8 July 1998
Source: Hardcopy The Washington Post, July 8, 1998 pp. A1, A10

Cyberwar: A New Weapon Awaits a Set of Rules

Military, Spy Agencies Struggle to Define Computers'
Place in U.S. Arsenal

By Bradley Graham
Washington Post Staff Writer

Intent on developing more powerful weapons for penetrating
enemy computer networks, U.S. military and intelligence
authorities are struggling to define new rules for deciding when
to launch cyber attacks, who should authorize and conduct
them and where they fit into an overall defense strategy.

Not since the advent of nuclear bombs half a century ago
have national security officials confronted weapons with such
potential to alter the means for waging war, according to those
involved in the planning. But the consequences of their use
remain largely unexamined and problematic.

The full extent of U.S. offensive capabilities is among the
most tightly held national security secrets. According to
various accounts, the government has explored ways of
planting computer viruses or "logic bombs" in foreign
networks to sow confusion and disruption. It has considered
manipulating cyberspace to disable an enemy air defense
network without firing a shot, shut off power and phone
service in major cities, feed false information about troop
locations into an adversary's computers and morph video
images onto foreign television stations.

Pentagon officials say they are at an early stage of thinking
about the various applications for cyber weapons and the
legal, ethical and operational consequences of employing
them. But because of secrecy concerns, many of the
programs remain known only to strictly compartmented
groups, inhibiting the drafting of general policy or specific
rules of engagement.

"It's a little bit like medical ethics," said a high-ranking
Defense Department official who requested anonymity. "The
technology gives you the capabilities that go a lot further than
the ethical context for using them sometimes. This is a very
tough area."

A presidential decision directive last month outlining a plan for
raising U.S. defensive barriers against computer attack made
no mention of the offensive side of the issue. Senior
administration officials say no presidential directive about
offensive capabilities is even in the works that might help
resolve definitional and operational differences between the
Pentagon and intelligence agencies.

Similarly, Congress has held next to no public debate on the
direction the United States should be heading in inventing
cyber weapons, writing guidelines for their use or weighing the
potential international repercussions of unleashing them. At a
Senate hearing last month that focused on the vulnerability of
America's own information systems to unauthorized entry,
Sen. Carl M. Levin (D-Mich.) gingerly ventured a question
about whether the United States is developing offensive
capabilities. In a one-sentence reply, George J. Tenet, the
director of central intelligence, said the nation can rest assured
that "we're not asleep at the switch in this regard."

"It's my sense that the policy in this area is at a fairly
immature stage of development," said a Senate staff member
with oversight responsibility. "But part of the problem in
discussing information operations is that whenever you get
into the offensive stuff, you very quickly run into a security
brick wall. The Defense Department has next to nothing to
say about this in an unclassified form."

For all the heightened interest in cyber warfare, specialists
cautioned that yawning gaps exist between what the
technology promises and what practitioners can deliver.
Large-scale computer attacks require an extraordinary amount
of detailed intelligence about a nation's hardware and software
systems, as well as about the habits and decision-making
processes of foreign political and military authorities.
Moreover, cyber operations can become unwieldy.

"Frequently, we like to think of electronic attack as the
ultimate in precision weapons," said Vice Adm. Arthur K.
Cebrowski, a leading Navy authority on the subject. "But
these are not necessarily very precise instruments."

Further, much still is unknown about how a major cyber
attack would play out.

"We don't understand the cascading effects on
decision-making of what providing defective data to an enemy
may mean," said a colonel responsible for the Air Force's
information warfare plans. "That's a hard thing to model."

Other critical questions surround these largely untested
weapons, according to experts inside and outside government.
Given their broad destructive potential, for instance, should
cyber weapons be treated the way nuclear bombs have been
and placed under a special military command authority, similar
to the Strategic Command that manages targeting plans for the
U.S. atomic arsenal?

When should the United States justifiably consider taking
down chunks of the information infrastructure of a foreign
country? What are the risks of inviting retaliation against U.S.
computer networks?

How should intrusions into foreign systems be conducted in
peacetime for the benefit of intelligence gathering, and when
does such passive snooping -- which often involves the same
computer techniques as offensive action -- cross some
boundary into outright aggression?

"What constitutes an act of war in this area? It's never been
made clear," said Brenton C. Greene, a former Pentagon
specialist in information operations who served on the
presidential commission that studied U.S. vulnerabilities last
year. Several government sources also spoke of an ongoing
interagency dispute over when a cyber break-in requires
special presidential approval, with the intelligence community
arguing the need for the White House to sign off on such
covert actions but the Pentagon preferring to view some of its
peacetime cyber operations less formally as "prepping the

By traveling across global networks and flitting in and out of
countries without assuming a physical presence, cyber
warriors pose a new challenge to old notions of national
sovereignty. Their assaults on societal information networks
blur traditional distinctions between military and civilian

Michael McConnell, a retired three-star admiral who stepped
down two years ago as head of the National Security Agency,
said he knows more than a dozen people who could "do major
damage" to a nation by mounting a computer attack with just
a few weeks of preparation.

"The question is, what's the legal framework for some of
these things?" said Dan Kuehl, a former Air Force officer who
now heads the National Defense University's department of
information operations. "The answer is, we don't know."

Senior Defense Department officials say they are attempting
to define what classes of targets might be appropriate for
cyber weapons and sorting out the legal issues with Justice
Department and intelligence community officials.
Congressional sources also report that the House and Senate
intelligence committees have pressed behind closed doors for
greater clarity in the kinds of cyber operations under
consideration and for improved coordination between the
Pentagon, CIA and FBI to keep their hackers from tripping
over one another in cyberspace abroad.

The Pentagon has restructured units under the Office of
Secretary of Defense and on the Joint Staff to give greater
attention to offensive as well as defensive computer
operations. And regional military commanders have been
instructed to review their war plans for ways in which cyber
weapons can be substituted for conventional munitions.

"That's causing some pretty aggressive thinking about how
they might be able to go after some targets with electrons
instead of iron bombs," said one informed congressional staff

Last year, military and intelligence officials overcame turf
concerns and set up a joint Information Operations
Technology Center at the National Security Agency, the
supersecret organization responsible for spying on foreign
communication networks. But there appears to be little
inclination on the part of senior Pentagon officials to establish
a special command for conducting cyber operations.

"I don't think there's a special requirement to create a special
process to deal with cyber weapons," said a general on the
Pentagon's Joint Staff. "Clearly, the basic processes for getting
approval are in place, the same ones we use for execution of
any military plan."

Ultimately, U.S. defense officials envision using cyber
weapons as much to forestall conflict as to wage war. They
see computer tools as part of a larger package of "information
operations" -- including more traditional psychological
operations, electronic warfare measures and deception actions
-- that can be applied in conjunction with diplomatic efforts to
help dissuade a potential opponent from fighting.

This notion was tested in a pioneering series of military
exercises in 1996 and 1997 dubbed Evident Surprise and run
by Marine Gen. John Sheehan, who headed the Atlantic
Command. As perhaps the most energetic four-star proponent
of information operations until his retirement last autumn,
Sheehan also held periodic Saturday meetings on the
Washington campus of the National Defense University with a
group of top Pentagon and intelligence officials, pressing them
for clearer policy guidance.

In one scenario posed by Sheehan two years ago, with striking
parallels to the present, India and Pakistan were assumed to
have acquired nuclear capabilities and were preparing to use
them. The United States also was assumed to have gained
access to the information systems of both nations.

"I said to the group, as a matter of policy, do you want to alter
their command and control capability to the point where
neither side has a clear picture of the battlefield, thereby
preempting their use of nuclear weapons?" Sheehan
recounted. "Who decides? We never got an answer to that

© Copyright 1998 The Washington Post Company