Why the U.S. Won't Pull a Brazil--Yet

When "60 Minutes" reported that computer hackers had shut off the lights in some Brazilian cities, it raised the obvious question of who was behind the alleged attack. The answers aren't clear, but it is clear that many countries are developing the capabilities to attack their adversaries in cyberspace and to do massive damage to critical infrastructures like the electrical grid. The United States already has those capabilities.

In the current issue of National Journal, I tell the story of how the National Security Agency and the U.S. military in Iraq were able to use cyber attacks to penetrate the communications networks of insurgents and foreign fighters. It was a surgical strike, aimed at a discrete target. But it raises an obvious question: Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first.

To understand why, forget about the cyber dimension for a moment. Imagine that some foreign military had flown over a power substation and Brazil and dropped a bomb on it, depriving electricity to millions of people, as well as the places they work, the hospitals they visit, and the transportation they use. If there were no official armed conflict between Brazil and its attacker, the bombing would be illegal under international law. That's a pretty basic test. But even if there were a declared war, or a recognized state of hostilities, knocking out vital electricity to millions of citizens--who presumably are not soldiers in the fight--would fail a number of other basic requirements of the laws of armed conflict. For starters, it could be considered disproportionate, particularly if Brazil hadn't launched any similar sized offensive on its adversary. Shutting off electricity to whole cities can effectively paralyze them. And the bombing would clearly target non-combatants. The government uses electricity, yes, but so does the entire civilian population.

Now add the cyber dimension. If the effect of a hacker taking down the power grid is the same as a bomber--that is, knocking out electrical power--then the same rules apply. That essentially was the conclusion of a National Academies of Sciences report in April. The authors write, "During acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), cyber attack is governed by all the standard law of armed conflict. ...If the effects of a kinetic attack are such that the attack would be ruled out on such grounds, a cyber attack that would cause similar effects would also be ruled out."

The United States has never argued that the laws of armed conflict don't apply in cyberspace. Indeed, the military has operated under the assumption--based on experience--that cyber weapons can be so devastating that they must be used sparingly. According to a report in The Guardian, military planners refrained from launching a broad cyber attack against Serbia during the Kosovo conflict for fear of committing war crimes. The Pentagon theoretically had the power to "bring Serbia's financial systems to a halt" and to go after the personal accounts of Slobodan Milosevic, the newspaper reported. But when the NATO-led bombing campaign was in full force, the Defense Department's general counsel issued guidance on cyber war that said the law of (traditional) war applied.

The military ran into this same dilemma four years later, during preparations to invade Iraq in 2003. Planners considered whether to launch a massive attack on the Iraqi financial system in advance of the conventional strike. But they stopped short when they realized that the same networks used by Iraqi banks were also used by banks in France. Releasing a vicious computer virus into the system could potentially harm America's allies. Some planners also worried that the contagion could spread to the United States. It could have been the cyber equivalent of nuclear fallout.

The reported conclusions of Pentagon lawyers and planners find echoes in the Academies report: "The fact that an attack is carried out through the use of cyber weapons rather than kinetic weapons is far less significant than the effects that result from such use." That's the critical question facing the United States military as it stands up a new Cyber Command: What real world effect would hacking a power grid have? What disruption to civilian life would corrupting a bank's databases cause? The United States has apparently concluded that the repercussions would be profound, widespread, and unjust.

A year and a half ago, I asked the head of counterintelligence for the United States, Joel Brenner, what kinds of cyber attacks would qualify as acts of war. He'd clearly given the question some thought. If another nation took out a piece of our power grid, that would qualify, he said. No different than if they'd attacked it with explosives.

In May, the current director of the National Security Agency, Lt. Gen. Keith Alexander, told a congressional panel that cyber attacks in Estonia and Georgia a few years ago, which knocked out public communications and disrupted banking, got close to the definition of cyber war. Alexander didn't say whether the United States would ever engage in such attacks. But it's hard to believe that he would think that's a good idea. Not unless we'd been attacked first, and in similar fashion. And if that had happened, the escalation from cyber war into real world war would be swift and devastating.