[iwar] interesting piece

From: Fred Cohen (fc@all.net)
Date: 2001-05-03 07:50:18

by James Adams

JAMES ADAMS is Co-founder and Chairman of iDefense, a cyber-intelligence
and risk-management firm, and serves on the National Security Agency
Advisory Board. He is the author of The Next World War: Computers Are the
Weapons and the Front Line Is Everywhere. 

Foreign Affairs May, 2001 / June, 2001 
Copyright 2001 Council on Foreign Relations, Inc. 


JUST AS World War I introduced new weaponry and modern combat to the
twentieth century, the information age is now revolutionizing warfare for
the twenty-first. Around the world, information technology increasingly
pervades weapons systems, defense infrastructures, and national economies.
As a result, cyberspace has become a new international battlefield.
Whereas military victories used to be won through physical confrontations
of weapons and soldiers, the information warfare being waged today
involves computer sabotage by hackers acting on behalf of private
interests or governments. The recent escalation of tension between Israel
and the Palestinians, for example, has had a prominent virtual dimension.
From October 2000 to January 2001, attacks by both sides took down more
than 250 Web sites, and the aggressions spread well beyond the boundaries
of the Middle East to the computer networks of foreign companies and
groups seen as partisan to the conflict.

A decade after the end of the Cold War, the U.S. military stands as an
uncontested superpower in both conventional and nuclear force. Ironically,
its overwhelming military superiority and its leading edge in information
technology have also made the United States the country most vulnerable to
cyber-attack. Other nations know that they have fallen behind in military
muscle, so they have begun to look to other methods for bolstering their
war-fighting and defense capacities -- namely, "asymmetrical warfare,"
which the Pentagon characterizes as "countering an adversary's strengths
by focusing on its weaknesses." 

Furthermore, the U.S. military is radically changing. The "revolution in
military affairs" seeks to apply new technology, particularly digital
information technology, to operational and strategic concepts. With plans
ranging from computer-based weapons research programs to software that
encrypts classified military data, from computer-guided "smart" bombs to a
space-based missile defense, America's military forces are coming to
depend more and more on computers and information networks. These two
factors -- the dominance of U.S. conventional forces and the military's
already extensive and growing use of information technology -- make
cyber-attack an increasingly attractive and effective weapon to use
against the United States.

But U.S. defense plans and policymakers' concept of national security have
not caught up to the new threats of computer warfare. Indeed, recent
warnings indicate that the United States remains highly vulnerable. To
address this challenge, Washington urgently needs to modernize its
thinking and transcend its strategies of deterrence and national security,
which remain fixed in the Cold War, pre-Internet world.


IN MARCH 1998, the Department of Defense detected the most persistent and
serious computer attack against the United States to date. In a still
ongoing operation that American investigators have code-named Moonlight
Maze, a group of hackers has used sophisticated tools to break into
hundreds of computer networks at NASA, the Pentagon, and other government
agencies, as well as private universities and research laboratories. These
cyber-intruders have stolen thousands of files containing technical
research, contracts, encryption techniques, and unclassified but essential
data relating to the Pentagon's war-planning systems.

Since Moonlight Maze was first discovered, the U.S. intelligence community
has been engaged in the largest cyber-intelligence investigation ever. But
more than three years of work have produced disturbingly few clues. The
attacks appear to be coming from seven Russian Internet addresses, but it
is unclear whether the initiative is state-sponsored. Last year,
Washington issued a demarche to the Russian government and provided
Russian officials with the telephone numbers from which the attacks
appeared to be originating. Moscow said the numbers were inoperative and
denied any prior knowledge of the attacks.

Meanwhile, the assault has continued unabated. The hackers have built "back
doors" through which they can re-enter the infiltrated systems at will and
steal further data; they have also left behind tools that reroute specific
network traffic through Russia. Despite all the investigative effort, the
United States still does not know who is behind the attacks, what
additional information has been taken and why, to what extent the public
and private sectors have been penetrated, and what else has been left
behind that could still damage the vulnerable networks.

Destructive as it is, Moonlight Maze is just a taste of dangers to come.
U.S. military leaders increasingly recognize that losing information
battles will undermine the country's ability to fight any battles at all.
Missile defense, for example, will not be worth the billions it will cost
if digital attacks undermine its software or infrastructure. And opponents
of missile defense could handicap the system at the development stage by
attacking the technology at its source -- breaking into the computer
networks of the corporations that design the system and making slight
modifications that ensure huge costs and long delays.

The U.S. military's vulnerability to cyber-attack became clear in June
1997, when the Joint Chiefs of Staff launched an exercise code-named
Eligible Receiver to test the nation's computer defenses. Their scenario
imagined a military crisis on the Korean Peninsula that forced Washington
to rapidly bolster South Korean forces with troops and aircraft.
Thirty-five men and women from the National Security Agency (NSA) were
split into four teams, three in the United States and one on a ship in the
Pacific, to simulate hackers hired by North Korea to subvert the American
operation. These hackers received no advance intelligence about U.S.
information networks and could use only publicly available equipment and
information. Even though they were not allowed to break U.S. law, they
could use any computer hacking programs they could find freely available
on the Internet. (Some 30,000 Web sites post hacker codes, which can be
downloaded to break passwords, crash systems, and steal data.)

Over the course of the next two weeks, the teams used the commercial
computers and hacking programs they downloaded from the Internet to
simultaneously break into the power grids of nine American cities and
crack their 911 emergency systems. This exercise proved that genuine
hackers with malicious intent could, with a couple of keystrokes, have
turned off these cities' power and prevented the local emergency services
from responding to the crisis.

Having ensured civilian chaos and distracted Washington, the NSA agents
then attacked 41,000 of the Pentagon's 100,000 computer networks and got
in to 36. Only two of the attacks were detected and reported. The agents
were thus able to roam freely across the networks, sowing destruction and
distrust wherever they went. They could, for example, have sent truck
headlights to an F-16 fighter squadron requesting missiles or rerouted
aircraft fuel to a port rather than an air base. The hackers also managed
to infect the human command-and-control system with a paralyzing level of
mistrust. Orders that appeared to come from a commanding general were
fake, as were bogus news reports on the crisis and instructions from the
civilian command authorities. As a result, nobody in the chain of command,
from the president on down, could believe anything. This group of hackers
using publicly available resources was able to prevent the United States
from waging war effectively.

In October 1999, a second exercise, code-named Zenith Star, tested the
lessons learned from Eligible Receiver. On this occasion, the "hackers"
attacked the power systems feeding several U.S. military bases and then
overwhelmed local 911 emergency systems with a flood of computer-generated
calls. The test showed that some improvement had occurred since Eligible
Receiver, but coordination between government agencies was still poor and
the national infrastructure remained vulnerable to attack.

The potential nightmares of Eligible Receiver and Zenith Star, as well as
the real and ongoing Moonlight Maze sabotage, are visible signs of a new
war already being waged in cyberspace. This war is largely hidden from
public view but the infrastructure protection it requires is costing the
private sector and the U.S. taxpayer billions of dollars. And thus far,
the war is operating in an environment of near chaos. Unlike during the
Cold War, when the nuclear standoff produced its own understandable rules
of the game that included a sophisticated deterrence mechanism, no legal
or de facto boundaries inhibit cyber-aggressions. Instead, information
warfare is a free-for-all, with more and more players hurrying to join the


THE U.S. GOVERNMENT now believes that more than 30 nations have developed
aggressive computer-warfare programs. The list includes Russia and China,
volatile governments such as Iran and Iraq, and U.S. allies such as Israel
and France. Ambitious newcomers, including India and Brazil, are also
seeking to become powers in the world of virtual combat.

Americans celebrated the Persian Gulf War as a major victory for U.S.
military forces and as a vindication of the nation's defense structure.
But outside the United States, the conflict taught an additional lesson: a
direct military confrontation with the United States would inevitably
result in defeat. So while the United States has continued to develop its
conventional forces (the Pentagon's defense budget is now larger than
those of the 12 next largest nations combined), other countries have
looked elsewhere for an asymmetric advantage. "The rest of the world
realizes that you don't take the United States on in a military frontal
sense, but you can probably bring it down or cause severe damage in a more
oblique way," asserts Art Money, assistant secretary of defense for
command, control, and intelligence. "And that's where the vulnerability in
the United States resides."

One country that American intelligence has been closely monitoring is
China, which is actively exploring the possibilities raised by this new
American vulnerability. Because Beijing sees the United States as its
principal antagonist in the twenty-first century, Chinese military leaders
and policymakers have made an intensive effort to apply the lessons
learned from the Persian Gulf War's show of American military might. The
heated Chinese debate about how to seize a military advantage over the
United States produced a partial answer in Unrestricted Warfare, written
by two People's Liberation Army (PLA) colonels, Qiao Liang and Wang
Xiangsui. The book clearly sets out why China considers the Gulf War to
have been the last hurrah for the old-style warrior.

[The] age of technological integration and globalization . . . has
realigned the relationship of weapons to war. . . . Does a single "hacker"
attack count as a hostile act or not? Can using financial instruments to
destroy a country's economy be seen as a battle? Did CNN's broadcast of an
exposed corpse of a U.S. soldier in the streets of Mogadishu shake the
determination of the Americans to act as the world's policeman, thereby
altering the world's strategic situation? . . . When we suddenly realize
that all these non-war actions may be the new factors constituting future
warfare, we have to come up with a new name for this new form of war:
Warfare which transcends all boundaries and limits -- in short,
unrestricted warfare.

The authors believe that China will never be able to match American
technological superiority. Moreover, having watched Moscow spend itself
into oblivion trying to win the Cold War arms race, Beijing will seek to
avoid the same mistake. Instead, the authors write, a digital attack will
give China a significant asymmetric advantage and even bring about the
defeat of the United States. China has therefore been making large
investments in new technology for the PLA and has established a special
information-warfare group to coordinate national offense and defense.
China-watchers in the Pentagon refer to these efforts as the creation of
"the Great Firewall of China."

Part of the reason for such aggressive action is that China suspects that
it is already under cyber-attack from the United States. Every piece of
computer hardware or software imported from the United States or its
allies is subject to detailed inspection when it arrives at the border.
China's own technicians then take control of the goods and either resist
or closely monitor Western experts' efforts to install the equipment

The same restrictions apply in Russia, where political and military leaders
are convinced that they are losing the cyberspace war to the United
States. For the past two years, Moscow has quietly circulated among the
members of the U.N. Security Council drafts of a possible arms-control
treaty for cyberspace. The United States and its allies have dismissed the
proposals as the desperate posturing of a nation with a weak information
economy that is losing the cyber-war. Indeed, from the perspective of
information-technology powers such as the United States, an arms control
treaty that will primarily benefit those nations falling behind in the
information war makes no sense.


ALTHOUGH MOSCOW'S idea of an international treaty to limit information
warfare may seem far-fetched, the concept of an effective deterrence
regime for cyberspace is gaining currency in Washington. As the
information revolution gathers pace, so do the frequency and
sophistication of the attacks on U.S. computer and communications
networks. And these attacks have made glaringly clear two dangerous
changes in U.S. military and national security structures.

First, during the Cold War, Washington controlled the pace of U.S.
technology development by directly funding approximately 70 percent of
technology research. Today, that figure is less than 5 percent.
Technological innovation is now driven by private interests that refuse to
depend on Washington's archaic acquisition systems. Instead, technology
entrepreneurs strive incessantly to increase the speed of change.

That shift from public to private funding has been matched by the
development of a new weapons platform known as the personal computer. The
ammunition for this weapon -- the hacking tools -- come free on the Web
and are constantly being updated. One needs only access to a computer,
Internet capabilities, and a little bit of technical savvy to become an
information warrior. And unlike twentieth-century weapons innovations that
took an average of 15 years to enter military service, today's newest
versions of computers and software are available everywhere and accessible
to everyone at the same time.

Second, the front line in this new war has changed. In the last century,
the crucial battlefront was generally seen as the place where soldiers,
sailors, and aviators met in combat. For the United States, with no
aggressive neighbors on its borders, defense of the homeland meant
projecting power overseas when U.S. interests were endangered. This
strategy has worked well since the nation was founded; unlike most modern
great powers, the United States has rarely been invaded by foreign forces.

The cyber-world has changed that paradigm. Seeking to avoid a direct
military confrontation with U.S. forces, potential foreign aggressors now
look instead to attack the soft American underbelly -- the private sector
-- and to do so in such a way as to make military retaliation very
difficult, either because the attack's origin is unknown or because the
perpetrators have sabotaged civilian or military command networks. The
private and public sectors together now form the front line of
twenty-first-century warfare, and private citizens are the likely first

Despite the warning signs, the United States still does not prioritize
threats to the private sector or sufficiently emphasize cooperation
between citizens and government in defense. In many cases, Washington
remains legally constrained from passing on information about potential
threats to the private sector. For example, intelligence officials now
believe that certain hardware and software imported from Russia, China,
Israel, India, and France are infected with devices that can read data or
destroy systems. The names of the suspected companies and products are not
available to the private sector, however, and because that information and
the intelligence that supports it are so highly classified, the suspicions
are impossible to verify.

In addition, the U.S. defense posture, which is designed around power
projection and not homeland defense, leaves the country's information and
communications networks vulnerable. Currently no mechanism exists for
effective defense of the computer networks of businesses, the power grids
of American cities, or even the information networks of the federal
government. Indeed, cyber-defense is left to the FBI, a law-enforcement
agency meant to pursue criminals, not defend the nation. Thus far, the
FBI's efforts to coordinate cyber-defense have been hampered by a lack of
technological skills and resources. The bureau has supposedly been
coordinating the sharing of information across public and private sectors
but has in fact focused on its traditional role of law enforcement.

The Clinton administration's response to these challenges was fragmented
and disorganized. Leadership in cyber-warfare was supposed to come from
the National Security Council (NSC), but not enough materialized.
Relations between the FBI and the NSC were tense, and those between the
NSC and the Pentagon even worse, with officials refusing even to speak
with one another. And cooperation among the military services remains
weak, despite efforts to put all computer warfare under a single entity,
the U.S. Space Command. Every service has developed its own
information-warfare capability at huge cost and with significant
duplication of effort. Similarly, the CIA, the Defense Intelligence
Agency, and the NSA have each undertaken independent information-warfare
efforts, with little cooperation between them.


AFTER WORLD WAR II, the detonation of two nuclear bombs over Japan
frightened the world enough to provoke a ferment of activity inside the
world's governments and the academic community -- leading in time to the
development of a nuclear deterrent strategy. The world knew that a nuclear
attack against the United States or one of its allies, or against the
Soviet Union or a Soviet ally, would provoke instant nuclear retaliation.
Defense planners later applied this strategy of deterrence through the
threat of mutually assured destruction to chemical and biological weapons
as well. During the Gulf War, for example, Saddam Hussein recognized that
if he used chemical or biological weapons, he could expect a devastating,
if unspecified, response.

But with no U.S. strategy for deterrence in the virtual world and no clear
thinking about a legal regime for retaliation against cyber-attack,
potential hackers can battle the United States with impunity. Consider
what happened in May 2000, when a hacker in the Philippines launched the
"Love Letter" virus around the world. In the United States, the Veterans
Health Administration received 7 million "I Love You" messages, 1,000
files were damaged at NASA, and recovery from the attack at the Department
of Labor required more than 1,600 employee hours and 1,200 contractor
hours. Estimates of the cost of the attack to the United States range from
$4 billion to $15 billion -- or the equivalent, in conventional war
terms, of the carpet-bombing of a small American city. Yet Washington did
nothing to prosecute the hacker or to recover damages. Although the hacker
was arrested, he was later released because Philippine law is not designed
to prosecute such crimes.


THE PROBLEMS in the current U.S. defense system and national security
paradigm are easy to identify. But remedying those problems by creating an
effective defense and deterrent will be much more difficult. Bringing
order to the new frontier of information warfare will require a robust
strategy and sound tactics.

First and foremost, primary responsibility for the cyber-defense of the
nation must be given to the Department of Defense. The NSC has failed to
lead the battle in computer warfare, in part because it has lacked the
financial and military muscle to do so. In Washington's bureaucratic maze,
where departments and agencies vie for money, the cyber-threat has often
been seen as just another excuse to win additional funding to take on the
task of network defense. Because it lacks bureaucratic punch, the NSC's
warnings about cyber-threats to national security have gone largely

The FBI, which has the training and resources to investigate and apprehend
hackers, can play a crucial role in fighting cyber-crime, but it should
not coordinate the battle. The bureau has a reputation for not sharing
information with other government departments, and its initiative to
promote communication between government and the private sector has
produced disappointing results. The FBI officials in charge of that
project argue that the bureau itself remains uncommitted to the
cyber-defense role and has not allocated the necessary people, money, and
technology to cyber-defense.

Certainly, there are some doubts about the wisdom of giving the Pentagon
the information-defense mandate. Foreign enemies of the United States face
U.S. military services that are authorized to protect and defend the
nation, whereas American citizens enjoy civil rights that domestic
law-enforcement agencies such as the FBI must observe. So lawmakers and
civil libertarians are understandably nervous about extending the
military's powers to the homeland. But the United States has two underused
assets at its disposal that will allow it to avoid this contentious move:
the military reserves and the National Guard. These groups already have
the technology skills needed to run an effective information defense,
because their personnel are also integrated into the technology-driven
private sector. Homeland defense, coordinated by the Pentagon and using
the National Guard and the reserves, is the way to protect America's
information networks.

The Pentagon has the resources to lead information defense but has been
reluctant to take on this mission. To assume this additional role now
would require realigning Defense Department priorities and re-allocating
resources from traditional power projection abroad to homeland defense.
But national defense is the Pentagon's business. And in the information
age, national defense must include cyber-defense.

In order for defense planners to coordinate a strategy for cyberspace, the
definitions of national security and the appropriate methods of managing
it need to be redefined. "National security" has always meant protecting
the nation's borders from foreign attack, and the perceived national
interest has often led to the projection of U.S. military power overseas
to protect the homeland. But as the Chinese clearly understand, future war
is no longer going to focus on borders and territorial disputes. In
addition, previously it was defeat on the battlefield that decided the
outcome of a conflict, and any wartime attacks on a country's private
sector primarily targeted its industrial complex. In cyberspace, however,
the asymmetric advantage goes to whoever understands that a successful
computer attack against privately owned information networks is just as
effective a weapon as military force. This is an uncomfortable concept for
both military and political leaders to grasp, because it requires, first,
acknowledging that the barriers between the public and private sectors
have eroded and, second, embracing innovative strategies that take the
private sector's new technological skills and vulnerability into account.

Furthermore, effective defense means deterring attacks before they occur.
The threat of retaliation is a good preventive strategy. Every nation
already understands the consequences of using weapons of mass destruction
against the United States. Washington must similarly put the world on
notice that it will consider a cyber-attack against any U.S. entity an act
of war that will generate an appropriate response. It must also make clear
that the United States does not distinguish between methods of attack;
whether struck by a bomb or a computer virus, it cares only about the

But acts of aggression against U.S. information networks will occur, and
guidelines for responding need to be developed. As Washington has learned
from Moonlight Maze, pinning the blame on a specific group or nation is
tough. Many nations faced similar challenges from terrorism in the late
1960s and early 1970s, when they suffered from a critical shortage of
intelligence, little cooperation between governments, and no defensive
capability, either civilian or military, to protect against the new
phenomenon of transnational terrorism. By the mid-1980s, however,
intelligence had improved dramatically, nations were cooperating more, and
defensive measures had been put in place. The result was the containment
of the terrorism problem, although it will never be fully eliminated. The
same parallels apply in cyberspace.

If the United States is to respond effectively to cyber-attack, it must
first know who is responsible for the aggression. Finding criminals who
act through computer networks is a tough challenge, since attacks in
cyberspace can come from multiple points simultaneously, with their
origins disguised. For example, in February 1998, while tensions were
mounting once again with Iraq, the Pentagon discovered a sophisticated set
of intrusions into a number of Defense Department information systems.
These attacks, code-named Solar Sunrise, seemed designed to gather
intelligence on U.S. plans for actions in Iraq and disrupt
command-and-control and logistics systems. The hacks were assumed to have
been organized by Iraq, and their origin was traced to Abu Dhabi. A strike
force was sent to that Gulf state and, after receiving permission from its
government, entered what was thought to be the building where the Iraqi
computer team was hiding. In fact, the building housed not Iraqis but
computer servers; the attacks were not ordered by Baghdad, and Abu Dhabi
was simply a false trail laid by the hackers. Shortly afterward, two
teenagers in California were arrested. It turned out that they and an
Israeli hacker had launched Solar Sunrise, and their motivation had
nothing to do with Iraq.

U.S. policymakers must also resolve the legal and moral questions
surrounding retaliation in information warfare. The legal principle of
proportionality applies to issues of national sovereignty -- a nation has
every right to use force to defend itself against territorial incursion.
But there is no clear understanding of how or whether proportionality
should apply to information warfare, which involves civilian populations
to a greater extent than does traditional war. If China launched a network
attack to turn off the power in Chicago in midwinter, killing large
numbers of the city's residents, would the United States be justified in
using remote systems to raise the gates of a dam in China and kill the
Chinese living in the valley below? Is responding to a cyber-attack with
conventional force legally, morally, or politically acceptable? These
difficult questions have so far frustrated computer warriors and lawyers

In such a confused environment, the intelligence agencies must improve
their sources and methods. They will have to develop new means of
infiltrating private or government-sponsored groups that wage war in
cyberspace. The CIA targets parties hostile to the United States and
develops covert operations to counter them -- and the same methods must be
employed against those who choose computer networks as their battlefield.

Complicating the intelligence agencies' task of finding computer attackers
is the fact that hackers can use many different routes, so that an attack
that seems to come from London has actually originated in Brazil and
traveled to the United States via Moscow and Antwerp. Tracing an e-mail
virus back to its source, for example, requires individual authorization
from every jurisdiction through which it has traveled. This time-consuming
job restricts the ability of law enforcement to arrest an attacker and of
the Pentagon to retaliate. Congress should pass new legislation that will
allow the tracking of intrusions through the Internet. Further legislation
is needed to allow law-enforcement agents to infiltrate computer networks
when tracking a cyber-criminal, just as they can tap telephone lines. If a
national security priority can be shown, such taps could be allowed by
law. Congress already has the authority to pass some such legislation --
indeed, the intelligence community is authorized to gather information
from foreign computer networks. But for Congress to acquire the necessary
legal license and political leeway to pass comprehensive and effective
measures, the cooperation of other governments is required.

During the Cold War, U.S. and foreign policymakers appropriately recognized
that an armed conflict could threaten access to vital oil supplies.
Washington managed the problem by positioning supplies in areas of risk,
developing a rapid deployment force, and forming international alliances.
In the event of a conflict, American and allied forces could be rapidly
deployed to protect the oil supplies, as happened before the Gulf War. The
same solutions are relevant in a world where computer attacks could cut
American access to an equally vital economic fuel: computer networks.
Although the United States has developed some effective cyber-weapons that
can destroy an enemy's computer network or interrupt a nation's fuel and
water supplies, there is disagreement about when and how they can be used.

These questions must be sorted out inside the United States to avoid the
kind of confusion that emerged in Bosnia. There, the military wanted to
unleash some information attacks against the Bosnian Serbs, but officials
in the Justice Department expressed real concern about whether such
attacks were legal. Coordination with U.S. allies is also necessary to
share information on the threat and what can be done to overcome it.
During the Cold War, the United States and its allies developed an
effective early warning system to detect and track the launch of nuclear
missiles, which could reach their targets within minutes. Similarly, a
hacking technique or e-mail virus developed in Europe can hit the United
States a few minutes later. But as of yet, there is no effective warning
against cyber-attacks.

Another gap in U.S. information defense concerns the several countries with
offensive information-warfare programs that use private companies as a
cover for planting malicious code in seemingly benign computer software.
For example, India or Israel may sell a software solution to a U.S.
government agency that has a virus embedded within it. Currently, there is
no way of comparing a specific piece of software to other commercially
available products to check for any discrepancy in the source code.
Developing the technological means to vet software codes should be a
priority for both the public and the private sectors. The president could
assign this task to the National Science Foundation. At the same time,
foreign companies need to understand that if malicious code is found in
their products, there will be an economic price to pay, such as an import
ban. Such a threat would swiftly persuade foreign companies that
cooperating with their governments in waging computer warfare is not in
their best economic interests.


EVEN IF Washington takes steps to create, guide, and direct a coherent
strategy to combat the cyber-threats to national security, effective
defense will work only in cooperation with the private sector. A new
partnership must be forged between policymakers and the high-tech
community, which generally has better intelligence about
information-network threats than does the government. U.S. network
vulnerability is a shared problem, and there must be a shared solution.

The Bush administration has an opportunity to redefine the national
security environment. The threat of cyber-attack demands leadership and
creative thinking that will produce new solutions. If the administration
remains stuck in the outdated, Cold War paradigm of conflict, U.S. status
as a military superpower will be jeopardized by the new players of the
cyber-world. The United States must neutralize the asymmetric advantage of
waging virtual war. 


This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:10 PDT