Without a road map on network connections, a cyberattack could take down friends' and foes' systems.
Collateral damage is the fearsome, official-sounding name we use to describe the ripple effects of war. It traditionally describes some of the ugliest parts of combat: civilian casualties, communities destroyed, sacred grounds reduced to rubble.
Network warfare, on the other hand, has a different connotation. There are no deafening explosions or horrifying images flitting across the TV screen.
Collateral damage doesn't become palpable in the context of electronic warfare until a cyberattack shuts down a major banking system or a maneuver deep inside a government network spurs a physical retaliation.
Collateral damage "is the biggest constraint on using a cyberattack,” said James Lewis, director of the Center for Strategic and International Studies' Technology and Public Policy Program. “We don’t have a good map of how networks connect,” he added. For example, an attack on North Korea could damage Japan or China, or an attack on Serbia’s banking system could undermine other European countries.
Or as Vice Adm. Bernard McCullough, commander of the Navy Fleet Cyber Command, described in a theoretical scenario: A U.S. cyberattack on Country X could require dismantling the router box of Country Y — and then we could discover that the financial data of our close ally, Country Y, is stored in the same router box.
“Is that an acceptable amount of collateral damage?” McCullough asked. It’s a rhetorical question because nobody knows what could happen next.
Concerns about network warfare’s peripheral effects might be rooted in the ambiguity of how to handle cyberattacks and the delicate diplomatic concerns those attacks create. Technology develops rapidly, and the laws that govern cyberspace are not up to speed. Even the highest-level officials aren’t sure what to make of the situation.
Lt. Gen. Keith Alexander, President Barack Obama’s nominee to lead the new Cyber Command, told Congress that cyber warfare is changing so fast that there is a “mismatch between our technical capabilities to conduct operations and the governing laws and policies.”
Congress is taking a closer look at cyber warfare and the damage it could potentially cause — damage that hasn’t necessarily been considered before.
“This policy gap is especially concerning because cyber weapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects,” said Sen. Carl Levin (D-Mich.), chairman of the Senate Armed Services Committee, according to a New York Times report.
The Defense Department hasn’t caught up either. DOD does not have formal guidance for responding to cyberattacks on civilian institutions, such as banks, power grids, financial networks and telecommunications, Marc Rotenberg, executive director of the Electronic Privacy Information Center, told TechNewsWorld.
Rotenberg said it’s not a new issue. In 2003, a directive from President George W. Bush called for a freeze on billions of dollars in Iraqi assets to prevent the country from buying war supplies or paying its troops. But the plan was abandoned when the collateral damage was considered. The effects of the freeze could have extended beyond Iraq and resulted in worldwide financial havoc.
DOD considers similar problems as it prepares to launch the Cyber Command in September and the military services establish their respective cyber agencies. But answers to the question of how the department should mitigate damage from cyber operations vary, depending on whom you ask.
Some say the challenges aren’t that different from those of traditional combat.
“In the battlefield, [soldiers] have to figure out how to jam an IED but not jam their own communications," said David Weddell, assistant deputy chief of naval operations for information dominance. "It continues to be a problem. I would challenge industry to help find a solution."
Lewis said it’s DOD’s responsibility to ensure the public’s safety amid cyber war. “DOD needs to do a lot more work on modeling the consequences of a cyberattack — the way we have done for other weapons,” Lewis said, adding that the department needs “advanced reconnaissance before any attack, and it needs to make sure that it is the civilian political leadership that authorizes a strike.”