When "60 Minutes" reported that computer hackers had shut off the lights in some Brazilian cities, it raised the obvious question of who was behind the alleged attack. The answers aren't clear, but it is clear that many countries are developing the capabilities to attack their adversaries in cyberspace and to do massive damage to critical infrastructures like the electrical grid. The United States already has those capabilities.
In the current issue of National Journal, I tell the story of how the National Security Agency and the U.S. military in Iraq were able to use cyber attacks to penetrate the communications networks of insurgents and foreign fighters. It was a surgical strike, aimed at a discrete target. But it raises an obvious question: Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first.
To understand why, forget about the cyber dimension for a moment. Imagine that some foreign military had flown over a power substation and Brazil and dropped a bomb on it, depriving electricity to millions of people, as well as the places they work, the hospitals they visit, and the transportation they use. If there were no official armed conflict between Brazil and its attacker, the bombing would be illegal under international law. That's a pretty basic test. But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict. For starters, it could be considered disproportionate, particularly if Brazil hadn't launched any similar sized offensive on its adversary. Shutting off electricity to whole cities can effectively paralyze them. And the bombing would clearly target non-combatants. The government uses electricity, yes, but so does the entire civilian population.
Now add the cyber dimension. If the effect of a hacker taking down the power grid is the same as a bomber--that is, knocking out electrical power--then the same rules apply. That essentially was the conclusion of a National Academies of Sciences report in April. The authors write, "During acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), cyber attack is governed by all the standard law of armed conflict. ...If the effects of a kinetic attack are such that the attack would be ruled out on such grounds, a cyber attack that would cause similar effects would also be ruled out."
The United States has never argued that the laws of armed conflict don't apply in cyberspace. Indeed, the military has operated under the assumption--based on experience--that cyber weapons can be so devastating that they must be used sparingly. According to a report in The Guardian, military planners refrained from launching a broad cyber attack against Serbia during the Kosovo conflict for fear of committing war crimes. The Pentagon theoretically had the power to "bring Serbia's financial systems to a halt" and to go after the personal accounts of Slobodan Milosevic, the newspaper reported. But when the NATO-led bombing campaign was in full force, the Defense Department's general counsel issued guidance on cyber war that said the law of (traditional) war applied.