Slashdot Mirror
U.S. Military Grapples With Cyber Warfare Rules
A number of readers have written to us with a report from Reuters regarding the US Military and cyber-warfare. The context is that the reason the US military did not crack into any of the Serbian boxes because the rules of war are still so murky in that area. What do you folks think? Anything goes? Or should we have a special section added to the Geneva Conventions?Update: 11/08 09:33 by H :Thanks to spartan for a better story on the subject.
War is war isn't it. It is the killing of people or industries to make the other side bend under the pressure of your forces. Cyber-warefare should be no different. Cyber-warefare in my opinion wouldn't be nearly as costly in human lives and wasted dollars. Hacking is a lot cheaper than sending boat loads of Marines to another country.
Good is never enough, when you dream of being great!
Was it actually a declared war? I honestly don't remember any such vote by Congress...
In any event, I'd think the (im)practicality would be more of a consideration than ethics. There's little reason that their defense infrastructure would allow, say, Telnet access from the rest of the world even if it were based on TCP/IP; hence, (physically) attacking would be the main way to DoS...
...concerning ethics, by the time you're committed to airstrikes and launching cruise missiles, it's a little late to be worrying about the whether you're being "nice" to their computers.
Only the dead have seen the end of war.
IMHO, this needs to be taken one step at a time, and should be inclusive, rather than exclusive. (ie: anything NOT explicitly permitted should be forbidden. That prevents people trying to sneak round restrictions.)
Also, there should be one overriding rule - computer warfare or electronic warfare for the explicit purpose of inflicting higher casualties than could be reasonably & legitamately achieved otherwise, casualties in groups not otherwise deemed legitamate targets, or caualties in any group for the purpose of inflicting terror, should ALWAYS be prohibited and a war crime.
In other words, DoS attacks on things like hospitals, emergency services and nursaries should be a BIG no-no. Mangling power-station computers would be reasonable, unless the place it supplies is in the middle of a 30' snow-drift, and heat is all that's keeping everyone alive, or a terrible heat-wave, where even a momentary failure of air conditioning would kill 3/4 of the civilian population.
Military RADAR systems would also make for a reasonable target. Blinding it, rather than blowing it up, would spare lives, whilst having much the same effect. Shutting down civilian RADAR, or interfering with it, for the purpose of causing jet airliners to collide or crash, should get any commander who chose such a tactic suspended over a crocodile pit by their big toes.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Nononono! It's not his fault. A squad of crack mice, from the higher dimensions (and recently guests on Magrathea) were testing their new cyber-warfare expansion pack for Windows 98 on Earth (which is, in fact, a mega-computer), and Hemos' brain got caught in the backwash from the mangled computational matrix.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Consider this:
The army hack into the electrical system, and shut down the power to a city.
A hospital in the city has a generator failure as a result and several babies and patients on life support die.
Has this violated the Geneva Convention rules on war?
The problem here isn't so much the rules as the results of a cyberwar attack. A cyberwar attack can be much more far reaching than people think.
A cyberwar attack can sometimes take out a specific target, eg a TV station, but in many cases the results of the attack can't be so easily planned for.
Many computer systems are configured with triggered-backups and inter-networked with other systems so that these respond in a certain way if a failure occurs.
Going back to my electrical example, what if the main power computer system is linked to a computer in a nuclear power plant that polls it to see if it needs to up the load to take care of a demand. If the software was buggy (and in Eastern Europe, this could very well be the case) the reactor could overload before someone realises and you have a second Chernoybl.
For a cyberwar attack to succeed you need to have a complete picture of the target. Only when you have a complete picture can you decide to attack or not. This is why the military rely so much on satellite and air imaging systems - they need to know exactly what is being hit. Without a clear picture you can take out a target and not realise that you just started a firestorm.
Is it wrong to bomb hospitals? Is it better to hack the hospital records so that all blood-type and allergy information is corrupt?
Is it better to bomb sewage treatment plants so that the people die of disease, or is it better to hack the computers so that sewers are allowed to overflow into the streets?
Cyber-warfare is just another step in the attempted sanitisation of war. We already know that if you maim someone with a cruise missile it's OK, but if you maim them with a machete then you're war criminal. Good to know that morality is linked to military technology.
Presumably in 20 years while our brave lads kill the enemy with computers from underground, we'll be condeming the atrocity of indiscrimate killing by out-dated Serbian smart bombs.
So let's hear it for war-by-wire. Why travel to far away places, meet interesting people and kill them when you can just kill them, eh?
P.S. I use Serbia only as a recent example of 'hi-tech good low tech bad' reporting in the news. I have no particular view on who was/is right or wrong in that war.
-----
How else are those who don't respect to learn different, unless they see different and see that that difference is giving others an advantage that intolerence, abuse and misuse do not?
I'll give an example. Sun Tzu, in is (in)famous "Art of War", makes it clear that destroying infrastructure is a Bad Idea, and hurts the attacker as much as the atacked. His theories are time-tested and are still largely accepted today. But do you think he learned that good treatment was a strength, in war, through only seeing abuse? Nope. There's no way he could have seen the advantage unless it had been shown, in some form or other.
What does this mean? It means that "all is NOT fair in love and war", and that the only way to get that across to more violent cultures is to demonstrate the innate superiority of true decency.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Here's a site that includes the Geneva Convention relative to the Protection of Civillian Persons in Time of War, in addition to other interesting documents.
Only the dead have seen the end of war.
The army hack into the electrical system, and shut down the power to a city.
A hospital in the city has a generator failure as a result and several babies and patients on life support die.
Has this violated the Geneva Convention rules on war?
The same thing applies if the drop a couple of bombs on the power plant as well though. And the military regularly bombs power plants during conflicts. The difference is that it's a lot easier to rebuild the computer network than it is to rebuild the actual power plant. cyber warfare is 'nicer' than conventional warfare.
Kintanon
Check out JoshJitsu.info for Brazilian Ji
Geneva Convention of 1949
The convention deals mainly with the protection of innocents and prisoners.
Articles 12 & 13 deals with protection of wounded and sick
Articles 19 to 23 deals with protection of hospitals and medical units
Article 33 deals with protected buildings
All these could be accidentally affected by a cyberwarfare attack and put the attacker in violation of the geneva convention and liable to a war crimes trial.
Take article 19 as an example:
Art. 19. Fixed establishments and mobile medical units of the Medical Service may in no circumstances be attacked, but shall at all times be respected and protected by the Parties to the conflict. Should they fall into the hands of the adverse Party, their personnel shall be free to pursue their duties, as long as the capturing Power has not itself ensured the necessary care of the wounded and sick found in such establishments and units.
The responsible authorities shall ensure that the said medical establishments and units are, as far as possible, situated in such a manner that attacks against military objectives cannot imperil their safety.
Shutting off power to a city could affect a hospital and put the attacker in violation of the convention. If you are trying to make yourself be seen as the force of good, then this would hurt your credibility a lot. This is also why hospitals were given so much press during war.
The convention is drafted so that many things are already protected even under cyberwar. But I do think it needs to be extended to include protection of certain forms of attack.
Hrmmmm.
The communications infrastructure might be a reasonable target. There's the one-way methods (typically state-controlled broadcast media, used for spreading propaganda and mobilizing people), and the two-way methods (phones, radio, computers...).
If you can disable the first -- which might very well require a physical attack -- then you might increase uncertainty among the civillians.
If you can disable the second, you may be able to hamper such things as civillians reporting information to their government (civillian spotters warning about inbound aircraft, say, in the event that radar's being jammed/bombed; or reporting troop movements in the event of an actual invasion); orders from the government outside (such as summoning staff who aren't on-base for whatever reason, and any logistics that aren't completely w/n military lines), and so forth.
I'm figuring that radio communications can be triangulated, and the phone grid either hit physically (exchanges generally don't run away), or flooded. Network communications tend to go on leased phone lines, as well, so that may be a 2-for-1: voice/data.
In theory, one could nail enough communications infrastructure to make confusing and isolating an opposing force much easier...
Only the dead have seen the end of war.
The U.S.A. have little to fear in the way of invasion--we can still count on two large bodies of water to make a direct assault on our shores too costly to consider. In the cyberwar context, however, we cannot count on any natural geographical barriers, and we may be at a significant disadvantage because of our dependence on less-than-secure technology and our "Cover Your Ass at All Costs" corporate and government cultures. The Information Superdirtroad leads right to the back door of almost every mission critical institution and enterprise in this country and, as slashdot readers know, few of those doors are securely locked.
I think it would be wise of our military to refrain from cyberwar until the overall quality of security on corporate and government networks is improved. We can count on the military to defend us against an attacking force on the ground, but on the 'net, we're all on the front lines and it's every man for himself.
slashdot broke my sig
IMO, the Pentagon is probably hoping that the lack of any offensive information warfare activity on their part will prevent, for example, Serbia from actively trying to bring down the electronic keystones of the US economy
Yeah, just wait until some 2nd world country manages to DoS Slashdot and take credit for it. Two hundred thousand angry geeks will have reduced their entire information infrastructure to a smoking pile of toaster parts within seconds.
Kintanon
Check out JoshJitsu.info for Brazilian Ji
Actually, Saddam Hussain is an excellent example of WHY the destructive approach doesn't work, except for the destructive. He put all the soldiers most likely to rebel or desert on the front line, where the Americans could drop cluster bombs on them. In short, America footed the bill for Saddam's political security.
This is not to say that something shouldn't have been done. It did. And given the alternatives available at the time, the Allies did the best job they could have done, IMHO.
However, the fact remains that it had largely the opposite effect to the one the Allies wanted, precicely because their efforts were as destructive as the person they were trying to replace.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Hmm...counter to the article's statement, I think computer or "cyber" warfare, is a type of warfare that makes most sense NOT being practiced by purely military organizations. In the case of the United States, it would appear to me that such warfare would be the realm of agencies like the CIA, NSA, not a military division like the Army, Navy or Air Force. Cyber warfare is more insidious, requires more care, precision and stealth, is more controversial and prone to scandal, and I think probably would be the realm of spooks, and /intelligence/ organizations, not GIs. Computer warfare in general is a very touchy subject...consider the day when everybody is connected through a pervasive global network (well, that's almost the picture today). Cannot an act against a piece of the global network be considered an attack on all parties? How can it be localised? This is probably something that needs to be discussed and written down in one of those rules of war agreements.
It's 10 PM. Do you know if you're un-American?
...but the purpose was nominally the same, no?
An individual helping to lead a massacre of a village wasn't looked upon too kindly by authorities who'd be under pressure if they didn't prosecute and convict. Not that this seems to happen with heads of state...
True, 'tho, it's pretty rare for anybody from a superpower or former superpower to get nailed thusly.
Only the dead have seen the end of war.
The U.S. sucessfully asserted its national sovereignity, which I think has to count as victory.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Here's to the hope that the military drafts a few thousand script kiddies, realize their IRC skills are useless and makes them pick up a gun. Good luck in the front, kids!
cyber warfare is fought on many different battle fields, and in many ways we have been fighting cyber wars for quite a while. do a little reading on the Navy war game where a US Navy ship was taken over and one of it's missles launched in a cyber warfare attack, you'll get an idea of how these things work. cyber warfare involves things like:
- Radio/Radar Jamming, EMF Disruptions, other DoS attacks. we've been doing this for a long time.
- Stealing proprietary technology that missles, ships, et. al. are controlled with and using it to attack/compromise the enemy.
- Compromising physical technology/network access points to further attack/manipulate the enemy.
- Disruption of electronic banking systems (freezeing foreign assets, disabling systems, stealing money)
- It also involves all kinds of technologies, rarely the Internet. i.e. Spread Spectrum, VHF, UHF, Satellite, GSM (and cell protocols), other radio frequencies, etc...
- any typical act of war (propaganda, disabling supply lines and communications, spying, etc...)
the biggest advantage any attacker could gain by using cyber warfare IMHO would be to steal proprietary knowledge, information, and war plans.remember that cyber warfare is not a *new war*. war is war and cyber warfare is a means to an end. CW is just new ways of doing the things that war has always done, even since the days of King David or Sun Tzu.