They find a profitable Internet business that cannot afford downtime and threaten to take down its Web site(s) with DDoS attacks. The online gambling industry—by some estimates, a $15-billion-a-year business—is a particularly appealing target because it is illegal in the United States: it cannot seek protection and take advantage of robust U.S. communications infrastructure. Thus, administrators of popular gambling sites commonly receive threats of DDoS attacks and demands for $40,000-$60,000 to “protect” the sites from attacks during peak betting periods (say, before big sporting events such as the Super Bowl). Many legitimate businesses fall victim to cyber-extortion, too. Since it is better to dole out a little cash to stop future attacks than to deal with the PR fallout—and possible drop in stock prices—that usually follows cyber-attacks, cyber-crime is underreported and underprosecuted.


Another commercial opportunity for cyber-gangs is the creation of a large army of for-hire botnets, with extremely powerful attack capabilities. It is currently quite straightforward to rent the destructive services of a botnet ($1000/day is a going rate). The point was made forcefully by a controversial recent experiment: a group of BBC reporters purchased the services of a botnet 22,000 infected computers strong from a vendor of cyber-crime services and used it to attack the site of a cyber-security company.

The commercial availability of DDoS-attack capability has generated excitement about political applications. The risks to online freedom of expression may be considerable: saying anything controversial may trigger a wave of cyber-attacks that your adversaries can purchase easily. These attacks are financially burdensome and politically disabling for the victim. Getting your server back online is usually the least of your problems. Your Web hosting company may kick you off its servers because the cost of dealing with the damage caused by cyber-attacks usually outweighs the monetary gains of hosting controversial groups, from political bloggers to LGBT groups to exiled media from countries such as Burma (just to mention some recent victims of DDoS attacks). Protection from DDoS is available, but usually too expensive for nonprofits.

An alternative to expensive DDoS protection is a kind of distributed defense network. Imagine an idealized world in which every computer has the latest anti-virus update and where users do not open suspicious attachments or visit dubious Web sites. Cyber-gangs would then be left to their own devices—to attacking with computers they own—and the security issues would be considerably diminished. This perfect world is impossible to achieve, but the right policies could get us pretty close. One option is to go “macro”—to ensure that all critical national infrastructure is prioritized and protected, with extremely flexible resource allocation for the key assets (part of the job of a cyber-czar). This, however, would do little to curb the DDoS market. Indeed, it might embolden the attackers to ratchet up their capabilities. An alternative is to go “micro”—ensure that people who are responsible for the creation of this market in DDoS attacks in the first place (i.e., you and me) are knowledgeable (or at least literate) in cyber-security matters and do not surf with their antivirus protection turned off. This latter solution could eliminate the problem at root: if all computers were secure and computer users careful, botnets would significantly shrink in size. This, however, is a big “if,” and most skepticism over whether the federal government is well-placed to educate about these threats is justified.

The security threats from DDoS attacks pale in comparison with the potential consequences of another kind of online insecurity, one more likely to be associated with terrorists than criminals and potentially more consequential politically: data breaches or network security compromises (I say “potential” because very few analysts with access to intelligence information agree to speak on the record). After all, with DDoS, attackers simply slow down everyone’s access to data that are, in most cases, already public (some data are occasionally destroyed). With data breaches, in contrast, attackers can gain access to private and classified data, and with network security compromises, they might also obtain full control of high-value services like civil-aviation communication systems or nuclear reactors.

Data breaches and network security compromises also create far more exciting popular narratives: the media frenzy that followed the detection of China-based GhostNet—a large cyber-spying operation that spanned more than 1250 computers in 103 countries, many of them belonging to governments, militaries, and international organizations—is illustrative. Much like botnets, cyber-spying operations such as GhostNet rely on inadvertently downloaded trojans to obtain full control over the infected computer. In GhostNet’s case, hackers even gained the ability to turn on computers’ camera and audio-recording functions for the purposes of remote surveillance, though we have no evidence that attackers used this function.

In fact, what may be most remarkable about GhostNet is what did not happen. No computers belonging to the U.S. or U.K. governments—both deeply concerned about cyber-security—were affected; one NATO computer was affected, but had no classified information on it. It might be unnerving that the computers in the foreign ministries of Brunei, Barbados, and Bhutan were compromised, but the cyber-security standards and procedures of those countries probably are not at the global cutting edge. With some assistance on upgrades, they could be made much more secure.

In part, then, the solution to cyber-insecurity is simple: if you have a lot of classified information on a computer and do not want to become part of another GhostNet-like operation, do not connect it to the Internet. This is by far the safest way to preserve the integrity of your data. Of course, it may be impossible to keep your computer disconnected from all networks. And by connecting to virtually any network—no matter how secure—you relinquish sole control over your computer. In most cases, however, this is a tolerable risk: on average, you are better off connected, and you can guard certain portions of a network, while leaving others exposed. This is Network Security 101, and high-value networks are built by very smart IT experts. Moreover, most really sensitive networks are designed in ways that prevent third-party visitors—even if they manage somehow to penetrate the system—from doing much damage. For example, hackers who invade the email system of a nuclear reactor will not be able to blow up nuclear facilities with a mouse click. Data and security breaches vary in degree, but such subtlety is usually lost on decision-makers and journalists alike.

Hype aside, what we do know is that there are countless attacks on the government computers in virtually every major Western country, many of them for the purpose of espionage and intelligence gathering; data have been lost, compromised, and altered. The United States may have been affected the most: the State Department estimates that it has lost “terabytes” of data to cyber-attacks, while Pentagon press releases suggest that it is under virtually constant cyber-siege. Dangerous as they are, these are still disturbing incidents of data loss rather than seriously breached data or compromised networks. Breakthroughs in encryption techniques have also made data more secure than ever. As for the data loss, the best strategy is to follow some obvious rules: be careful, and avoid trafficking data in open spaces. (Don’t put important data anywhere on the Internet, and don’t leave laptops with classified information in hotel rooms.)


Although there is a continuous spectrum of attacks, running from classified memos to nuclear buttons, we have seen no evidence that access to the latter is very likely or even possible. Vigilance is vital, but exaggeration and blind acceptance of speculative assertions are not.

So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts.

Politicians, too, deserve some blame, as they are usually quick to draw parallels between cyber-terrorism and conventional terrorism—often for geopolitical convenience—while glossing over the vast differences that make military metaphors inappropriate. In particular, cyber-terrorism is anonymous, decentralized, and even more detached than ordinary terrorism from physical locations. Cyber-terrorists do not need to hide in caves or failed states; “cyber-squads” typically reside in multiple geographic locations, which tend to be urban and well-connected to the global communications grid. Some might still argue that state sponsorship (or mere toleration) of cyber-terrorism could be treated as casus belli, but we have yet to see a significant instance of cyber-terrorists colluding with governments. All of this makes talk of large-scale retaliation impractical, if not irresponsible, but also understandable if one is trying to attract attention.

Much of the cyber-security problem, then, seems to be exaggerated: the economy is not about to be brought down, data and networks can be secured, and terrorists do not have the upper hand. But what about genuine cyber-warfare? The cyber-attacks on Estonia in April-May 2007 (triggered by squabbling between Tallinn and Moscow over the relocation of a Soviet-era monument) and the cyber-dimension of the August 2008 war between Russia and Georgia have reignited older debates about how cyber-attacks could be used by and against governments.

The Estonian case is notable for the duration of the attacks—the country was under “DDoS-terror” for almost a month, with much of its crucial national infrastructure (including online banking) temporarily unavailable. The local media and some Estonian politicians were quick to blame the attacks on Russia, but no conclusive evidence emerged to prove this. The Georgian case—widely discussed as the first major instance of cyber-attacks (primarily DDoS) accompanying conventional warfare—has barely lived up to its hype. Many Georgian government Web sites were, in fact, targets of severe DDoS attacks. So was at least one bank. Yet, the broader strategic importance of such attacks within the Russian military operation is not clear at all, nor did Russia acknowledge responsibility for the attacks.

Although the attacks on Estonia and Georgia are often grouped together—perhaps because of the tentative Russian involvement in both—they are also very different. One important difference is in the degree of technological sophistication of the two countries. Attacking the Internet in Estonia, which made Internet access a basic human right in 2000, is like attacking the banks in Liechtenstein: the country’s economy, politics, and even some emergency services are pegged to it so tightly that being offline is a national calamity.

Georgia, on the other hand, is a technological laggard. When Georgia’s major government Web sites became inaccessible during the war, the Foreign Ministry was slow in finding a temporary home on a blog. The lapse may have gone largely unnoticed: 2006 Internet statistics gathered by the United Nations show that Georgia had about seven Internet users per one hundred population compared to 55 in Estonia and 70 in the United States. The Georgian case also highlights the danger of drawing too many strategic lessons from cyber-attacks. After all, one common cause of lost Internet access is a power outage, and power outages are common during wartime regardless of cyber-attacks.

Moreover, both Georgia and Estonia are in a sense “cyber-locked,” with limited points of connection (even in Estonia) to the external Internet. This limited connectivity and the two countries’ dependence on a small amount of physical infrastructure heighten their vulnerability. Less cyber-locked nations do not face the same risk. As Scott Pinzon, former Information Security Analyst with WatchGuard Technologies, told me, “If Georgia or Estonia were enmeshed into the Internet as thoroughly as, say, the State of California, the cyber-attacks against them would have been reduced to the level of nuisance.” The smartest way to guard against future attacks may, then, be to build robust infrastructure—laying extra cables, creating more Internet exchange points (where Internet service providers share data), providing incentives for new Internet service providers, and attracting more players to sell connectivity in places that now have limited infrastructure. The United States has actually done quite a bit of this already, so the Estonian experience may have little to teach Americans. While it might benefit Estonia and some other countries to invest heavily in upgrades, the United States may be able to forgo dramatic and costly changes in favor of regular maintenance and incremental improvements.
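The point about being “cyber-locked” can be made concrete. The following is an added example, not code from the original essay: it computes the minimum number of links that must fail before every domestic network loses reachability to the outside Internet, which is the edge connectivity of the graph and, by the max-flow/min-cut theorem, equals the maximum flow from the domestic side to the outside. Both topologies (node names such as `isp_a`, `ixp1`, `upstream_x`) are constructed toy graphs for illustration, not maps of Estonia, Georgia or California.

```python
"""Added example, not part of the original essay: a toy measure of how
"cyber-locked" a national network is. It computes the minimum number of
links whose failure cuts every domestic network off from the outside
Internet (edge connectivity via max-flow / min-cut). Both topologies are
constructed for illustration and are not maps of any real country.
"""
from collections import deque

# Constructed topology A: three domestic ISPs peer at one exchange point and
# reach the outside through only two upstream links.
CYBER_LOCKED = [
    ("isp_a", "ixp1"), ("isp_b", "ixp1"), ("isp_c", "ixp1"),
    ("isp_a", "upstream_x"), ("isp_b", "upstream_y"),
    ("upstream_x", "internet"), ("upstream_y", "internet"),
]
DOMESTIC_A = ["isp_a", "isp_b", "isp_c"]

# Constructed topology B: four domestic ISPs, each multihomed to two of four
# upstreams, every upstream with two independent links outward, plus an IXP.
ENMESHED = [
    ("isp_a", "ixp1"), ("isp_b", "ixp1"), ("isp_c", "ixp1"), ("isp_d", "ixp1"),
    ("isp_a", "up1"), ("isp_a", "up2"),
    ("isp_b", "up2"), ("isp_b", "up3"),
    ("isp_c", "up3"), ("isp_c", "up4"),
    ("isp_d", "up4"), ("isp_d", "up1"),
    ("up1", "internet"), ("up1", "internet"),
    ("up2", "internet"), ("up2", "internet"),
    ("up3", "internet"), ("up3", "internet"),
    ("up4", "internet"), ("up4", "internet"),
]
DOMESTIC_B = ["isp_a", "isp_b", "isp_c", "isp_d"]


def _residual_graph(links):
    """Build a residual-capacity map; each physical link is one unit of
    capacity in both directions (parallel links add up)."""
    cap = {}
    for a, b in links:
        cap.setdefault(a, {}).setdefault(b, 0)
        cap.setdefault(b, {}).setdefault(a, 0)
        cap[a][b] += 1
        cap[b][a] += 1
    return cap


def _augment(cap, src, dst):
    """One Edmonds-Karp step: BFS for a shortest augmenting path, push the
    bottleneck along it and return that amount (0 when no path remains)."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v, c in cap[u].items():
            if c <= 0 or v in parent:
                continue
            parent[v] = u
            if v != dst:
                queue.append(v)
                continue
            bottleneck = float("inf")
            x = v
            while parent[x] is not None:
                bottleneck = min(bottleneck, cap[parent[x]][x])
                x = parent[x]
            x = v
            while parent[x] is not None:
                cap[parent[x]][x] -= bottleneck
                cap[x][parent[x]] += bottleneck
                x = parent[x]
            return bottleneck
    return 0


def min_links_to_isolate(links, domestic_nodes, outside="internet"):
    """Minimum number of links that must fail before no domestic node can
    reach `outside`. A super-source with unlimited capacity is attached to
    every domestic node, so the answer is the max flow to `outside`."""
    cap = _residual_graph(links)
    super_src = "__domestic__"
    unlimited = len(links) + 1  # more than any real cut could need
    cap[super_src] = {}
    for n in domestic_nodes:
        cap[super_src][n] = unlimited
        cap.setdefault(n, {})[super_src] = 0
    total = 0
    while True:
        pushed = _augment(cap, super_src, outside)
        if pushed == 0:
            return total
        total += pushed


if __name__ == "__main__":
    print("cyber-locked:", min_links_to_isolate(CYBER_LOCKED, DOMESTIC_A))  # 2
    print("enmeshed:    ", min_links_to_isolate(ENMESHED, DOMESTIC_B))      # 8
```

Two link failures (or two sustained attacks on the right upstream links) isolate topology A; topology B needs eight. The numbers are only as good as the topology data, and in practice the cut also has to account for shared physical paths (two “independent” upstream links running through the same conduit or landing station count as one), which is exactly the kind of information the “lay extra cables, add exchange points” advice is about.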

Quite apart from the technological issues of cyber-warfare, there is the question of what even constitutes cyber-war. How do existing legal categories apply in this new setting?

For largely geopolitical reasons, Estonia initially called the cyber-attacks a cyber-war, a move that now seems ill-considered (on a recent trip to Estonia, I noticed that Estonian officials had replaced the term “cyber-war” with the more neutral “cyber-attacks”). The militarization of cyberspace that inevitably comes with any talk of war is disturbing, for there is no evidence yet to link the current generation of cyber-attacks to warfare, at least not in the legal sense of the term. However, the attacks on Estonia and Georgia did each pose an intriguing legal question, and neither has yet been answered definitively. First, do cyber-attacks constitute a “use of armed force” as understood by international law (the Estonian case)? Second, what kind of cyber-attacks are allowed under the laws of war once the conflict has already begun (the Georgian case)?

The first question is the trickiest. Commenting on the attacks, the Estonian defense minister said “such sabotage cannot be treated as hooliganism, but has to be treated as an attack against the state.” But did the cyber-attacks constitute the beginning of an armed conflict, as understood by the Geneva Conventions or Article 51 of the United Nations Charter? If the cyber-attacks constituted an armed attack, Estonia’s NATO allies should have followed Article 5 of the North Atlantic Treaty, which treats an attack against one member state as an attack against all and calls for collective defense. In the event, NATO sent only a team of experts to assess the damage. Using the metrics of conventional conflicts to assess the severity of these attacks is not easy. How intense and severe must the damage be in order for the cyber-attacks to qualify as armed attacks? Does damage in cyberspace qualify, even in the absence of offline damage? Is inconvenience to Internet users enough? What about the duration of the attacks?

However such questions are answered, the aggrieved party would still have to prove that a cyber-attack was state-sponsored, and it is unclear how one makes this argument in a legally convincing fashion. Are states only responsible for actions they directly control? Are they also responsible for all cyber-activity in their territory? And how far does that responsibility extend? At least one computer with an IP address belonging to the Russian government was identified as part of a botnet used in the Estonian attacks, but it is hard to build a case for Russian government responsibility on that IP address alone, since there were thousands of other participating computers.
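Why one implicated address proves so little becomes obvious once attacking sources are aggregated by network owner rather than listed one by one. The following is an added example, not code from the original essay: it maps each source address of a DDoS flow record to the registered owner of the longest matching prefix, then counts distinct participating hosts and traffic volume per owner. The flow records, the prefix table and the owner names (`consumer_isp`, `government_net`, and so on) are constructed for illustration using documentation and shared address ranges; they are not data from the Estonian attacks.

```python
"""Added example, not part of the original essay: attributing DDoS sources to
network owners and measuring how much a single implicated host actually
accounts for. Flow records and the prefix-to-owner table are constructed
(documentation/shared address ranges and invented owner names), not data
from the Estonian attacks.
"""
import ipaddress

# Constructed owner table; the /28 inside the consumer block shows that
# longest-prefix matching picks the most specific registration.
PREFIX_OWNER = {
    "203.0.113.0/24": "consumer_isp",
    "203.0.113.16/28": "consumer_isp_business",
    "198.51.100.0/24": "hosting_provider",
    "192.0.2.0/24": "government_net",  # fictional government block
}

# Constructed flow records: (source IP, packets seen at the target).
FLOWS = [
    ("203.0.113.10", 4000), ("203.0.113.11", 3800), ("203.0.113.12", 4100),
    ("203.0.113.13", 3900), ("203.0.113.14", 4200), ("203.0.113.15", 4050),
    ("203.0.113.16", 3950), ("203.0.113.17", 4000), ("203.0.113.18", 4100),
    ("198.51.100.5", 9000), ("198.51.100.6", 8800),
    ("192.0.2.7", 3700),
    ("100.64.5.1", 4000),      # no registration in the table -> "unknown"
    ("203.0.113.10", 1000),    # same host seen again: one host, more packets
]


def owner_of(ip, prefix_owner=PREFIX_OWNER):
    """Longest-prefix match of an address against the owner table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, owner in prefix_owner.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, owner)
    return best[1] if best else "unknown"


def attribution_summary(flows, prefix_owner=PREFIX_OWNER):
    """Per owner: number of distinct participating hosts and total packets."""
    hosts = {}
    packets = {}
    for ip, count in flows:
        owner = owner_of(ip, prefix_owner)
        hosts.setdefault(owner, set()).add(ip)
        packets[owner] = packets.get(owner, 0) + count
    return {o: {"hosts": len(hosts[o]), "packets": packets[o]} for o in hosts}


def host_share(summary, owner):
    """Fraction of all participating hosts that belong to `owner`."""
    total = sum(v["hosts"] for v in summary.values())
    return summary.get(owner, {"hosts": 0})["hosts"] / total if total else 0.0


def packet_share(summary, owner):
    """Fraction of attack volume that came from `owner`'s hosts."""
    total = sum(v["packets"] for v in summary.values())
    return summary.get(owner, {"packets": 0})["packets"] / total if total else 0.0


if __name__ == "__main__":
    s = attribution_summary(FLOWS)
    for owner, v in sorted(s.items(), key=lambda kv: -kv[1]["hosts"]):
        print(f"{owner:24s} hosts={v['hosts']:3d} packets={v['packets']:6d}")
    print("government_net host share:", round(host_share(s, "government_net"), 3))
```

In the constructed sample the fictional government block contributes one of thirteen hosts and under six percent of the packets; the bulk comes from consumer and hosting networks, which is the typical shape of a botnet. Even that one host only tells you where a compromised machine sat, not who directed it, so the summary is the starting point of an attribution argument, not its conclusion.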

If state involvement cannot be proven beyond doubt, cyber-attacks should be treated as crimes and dealt with under national and, in some cases, international criminal law. But there are difficulties on this front as well. For example, unlike Estonia and many countries, Russia has never signed the Council of Europe Convention on Cybercrime, which is the first international treaty seeking to harmonize national laws and facilitate cross-border cooperation among states on issues of cyber-crime. This makes it impossible to hold Russia to the standards envisioned in the Convention, and international law also provides few mechanisms for punishment.

The second question—what kinds of attacks would be allowed under the law of armed conflict?—presents another theoretical challenge, though for now at least, existing legal standards may suffice to address the issues.

Common sense dictates that the severity and targets of such attacks should be guided by international law, particularly the Geneva Conventions and associated protocols. Broadly speaking, current norms state that the conduct of war must meet three fundamental standards: belligerents must distinguish military from civilian objects when selecting targets; balance military necessity with humanitarian concern (the choice of weapons is not unlimited and must be made with the avoidance of unnecessary suffering in mind); and shun the use of force that is disproportionate, in the sense that it shows insufficient attention to the unnecessary suffering that might result. These principles have proved very hard, but not impossible, to interpret in conventional conflict; applying them to cyberspace is not an insurmountable challenge.

The careful application of these three principles to the conduct of war could explain why militaries might shy away from cyber-attacks. First, it is hard to predict the consequences of such attacks; cyber-attacks typically lack surgical precision and are notorious for side effects—a virus planted in a military network could easily spread to civilian computers, causing much unanticipated collateral damage.

Second, precisely targeted cyber-attacks could be a more humane way of conducting warfare. Instead of bombing a military train depot, with collateral civilian deaths, one can temporarily disable it by hacking into its dispatch system. However, the rules of war also stipulate that once a belligerent has used a more humane weapon, it ought to use that weapon in similar situations—and who would voluntarily abandon tanks in favor of computers only?

Third, most cyber-attacks are hard to justify in strategic terms and therefore would open associated personnel to prosecution for war crimes. For example, if there is little to be gained from attacking a poorly maintained Web site of the Georgian parliament, Russia could not justify an attack on it in military terms. If it went ahead with such an attack, its commanders would risk prosecution for a disproportionate use of force.

The Internet does create one complexity worth considering in the context of applying existing laws of war: civilians on both sides can now participate in hostilities remotely. At the height of the war with Georgia, Russian blogs were full of detailed instructions on how to enlist in the cyber-war effort. Currently, humans are of little value in this process: a conventional botnet attack is more damaging. Yet, it is possible that human-powered botnets—or “meatbots”—could soon play a more serious role. Would participants then be liable for war crimes for their actions as civilians, who, unlike combatants, do not enjoy immunity under the law of war for their participation in hostilities? Would such civilian actions fall under the category of “direct participation in hostilities,” outlined in Commentary to Additional Protocol I to the Geneva Conventions (“Direct participation in hostilities implies a direct causal relationship between the activity engaged in and the harm done to the enemy at the time and the place where the activity takes place”)? We may need a special clarification of this concept for cyberspace, but other metrics—the damage caused, the targets chosen, and so forth—could still apply.

The legal options are also complicated in the case of classical rather than meatbot-powered DDoS attacks because there are often at least five parties to them: the attackers, the computer users whose machines are enlisted by the attackers, the target Internet sites, the software vendors responsible for the exploited security vulnerabilities, and the various Internet service providers who deliver the attack traffic. These parties have different degrees of responsibility, and some of them may be liable for negligence, itself a murky legal area.

Putting these complexities aside and focusing just on states, it is important to bear in mind that the cyber-attacks on Estonia and especially Georgia did little damage, particularly when compared to the physical destruction caused by angry mobs in the former and troops in the latter. One argument about the Georgian case is that cyber-attacks played a strategic role by thwarting Georgia’s ability to communicate with the rest of the world and present its case to the international community. This argument both overestimates the Georgian government’s reliance on the Internet and underestimates how much international PR—particularly during wartime—is done by lobbyists and publicity firms based in Washington, Brussels, and London. There is, probably, an argument to be made about the vast psychological effects of cyber-attacks—particularly those that disrupt ordinary economic life. But there is a line between causing inconvenience and causing human suffering, and cyber-attacks have not crossed it yet.

The usefulness of cyber-attacks as a military tool is also contested. Some experts are justifiably skeptical about the arrival of a new age of cyber-war. Marcus J. Ranum, Chief Security Officer of Tenable Network Security, argues that it is pointless for superpowers to develop cyber-war capabilities to attack non-superpowers, as they can crush them in more conventional ways. As for non-superpowers, their use of cyber-capabilities would almost certainly result in what Ranum calls “the Blind Mike Tyson” effect: the superpower would retaliate with offline weaponry (“blind me, I nuke you”). If Ranum is right, we should forget about the prospect of all-out cyber-war until we have technologically advanced superpowers that are hostile to each other. Focusing on cyber-crime, cyber-terrorism, and cyber-espionage may help us address the more pertinent threats in a more rational manner.

In the meantime, those truly concerned about the future of the Internet, global security, and e-Katrinas would be advised to watch a recent South Park episode, in which the Internet suddenly disappears and hordes of obsessed families head to the Internet Refugee Camp in California, where they are allowed to browse their favorite Web sites for 40 seconds a day, while the military fights the no-longer-blinking giant Internet router. Finally, a nine-year-old boy plugs the router back in, and its magic green light returns. This would make a sensible strategy for many governments, which are all too eager to adopt militaristic postures instead of focusing on making their own Internet infrastructures more robust.