Why the U.S. Won't Pull a Brazil--Yet

When "60 Minutes" reported that computer hackers had shut off the lights in some Brazilian cities, it raised the obvious question of who was behind the alleged attack. The answers aren't clear, but it is clear that many countries are developing the capabilities to attack their adversaries in cyberspace and to do massive damage to critical infrastructures like the electrical grid. The United States already has those capabilities.

In the current issue of National Journal, I tell the story of how the National Security Agency and the U.S. military in Iraq were able to use cyber attacks to penetrate the communications networks of insurgents and foreign fighters. It was a surgical strike, aimed at a discrete target. But it raises an obvious question: Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first.

To understand why, forget about the cyber dimension for a moment. Imagine that some foreign military had flown over a power substation and Brazil and dropped a bomb on it, depriving electricity to millions of people, as well as the places they work, the hospitals they visit, and the transportation they use. If there were no official armed conflict between Brazil and its attacker, the bombing would be illegal under international law. That's a pretty basic test. But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict. For starters, it could be considered disproportionate, particularly if Brazil hadn't launched any similar sized offensive on its adversary. Shutting off electricity to whole cities can effectively paralyze them. And the bombing would clearly target non-combatants. The government uses electricity, yes, but so does the entire civilian population.

Now add the cyber dimension. If the effect of a hacker taking down the power grid is the same as a bomber--that is, knocking out electrical power--then the same rules apply. That essentially was the conclusion of a National Academies of Sciences report in April. The authors write, "During acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), cyber attack is governed by all the standard law of armed conflict. ...If the effects of a kinetic attack are such that the attack would be ruled out on such grounds, a cyber attack that would cause similar effects would also be ruled out."

The United States has never argued that the laws of armed conflict don't apply in cyberspace. Indeed, the military has operated under the assumption--based on experience--that cyber weapons can be so devastating that they must be used sparingly. According to a report in The Guardian, military planners refrained from launching a broad cyber attack against Serbia during the Kosovo conflict for fear of committing war crimes. The Pentagon theoretically had the power to "bring Serbia's financial systems to a halt" and to go after the personal accounts of Slobodan Milosevic, the newspaper reported. But when the NATO-led bombing campaign was in full force, the Defense Department's general counsel issued guidance on cyber war that said the law of (traditional) war applied.

The military ran into this same dilemma four years later, during preparations to invade Iraq in 2003. Planners considered whether to launch a massive attack on the Iraqi financial system in advance of the conventional strike. But they stopped short when they realized that the same networks used by Iraqi banks were also used by banks in France. Releasing a vicious computer virus into the system could potentially harm America's allies. Some planners also worried that the contagion could spread to the United States. It could have been the cyber equivalent of nuclear fallout.

The reported conclusions of Pentagon lawyers and planners find echoes in the Academies report: "The fact that an attack is carried out through the use of cyber weapons rather than kinetic weapons is far less significant than the effects that result from such use." That's the critical question facing the United States military as it stands up a new Cyber Command: What real world effect would hacking a power grid have? What disruption to civilian life would corrupting a bank's databases cause? The United States has apparently concluded that the repercussions would be profound, widespread, and unjust.

A year and a half ago, I asked the head of counterintelligence for the United States, Joel Brenner, what kinds of cyber attacks would qualify as acts of war. He'd clearly given the question some thought. If another nation took out a piece of our power grid, that would qualify, he said. No different than if they'd attacked it with explosives.

In May, the current director of the National Security Agency, Lt. Gen. Keith Alexander, told a congressional panel that cyber attacks in Estonia and Georgia a few years ago, which knocked out public communications and disrupted banking, got close to the definition of cyber war. Alexander didn't say whether the United States would ever engage in such attacks. But it's hard to believe that he would think that's a good idea. Not unless we'd been attacked first, and in similar fashion. And if that had happened, the escalation from cyber war into real world war would be swift and devastating.

More comfortable online than out partying, post-Millennials are safer, physically, than adolescents have ever been. But they’re on the brink of a mental-health crisis.

One day last summer, around noon, I called Athena, a 13-year-old who lives in Houston, Texas. She answered her phone—she’s had an iPhone since she was 11—sounding as if she’d just woken up. We chatted about her favorite songs and TV shows, and I asked her what she likes to do with her friends. “We go to the mall,” she said. “Do your parents drop you off?,” I asked, recalling my own middle-school days, in the 1980s, when I’d enjoy a few parent-free hours shopping with my friends. “No—I go with my family,” she replied. “We’ll go with my mom and brothers and walk a little behind them. I just have to tell my mom where we’re going. I have to check in every hour or every 30 minutes.”

Those mall trips are infrequent—about once a month. More often, Athena and her friends spend time together on their phones, unchaperoned. Unlike the teens of my generation, who might have spent an evening tying up the family landline with gossip, they talk on Snapchat, the smartphone app that allows users to send pictures and videos that quickly disappear. They make sure to keep up their Snapstreaks, which show how many days in a row they have Snapchatted with each other. Sometimes they save screenshots of particularly ridiculous pictures of friends. “It’s good blackmail,” Athena said. (Because she’s a minor, I’m not using her real name.) She told me she’d spent most of the summer hanging out alone in her room with her phone. That’s just the way her generation is, she said. “We didn’t have a choice to know any life without iPads or iPhones. I think we like our phones more than we like actual people.”