washingtonpost.com

Bush Orders Guidelines for Cyber-Warfare
Rules for Attacking Enemy Computers Prepared as U.S. Weighs Iraq Options

By Bradley Graham
Washington Post Staff Writer
Friday, February 7, 2003; Page A01

President Bush has signed a secret directive ordering the government to develop, for the first time, national-level guidance for determining when and how the United States would launch cyber-attacks against enemy computer networks, according to administration officials.

Similar to strategic doctrine that has guided the use of nuclear weapons since World War II, the cyber-warfare guidance would establish the rules under which the United States would penetrate and disrupt foreign computer systems.

The United States has never conducted a large-scale, strategic cyber-attack, according to several senior officials. But the Pentagon has stepped up development of cyber-weapons, envisioning a day when electrons might substitute for bombs and allow for more rapid and less bloody attacks on enemy targets. Instead of risking planes or troops, military planners imagine soldiers at computer terminals silently invading foreign networks to shut down radars, disable electrical facilities and disrupt phone services.

Bush's action highlights the administration's keen interest in pursuing a new form of weaponry that many specialists say has great potential for altering the means of waging war, but that until now has lacked presidential rules for deciding the circumstances under which such attacks would be launched, who should authorize and conduct them and what targets would be considered legitimate.

"We have capabilities, we have organizations; we do not yet have an elaborated strategy, doctrine, procedures," said Richard A. Clarke, who last week resigned as special adviser to the president on cyberspace security.

Bush signed the order, known as National Security Presidential Directive 16, last July but it has not been disclosed publicly until now. The guidance is being prepared amid speculation that the Pentagon is considering some offensive computer operations against Iraq if the president decides to go to war over Baghdad's chemical, biological and nuclear weapons development programs.

"Whatever might happen in Iraq, you can be assured that all the appropriate approval mechanisms for cyber-operations would be followed," said an administration official who declined to confirm or deny whether such planning was underway.

Despite months of discussions involving principally the Pentagon, CIA, FBI and National Security Agency, officials say a number of issues remain far from resolved. "There's been an initial step by the president to say we need to establish broad guidelines," a senior administration official said. "We're trying to be thorough and thoughtful about this. I expect the process will end in another directive, the first of its kind in this area, setting the foundation."

The current state of planning for cyber-warfare has frequently been likened to the early years following the invention of the atomic bomb more than a half-century ago, when thinking about how to wage nuclear war lagged the ability to launch one.

The full extent of the U.S. cyber-arsenal is among the most tightly held national security secrets, even more guarded than nuclear capabilities. Because of secrecy concerns, many of the programs remain known only to strictly compartmented groups, a situation that in the past has inhibited the drafting of general policy and specific rules of engagement.

In a first move last month to consult with experts from outside government, White House officials helped arrange a meeting at the Massachusetts Institute of Technology that attracted about 50 participants from academia and industry as well as government. But a number of participants expressed reservations about the United States engaging in cyber-attacks, arguing that the United States' own enormous dependence on computer networks makes it highly vulnerable to counterattack.

"There's a lot of inhibition over doing it," said Harvey M. Sapolsky, an MIT professor who hosted the Jan. 22 session. "A lot of institutions and people are worried about becoming subject to the same kinds of attack in reverse."

Government officials involved in drafting the new policy insist they are proceeding cautiously, recognizing the risks of crossing the threshold into cyber-warfare and acknowledging the difficulties still inherent in trying to model how a major cyber-attack might play out. By penetrating computer systems that control the communications, transportation, energy and other basic services in a country, cyber-weapons can have serious cascading effects, disrupting not only military operations but civilian life.

"There are questions about collateral damage," Clarke said. As an example, he cited the possibility that a computer attack on an electric power grid, intended to pull the plug on military facilities, might end up turning off electricity to hospitals on the same network.

"There also is an issue, frankly, that's similar to the strategic nuclear issue which is: Do you ever want to do it? Do you want to legitimize that kind of weaponry?" Clarke added.

A sign of the Pentagon's commitment to developing cyber-weapons was its decision in 1999 to assign responsibility in this area to a command under a four-star general -- at the time, Space Command, which last year merged into Strategic Command. In addition, a special task force headed by a two-star general has been established to consolidate military planning for offensive as well as defensive computer operations.

Maj. Gen. James David Bryan, who heads the Joint Task Force on Computer Network Operations, said his group has three main missions: to experiment with cyber-weapons in order to better understand their effects; to "normalize" the use of such weapons, treating them "not as a separate entity" but as an integral part of the U.S. arsenal; and to train a professional cadre of military cyber-warriors.

The Pentagon's general counsel also attempted four years ago to establish some legal boundaries for the military's involvement in computer attack operations, issuing a 50-page document that a senior defense official said in a recent interview remains "the basic primer" on the subject. It advised commanders to apply the same "law of war" principles to computer attacks that they do to the use of bombs and missiles -- namely, the principles of proportionality and discrimination.

This means hitting targets that are of military necessity only, avoiding indiscriminate attacks and minimizing civilian damage. So, for instance, sending a computer virus through the Internet to destroy an enemy network would be ruled out as too blunt a weapon, the senior defense official said.

One challenge that the Pentagon has been facing in exercises simulating computer attacks is getting military commanders to specify just what effects they would hope to achieve with a cyber-weapon.

"In the beginning, when we would ask, 'What do you want us to do for you,' the answer would come back very general," Bryan said. More recently, Bryan added, the stated objectives have become more specific, which has helped in designing more precise cyber-weapons.

Even so, effective and predictable computer attacks depend heavily on detailed intelligence about enemy networks and access to them. For all the heightened attention to cyber-warfare, specialists contend large gaps exist between what the technology promises and what practitioners can deliver.

"This whole area still leaves a lot to the imagination in terms of what can be done," said John P. Casciano, a retired two-star general who supervised Air Force computer operations.

Given the newness of the weapons, their potential power and the uncertainty about how they would work, the Pentagon's Joint Staff has issued classified "rules of engagement" that strictly require top-level approval for any cyber-attack.

© 2003 The Washington Post Company