Panel Advises Clarifying U.S. Plans on Cyberwar
The report, based on a three-year study by a panel assembled by the National Academy of Sciences, is the first major effort to look at the military use of computer technologies as weapons. The potential use of such technologies offensively has been widely discussed in recent years, and disruptions of communications systems and Web sites have become a standard occurrence in both political and military conflicts since 2000.
The report, titled “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” concludes that the veil of secrecy that has surrounded cyberwar planning is detrimental to the country’s military policy.
The report’s authors include Adm. William A. Owens, a former vice chairman of the joint chiefs of staff; William O. Studeman, former deputy director of the Central Intelligence Agency; and Walter B. Slocombe, former under secretary of defense for policy. Scientists and cyberspecialists on the panel included Richard L. Garwin, an I.B.M. physicist.
Admiral Owens said at a news conference Wednesday in Washington that the notion of “enduring unilateral dominance in cyberspace” by the United States was not realistic in part because of the low cost of the technologies required to mount attacks. He also said the idea that offensive attacks were “nonrisky” military options was not correct.
In the United States, the offensive use of cyberweapons is a highly classified military secret. There have been reports going back to the 1990s that American intelligence agencies have mounted operations in which electronic gear was systematically modified to disrupt the activities of an opponent or for surveillance purposes. But these activities have not been publicly acknowledged by the government.
The report concludes that the United States should create a public national policy regarding cyberattacks based on an open debate on the issues. The authors also call on the United States to find common ground with other nations on cyberattacks to avoid future military crises.
The authors point to a 2004 Pentagon statement on military doctrine, indicating that the United States might respond to a cyberattack with the military use of nuclear weapons in certain cases. “For example,” the Pentagon National Military Strategy statement says, “cyberattacks on U.S. commercial information systems or attacks against transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent.”
Pentagon and military officials confirmed that the United States reserved the option to respond in any way it chooses to punish an adversary responsible for a catastrophic cyberattack. While the options could include the use of nuclear weapons, officials said, such an extreme counterattack was hardly the most likely response.
“The United States reserves the right to respond to intrusions into government, military and national infrastructure information systems and networks by nations, terrorist groups or other adversaries in a manner it deems appropriate,” said one senior Pentagon official.
Another senior Pentagon official added, “While the United States would always reserve the right to respond appropriately to defend the nation and its citizens, this kind of scenario is extremely speculative and requires an enormously vivid imagination.”
The two officials spoke on the condition of anonymity because of the highly classified nature of planning for cyberwarfare and nuclear warfare. Both officials emphasized that in American military planning, there are only rare instances when any specific option would be declared off-limits in advance.
This effort to specifically project a lack of clarity is viewed as important to keeping an adversary uncertain of the severity of an American counterattack. Introducing that uncertainty into the thinking of an adversary’s government and military has historically been an essential element of deterrence, whether traditional nuclear deterrence or today’s cyberwar planning.
For example, during the cold war, when the Soviet Union and its Warsaw Pact allies stationed an overwhelming conventional force in Central Europe, American planners were never certain that NATO’s tanks and artillery could hold back the Soviet-led armor if an offensive was begun across the Fulda Gap in Germany.
Thus, the United States never declared that it would be bound to respond to a Soviet and Warsaw Pact conventional invasion with only American and NATO conventional forces. The fear of escalating to a nuclear conflict was viewed as a pillar of stability and is credited with helping deter the larger Soviet-led conventional force throughout the cold war.
Introducing the possibility of a nuclear response to a catastrophic cyberattack would be expected to serve the same purpose.