Getting it right: protecting American critical infrastructure in cyberspace.

Author: Condron, Sean M.

TABLE OF CONTENTS

  I. INTRODUCTION
  II. DEFENSE AND SECURITY: A BLURRED DISTINCTION
  III. THE CYBERSPACE THREAT AND INTERNATIONAL LAW
    A. Use of Force in Cyber Self-Defense
    B. Conditions for the Use of Force in Cyber Self-Defense
  IV. CYBER WARFARE AND CIVIL LIBERTIES
    A. Reversing the Presumption
    B. Impact of the Posse Comitatus Act
  V. CONCLUSION

THE DOGMAS OF THE QUIET PAST ARE INADEQUATE TO THE STORMY PRESENT. THE OCCASION IS PILED HIGH WITH DIFFICULTY, AND WE MUST RISE TO THE OCCASION. AS OUR CASE IS NEW, SO WE MUST THINK ANEW AND ACT ANEW. (1)

WHERE ONCE OUR OPPONENTS RELIED EXCLUSIVELY ON BOMBS AND BULLETS, HOSTILE POWERS AND TERRORISTS CAN NOW TURN A LAPTOP COMPUTER INTO A POTENT WEAPON CAPABLE OF DOING ENORMOUS DAMAGE. IF WE ARE TO CONTINUE TO ENJOY THE BENEFITS OF THE INFORMATION AGE, PRESERVE OUR SECURITY, AND SAFEGUARD OUR ECONOMIC WELL-BEING, WE MUST PROTECT OUR CRITICAL COMPUTER-CONTROLLED SYSTEMS FROM ATTACK. (2)

  1. INTRODUCTION

    The attacks of September 11, 2001 highlight the deadly intent of our adversaries and the nation's vulnerability to "different, unorthodox, and unimaginable" threats. (3) Due to the low cost and wide availability of computers, cyber attacks (4) are an attractive method of warfare. (5) Unlike traditional military weapons, an adversary can use a personal computer, which can be purchased almost anywhere for a few hundred dollars, to accomplish a military objective. (6) In 2003, the Computer Emergency Response Team Coordination Center received reports of 137,529 "incidents." (7) Attacks against network systems have become so common that, in 2004, the Computer Emergency Response Team stopped maintaining statistics showing the number of "incidents." (8) In 2004, the Congressional Research Service estimated that the economic impact of cyber attacks in the United States was $226 billion. (9)

    Cyber attacks can originate from a number of sources. Michael Vatis, former head of the Institute for Security Technology Studies at Dartmouth College, has identified four categories of threats: terrorists, nation-states, terrorist sympathizers, and thrill seekers. (10) Of these threats, nation-states likely have the greatest capabilities and resources. For example, in the years ahead, the United States will probably face an evolving cyber threat from China. In particular, China is integrating "information warfare units" into its military operations that have the capabilities for "first strikes against enemy networks." (11) In August 1999, China launched several cyber attacks against Taiwan, initiating a "public hacking war" with the disputed island. (12) China may have attacked United States federal government computer systems in the past. (13) Nation-states, however, probably will not attempt major cyber attacks, unless they are a precursor to military action, because of the potential severity of the response. Nation-states have territory, property, and citizens to protect, all of which would be jeopardized if a nation-state were to conduct a major cyber attack.

    Thrill seekers are a minor threat because they are generally driven by a desire to show off their skills, rather than a desire to destroy. (14) While they are certainly capable of causing some serious problems, both the media and self-promoters from this group have overstated their actual menace. (15)

    Cyber terrorists may not have a robust ability to conduct large cyber attacks on critical infrastructure, but they are probably far more likely to try than other actors. (16) Cyber terrorists do not face the repercussions that nation-states would and probably have more destruction-oriented agendas than thrill seekers. Despite this concern, there have been no known attempts to stage such an attack by any major terrorist group. (17) According to Dorothy Denning, a professor of computer science at the Naval Postgraduate School, "[t]errorists have not yet integrated information technology into their strategy and tactics, and significant barriers between hackers and terrorists may prevent their integration into one group." (18) There are indications, however, that Al Qaeda and other terrorist groups are seeking to expand their capabilities in this area, perhaps by forging connections with hacker groups. (19) Michael Vatis argues that terrorist sympathizers are the most likely group to launch a cyber attack. (20) Unlike the other groups, these individuals do not necessarily lack the technological ability or incentives. As a demographic, they are hackers with not only the knowledge and ability to conduct a cyber attack, but also a cause shared by terrorist groups like Al Qaeda. (21)

    The United States federal government has focused an unprecedented amount of attention, time, and financial resources on the threat from weapons of mass destruction (22) and terrorism. (23) The White House, recognizing the growing threat of cyber attacks and the importance of protecting cyberspace, (24) has designated the Department of Homeland Security as the lead agency for addressing this threat. (25)

    The government's approach to protecting cyberspace focuses on the concept of "critical infrastructure." The USA PATRIOT Act of 2001 defines critical infrastructure as the "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." (26) Critical infrastructure includes the following sectors: agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemical industry and hazardous materials, and postal and shipping. (27) Both government and private entities own and operate the critical infrastructure in the United States. (28)

    Critical infrastructure is by definition essential for the survival of the nation. (29) Networked computer systems form the nerve center of the country's critical infrastructure. (30) The private sector is largely unable to adequately protect these computer systems and networks from major military and terrorist threats. (31) Civilian networks are often more vulnerable to attack than the Department of Defense network. (32) However, military networks are also vulnerable because they depend extensively on civilian networks for connectivity and transferability of information. (33) The well-being of the nation depends on a safe and secure cyber environment for its critical infrastructure. (34) Therefore, protection of the computer systems and networks supporting critical infrastructure in the United States should be the federal government's responsibility. (35)

    Despite the magnitude of this threat, the United States currently operates under the presumption that a cyber attack constitutes a criminal activity, not a threat to national security. (36) Because law enforcement investigations that require the methodical collection of evidence are often protracted and resource-intensive, typically taking days, weeks, or even months, this presumption may result in a very slow response that may come too late to confront a cyber attack successfully. (37) A delayed response to a cyber attack on the nation's critical infrastructure may result in lives lost and massive damage. (38) For these reasons, the response should be nearly simultaneous with the attack itself. (39)

    It may thus be preferable to approach cyber security as a threat to national security rather than as a criminal matter. This change would raise at least three issues. First, it may be necessary to revisit and clarify the government's current distinction between homeland security and homeland defense as applied to cyberspace. Second, this change requires consideration of the jus ad bellum paradigm that controls a state's self-defense response against a cyber attack. Finally, the delicate balance between national security interests and civil liberties should be considered in developing a strategy for responding to cyber attacks. This Article presents a framework for addressing these issues.

  2. DEFENSE AND SECURITY: A BLURRED DISTINCTION

    Following September 11, 2001, the executive branch made a policy decision to distinguish homeland security from homeland defense. (40) Homeland security has been defined as a "concerted national effort to prevent terrorist attacks within the United States, reduce America's vulnerability to terrorism, and minimize the damage and recover from attacks that do occur." (41) In contrast, "[h]omeland defense is the protection of US sovereignty, territory, domestic population, and critical defense infrastructure against external threats and aggression, or other threats as directed by the President." (42) The Department of Homeland Security is the federal agency in charge of homeland security while the Department of Defense is the lead federal agency for homeland defense. (43)

    Such a distinction between defense and security poses several problems in the context of cyberspace. The first problem is that the distinction relies on a poor choice of words: defense and security are commonly understood to be synonymous. (44) Applying synonymous terms to two different concepts can lead to confusion. The Department of Homeland Security's National Response Plan exacerbates this confusion by creating categories that imply a distinction between cyber security of the United States and cyber defense of the United States without delineating the difference between the two. (45)

    The second problem is that the executive branch has failed to clearly distinguish between defense and security. As previously defined, homeland security focuses on terrorist attacks within the United States, while homeland defense focuses on external threats and aggression towards the sovereignty, territory, domestic population, and critical defense infrastructure of the United...
