The international community urgently needs to establish legal norms when it comes to computer and online crimes to help define and deter a problem that is escalating in severity, cyber security experts say.
A bipartisan commission examining the nation ' s cybersecurity infrastructure concluded this week that the next president needs to clearly articulate the value of the nation ' s cyber d omain . Of course, many groups are already looking at the issue, from NATO, which is focused on military applications, and the Department of Homeland Security to the European Union.
But the commission urged action from the White House directly. " The president should state as a fundamental principle that cyberspace is a vital asset for the nation and that the United States will protect it using all instruments of national power, in order to ensure national security, public safety, economic prosp erity, and the delivery of critical services to the American public. "
Of course, just the act of codifying cyberattacks, cybercrimes, or cyberwar would do little to physically prevent them from happening , says Jonathan Zittrain, a law professor at Harvard University and author of The Future of the Internet and How to Stop It. But it could have a deterrent effect, establishing a legal basis for punishing states that sponsor such incidents.
Two years ago, military officials reported that China had downloaded between 10 and 20 terabytes of information from Pentagon computers — a volume of data equivalent to twice the number of printed pages in the Library of Congress. The Chinese government has routinely denied all allegations of espionage , and P entagon officials aren ' t saying if they believed the Chinese government or simply hackers based in or routed through China were responsible.
In many countries, breaking into a computer network and copying files is no different from physically stealing paper documents from an office desk. But c ould such cyberattacks be consider ed an act of war, equivalent to attacking a pair of destroyers off the coast of Asia or striking a group of battle s hips at anchor in Hawaii ?
The U.S. military , meanwhile , lacks a formal doctrine on offensive military operations in cyberspace, although the Bush administration is " racing " to finalize such a policy before it leaves office, says one person familiar with the White House ' s work on the issue.
In the past few years, there has been a flood of attacks against U.S. computer assets, including classified and unclassified military networks and business and commerce sites, not to mention personal computers. Coordinated cyberattacks against Georgia , which coincided with Russian military action, and Estonia have raised even more concerns about what role cyberattacks could play in future conflicts.
Online assaults have also been mounted against America ' s enemies, including al Qaeda. For days before the anniversary of the 9 / 11 attacks this year, coordinated attacks were carried out against several websites known for posting messages from al Qaeda ' s leadership. Al Qaeda ' s anniversary message did eventually make its way onto the N et , but only days later.
No one claimed responsibility for the al Qaeda site attacks, and they could have simply been the work of vigilante computer experts, hackers, or other players entirely.
That's another vexing aspect of cyberattacks—they are often conducted across multiple national borders, making it very difficult to affix blame. For instance, some of the computers used (unwittingly) in the cyberattacks against Georgia were based in the United States, among other places, computer security experts say.
There are three central issues with which the international legal community must grapple as the debate continues, says James Lewis, the project director of the Commission on Cybersecurity of the 44th Presidency, which issued its report this week. Each country might have different answers, but the questions will be universal.
- At what point does a cyberattack constitute an act of war or a violation severe enough to justify a response?
- How do we protect the civil liberties of the Internet-using public while improving security?
- Which legal authorities will assume responsibility for investigating a cyberattack—the intelligence community, the military, or law enforcement?
The debate over codifying cyberattacks, Lewis points out, echoes some debates over terrorism, including whether it should primarily be a law enforcement or military concern and how to respond to attacks by state-sponsored actors.
- Read about the recent cyberattack on a U.S. military base in Afghanistan.
- Read more about the cybersecurity commission.
- Read more about terrorism.