As the worldwide explosion of information technology, including computing, telecommunications, and networks, is changing the way we conduct business, government, and education, it promises to change the way we fight.1 Information technology is diffusing into virtually all military weapons, communications, and command and control systems, as well as the civilian systems that support modern industrial (or post-industrial) economies and their military efforts. Some of the new ways of fighting have been labeled "information warfare," which has been broadly defined as "any action to deny, exploit, corrupt, or destroy the enemy's information and its functions; protecting ourselves against those actions; and exploiting our own military information functions."2 As such, information warfare includes both new techniques, such as computer intrusion and disruption and telecommunications spoofing, and old ones, such as ruses, camouflage, and physical attacks on observation posts and lines of communication. Some have suggested that information warfare could usher in an era of largely bloodless conflict; battle would occur in "cyberspace," as U.S. "information warriors" would be able to disable important enemy command and control or civilian infrastructure systems with little, if any, loss of life.3 Others have projected futures of conflict in which the bloodletting is only enhanced by improved and broadened communications.4 Still others have suggested that information technology may contribute to the development of new forms of social organization, along with new forms of conflict.5
Whatever the development and diffusion of information technology mean for the future of warfare, it is apparent that some of the new forms of attack that information technology enables may be qualitatively different from prior forms of attack. The use of such tools as computer intrusion and computer viruses, for example, may take war out of the physical, kinetic world and bring it into an intangible, electronic one. These newer forms of attacks, some of which may seem to be the products of science fiction, range along continuums extending from those with no physical impact on the enemy to some that would cause grave destruction or loss of life, from those with no physical intrusion beyond national borders to those requiring traditional, military invasions, and from those affecting purely civilian targets to those hitting purely military ones. Attacks could be conducted from a distance, through radio waves or international communications networks, with no physical intrusion beyond enemy borders. Damage could range from military or civilian deaths from system malfunctions, to the denial of service of important military or governmental systems in time of crisis, to widespread fear, economic hardship, or merely inconvenience for civilian populations who depend upon information systems in their daily lives.
The following are examples-some likely, some perhaps farfetched-of attacks that countries or nongovernmental entities might pursue, or suffer, as they wage warfare in the Information Age.
Law attempts to govern war, as it does most human endeavors. International law governs interaction among nations. International law primarily consists of "conventional" law and "customary" law.17 Conventional law is that made by treaty or other explicit agreement among nations, who are bound to their agreements under the principle of pacta sunt servanda, or "agreements are to be observed."18 Examples of conventional law would include the Paris Peace Treaty of 1783, which ended the U.S. War of Independence and fixed the borders of the new republic, the 1968 Treaty on the Non-Proliferation of Nuclear Weapons, and the General Agreement on Tariffs and Trade (GATT).
Customary law results from the general and consistent practice of states' opinio juris, or with the understanding that the practice is required by law, not just expedience. Customary law may develop from understandings reflected in treaties or other agreements, even if they have not been ratified, declarations or votes of international bodies such as the General Assembly of the United Nations, or the statements and actions of governments and their officials.19 There is no universally accepted way to determine whether a customary international legal norm has been established. To a great extent, customary international law must be like obscenity to the late U.S. Supreme Court Justice Potter Stewart-something we know when we see it.20 Examples of customary law include the traditional protected status of diplomats and the historical three-nautical mile claim to coastal territorial waters.
Even when legal norms seem well-established in theory, patterns of contrary state practice may contribute to the decline or alteration of the principles. Just as popular disregard for a trademark, such as cellophane, aspirin, or thermos, can result in that trademark losing its legal force and becoming a generic term, violation of an ostensible customary legal principle can cause its demise.21 Law based upon actors' recognition that it is indeed law loses force when those actors no longer recognize it.22
In considering international law, particularly in the context of national security, it is important to stress some distinctions between international and domestic law. Unlike most nations' domestic law, international law is not a body of law created by legislatures and courts and enforced by police through a court system. Rather, international law is generally established by agreement, either explicit or tacit, among the parties who will be bound by it, much as private parties enter into contracts with each other. Although international legal forums, such as the International Court of Justice, do exist, their enforcement mechanisms are limited at best; no international police force walks the world beat. Consequently, a country that is willing to accept the political and diplomatic consequences that may ensue when it defies international law may do so. As a crude example, the Revolutionary Islamic government of Iran blatantly disregarded the traditional sovereignty and sanctuary of the U.S. Embassy in Tehran in the late 1970s and early 1980s, but if it had any concerns about external reactions, those concerns seemed more directed at the threat of economic sanctions or U.S. military action, not at some global police force. It seems likely that nations will be least likely to follow the dictates of international law where those dictates endanger or conflict with the pursuit of their fundamental interests, including national security.
From a legal perspective, the older forms of information warfare pose few unanswered questions under customary or treaty law. For example, the use of camouflage to elude enemy observers was old even when Macduff and his men brought Burnham Wood to Dunsinane;23 ancient Greek soldiers blinded their foes by reflecting the sun off their shields; and both sides attempted to cut each others' telegraph lines during the U.S. Civil War, and there is little doubt of these actions' propriety. Similarly, wartime physical attacks against military observation systems, from lookout posts to radar stations, are unquestionably acceptable under international law.
But the development of information technology, specifically computers, telecommunications, and networks, makes it possible for adversaries to attack each other in new ways and with new forms of damage, and may create new targets for attack. Attackers may use international networks to damage or disrupt enemy systems, without ever physically entering the enemy's country, and countries' dependence upon electronic or other information-based systems may make those systems particularly attractive targets. Furthermore, the dual-use nature of many information systems and infrastructures may blur the distinction between military and civilian targets.
Such new attacks may pose problems for international law because law is inherently conservative; technological change may enable new activities that do not fit within existing legal categories, or may reveal contradictions among existing legal principles. Information warfare challenges existing international law in three primary ways. First, the sort of intangible damage that such attacks may cause may be analytically different from the physical damage caused by traditional warfare. The kind of destruction that bombs and bullets cause is easy to see and understand, and fits well within longstanding views of what war means. In contrast, the disruption of information systems, including the corruption or manipulation of stored or transmitted data, may cause intangible damage, such as disruption of civil society or government services that may be more closely equivalent to activities such as economic sanctions that may be undertaken in times of peace.
Second, the ability of signals to travel across international networks or through the atmosphere as radio waves challenges the concept of national, territorial sovereignty. Sovereignty, which has been a fundamental principle of international law since the Treaty of Westphalia of 1648, holds that each nation has exclusive authority over events within its borders.24 Sovereignty may not be suited to an increasingly networked, or "wired" world, as signals traveling across networks or as electromagnetic waves may cross international borders quickly and with impunity, allowing individuals or groups to affect systems across the globe, while national legal authority generally stops at those same borders. Furthermore, the intangible violation of borders that signals may cause may not be the sort of violation traditionally understood to be part of a military attack.
Third, just as information warfare attacks may be difficult to define as "peace" or "war," it may be hard to define their targets as military (and thus generally legitimate targets) or civilian (generally forbidden). Furthermore, the intangible damage the attacks cause may not be the sort of injuries against which the humanitarian law of war is designed to protect noncombatants.
Graphic representations may be helpful in understanding the analytical continuums along which information attacks may occur. Figure 1 illustrates the physical destructiveness of attacks, ranging from a propaganda broadcast, which may have no physical effects on its target, to a computer intrusion that may hinder the workings of government, military or civilian systems, to a computer intrusion that causes a destructive or fatal system failure. Most physically destructive, of course, would be an attack using massive kinetic force, with a thermonuclear attack as an extreme example. It is not difficult to place attacks along the continuum in a manner that is not quite arbitrary, although the appropriateness of each particular point may be debatable. It may be much harder to establish the location of the point on the continuum that divides "peace" from "war," or to determine when each particular attack may be permissible under international law.25
Figure 2 illustrates the extent to which particular attacks intrude across nations' borders. Least intrusive would be an "infoblockade," whereby a country's communications beyond its borders would be cut off.26 A computer intrusion might be considered to violate the target country's borders, whatever its destructive impact, although such characterization may not be inevitable, as discussed in Part II. Espionage, with the infiltration of an agent into the target country, would obviously require the crossing of borders, although perhaps on a limited scale. Finally, a military invasion's intrusiveness is obvious. Just as the destructiveness of an attack may be relevant for its characterization as "peace" or "war," so too will be this element of intrusion across borders, with the potential difference that it may be easier to characterize the destructiveness of an attack than it may be to determine the extent to which an attack violates a nation's borders (and sovereignty).27
Figure 3 illustrates the diverse character of the targets of potential attacks. Some targets, such as armored forces on the battlefield, are unambiguously military in character, and are thus the legitimate targets for attacks. Other targets, such as churches, kindergartens, or hospitals, are purely civilian in character, and may not be made the targets for attacks, although they may often suffer collateral damage from otherwise legitimate attacks. The acceptability of other targets, ranging from government social service systems to munitions factories, may vary with their contribution to a nation's war effort. As discussed, the dual-use nature of many telecommunications and computing systems may make them subject to attacks that will have grave civilian consequences. The borderline between legitimate and illegitimate targets of war is thus difficult to draw in the abstract. Furthermore, information warfare techniques that may cause grave hardship to civilians may not be considered to be "war," and may not be covered by the humanitarian provisions that attempt to lessen war's cruelty.28
The United States has a particularly significant stake in understanding how international law will apply to these new forms of conflict. First, as a matter of domestic politics, the United States has a largely legal culture. The U.S. Government is described as one of laws; in public political rhetoric acts are routinely described and discussed in legal terms, and characterizing an act as illegal can be a harsh and politically damaging criticism. Second, as a matter of domestic law, international law is as much a part of the "law of the land" as are the statutes that Congress enacts.29 Third, given the U.S. Government's apparent preference in the post-Cold War era (and even before) for acting militarily under the auspices of international coalitions or the United Nations, its prospects for obtaining such auspices are greater when it can persuade other nations that its actions are legal and those of its foes are not. Finally, as the preeminent world power, and one particularly dependent upon information systems, the United States has a stake in the international status quo. To the extent international law helps to provide stability and protect critical information systems, it may benefit U.S. interests.
This book will identify issues that arise from the development of information warfare under international law, and discuss how the law might be applied.30 It will look at both offensive information warfare and the responses that a nation may make to attacks on its information systems. Finally, the book will outline approaches to resolving legal ambiguities surrounding information warfare and addressing some of the difficulties that arise when old laws and new technologies collide.
| Index | Acknowledgments | Preface | Executive Summary | Chapter 1 | Chapter 2 | Chapter 3 | Chapter 4 | About the Authors | Endnotes |