Denial of Service

Lawyers are crippling America's ability to defend against cyberwar with arcane rules and regulations. But war waits for no man.

BY STEWART BAKER | SEPTEMBER 30, 2011

Lawyers don't win wars. But can they lose one?

We're likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they've left the military unable to fight or even plan for a war in cyberspace. But the only thing they're likely to accomplish is to make Americans less safe.

No one seriously denies that cyberwar is coming. Russia pioneered cyberattacks in its conflicts with Georgia and Estonia, and cyberweapons went mainstream when the developers of Stuxnet sabotaged Iran's Natanz uranium-enrichment plant, setting back the Islamic Republic's nuclear weapons program more effectively than a 500-pound bomb ever could. In war, weapons that work get used again.

Unfortunately, it turns out that cyberweapons may work best against civilians. The necessities of modern life -- pipelines, power grids, refineries, sewer and water lines -- all run on the same industrial control systems that Stuxnet subverted so successfully. These systems may be even easier to sabotage than the notoriously porous computer networks that support our financial and telecommunications infrastructure.

And the consequences of successful sabotage would be devastating. The body charged with ensuring the resilience of power supplies in North America admitted last year that a coordinated cyberattack on the continent's power system "could result in long-term (irreparable) damage to key system components" and could "cause large population centers to lose power for extended periods." Translated from that gray prose, this means that foreign militaries could reduce many U.S. cities to the state of post-Katrina New Orleans -- and leave them that way for months.

Can the United States keep foreign militaries out of its networks? Not today. Even America's premier national security agencies have struggled to respond to this new threat. Very sophisticated network defenders with vital secrets to protect have failed to keep attackers out. RSA is a security company that makes online credentials used widely by the Defense Department and defense contractors. Hackers from China so badly compromised RSA's system that the company was forced to offer all its customers a new set of credentials. Imagine the impact on Ford's reputation if it had to recall and replace every Ford that was still on the road; that's what RSA is experiencing now.

HBGary, another well-respected security firm, suffered an attack on its system that put thousands of corporate emails in the public domain, some so embarrassing that the CEO lost his job. And Russian intelligence was able to extract large amounts of information from classified U.S. networks -- which are not supposed to touch the Internet -- simply by infecting the thumb drives that soldiers were using to move data from one system to the next. Joel Brenner, former head of counterintelligence for the Office of the Director of National Intelligence, estimates in his new book, America the Vulnerable, that billions of dollars in research and design work have been stolen electronically from the Defense Department and its contractors.

In short, even the best security experts in and out of government cannot protect their own most precious secrets from network attacks. But the attackers need not stop at stealing secrets. Once they're in, they can just as easily sabotage the network to cause the "irreparable" damage that electric-grid guardians fear.


Stewart Baker is a former official at the U.S. Department of Homeland Security and the National Security Agency. He practices law at Steptoe & Johnson in Washington and is the author of Skating on Stilts: Why We Aren't Stopping Tomorrow's Terrorism. This article will kick off a debate between Stewart Baker and Maj. Gen. Charles Dunlap over the role of law in cyberwar, to be published soon in an American Bar Association book titled Patriot Debates 2.

WIZEBEE

1:56 AM ET

October 1, 2011

Hacked to death

Hackers are a big problem for many countries. The risks are very high when basic necessities are also controlled by computer networks. If someone can get hold of your company network, you lose all your data and, ultimately, business and money. Making networks safe is emerging as one of the several small business opportunities. People are scared and they don't want to take risks. There should be better legislation for this menace.

 

ZOIDBERG

7:50 AM ET

October 1, 2011

If you "lose all your data"

If you "lose all your data" it's probably because you neglected to keep regular backups in a physically separate (and off-line) location.

Yes, there are real threats and real hackers out there, including some employed by foreign militaries... But much of the fear-mongering myth of the omnipotent super-hackers comes from businesses skimping on basic security practices, and then seeking a scapegoat after things have blown up.

 

TRUEOZ

3:34 AM ET

October 3, 2011

Legislation won't help

Lawyers are out of their depth when it comes to hacking. Why anyone thinks that making a new law will deter a seriously committed criminal is beyond me. There are already many laws that make hacking illegal in many, many countries - but new laws never turn committed criminals into law-abiding citizens - the payoffs in the world we now live in are far too great.

We will see a lot more of this type of crime in the coming years. As any SEO-savvy person knows, there are plenty of places on the internet where you can learn hacking skills for free. In due course, hacking activities will be supported by real physical violence, simply to obtain login details and other usable information. It seems to me that the answer to this problem lies in better technologies - not new laws.

Despite what they think, lawyers cannot solve every problem with new legislation.

 

ZOIDBERG

7:40 AM ET

October 1, 2011

War on teenagers?

The escalation of WW2 bombing happened when those countries were at war already. An inappropriate example, because the difficult legal question about cyberwar is not what you can or cannot do when already at war. The questions are: When should cyberwar be escalated? And how to prevent cyberwar from escalating into "old-fashioned" war?

To phrase it more succinctly: Do you want to grant some mid-level military folks the power to start (cyber)war against China -- in retaliation to acts quite possibly committed by some bored Chinese teenager?

Because that is the lesson from the hack of "respected" HBGary. (If they were worthy of respect as security professionals, why were they hacked that easily?) It was apparently done by a bunch of kids. Conjuring up the need for unleashed cyberwar over this is nothing but scaremongering.

The other thing about HBGary: It was probably done by someone domestic. (The hack apparently applied "social engineering" techniques, which are so much more difficult across cultural and lingual boundaries.) Should the US military busy itself with persecuting US citizens on US soil?

 

RES IPSA

3:10 AM ET

October 2, 2011

Paying Tribute to Reason

This is the kind of article I expect to see on one of the headline news networks' websites, not on FP. Mr. Baker is correct, lawyers do not win wars. Nor do they lose them. What they do is serve as a vanguard for the values and ideals that make our nation great, the same values and ideals that make wars worth the sacrifice. Cyberwar is a very real threat to this country because we are behind China and even some of the criminal organizations in Eastern Europe when it comes to talent and capacity to operate on the networks, not because we are struggling to carry out cyber operations that fall within the norms of LOAC. Mr. Baker makes numerous conclusory statements then launches into an interesting analogy of air power in WWII. While the comparison to airpower can be helpful, it fails on so many levels that it is more dangerous than useful unless more thoroughly discussed. Of this WWII airpower strategy to which Mr. Baker refers, General Curtis LeMay said “There are no innocent civilians. It is their government and you are fighting a people, you are not trying to fight an armed force anymore. So it doesn't bother me so much to be killing the so-called innocent bystanders.” Is that the mindset we should be looking back to and striving to achieve in our cyber operations? The reality of military history is that the significance of lawful military conduct has an inverse relationship with the stakes of the conflict. When the very survival of a nation is at stake, laws are likely to give way to necessity. Inter arma enim silent leges. But hopefully as we progress as a civilization we realize that we can win armed conflicts without sacrificing basic rights and values on the altar of war. As Justice Jackson so eloquently said, “The judgment of the law is one of the most significant tributes that power has ever paid to reason.”

 

CHRISAK

1:37 PM ET

October 2, 2011

Patience is worth it

As in every field of warfare, balances must be developed between conflicting goals. This article makes it sound on the surface as if the law were primarily a hindrance. I'm sure the devil is in the details--and I'm sure legalism can be excessive. BUT insistence on the law is a good first reflex and a good rule of thumb, often enough: it is not a luxury of the civilized; it is a sophistication of complex decision processes. It enables better security decisions in the long run while preserving other interests as well.

 

OSBEP

12:20 PM ET

October 3, 2011

Those Meddling Lawyers...

And while we have their attention:
1. Why are we letting lawyers keep us from full-fledged torture of criminals and detainees when it might give us information helpful to national security?
2. When will lawyers realize they have no business telling police officers they shouldn't search cars and houses without a warrant when such searches might help solve crimes?
3. Finally, when will lawyers stop being a pain in the ass of every platoon leader who understands that sometimes it's necessary to decimate the civilian population of an enemy village in order to get that ONE insurgent he knows is hiding among them?

For heaven's sake, can we at least pretend we still have some sort of national moral platform that doesn't buckle every time national security is threatened. If Machiavellian mentality prevailed over the rule of law then the Cold War wouldn't have ended with the fall of the USSR, it would have ended in a nuclear winter.

Also, @ Trueoz, little known fact about Republics in general: it's actually lawMAKERS, not lawyers, that create new laws through legislation. I know, an easy mistake to make, but seeing as how we VOTE for lawmakers and lawyers are just professionals enforcing existing laws some might say it's an important distinction.

 

YARINSIZ

8:22 PM ET

October 28, 2011

We will see a lot more of

We will see a lot more of this type of crime in the coming years. As any SEO-savvy person knows, there are plenty of places on the internet where you can learn hacking skills for free. In due course, hacking activities will be supported by real physical violence, simply to obtain login details and other usable information. It seems to me that the answer to this problem lies in better technologies - not new laws.