War Logs On: Girding America for Computer Combat

Some call the NATO intervention in Kosovo a victory (the deportees were returned, and NATO suffered no casualties). Others call it a failure (thousands of ethnic Albanians were killed, and thousands of Serbs were left homeless). But there is another way to think about Operation Allied Force: it was the first time the United States went to war since Netscape went public.

An odd yardstick? Not really. We are in the computer age now, and Kosovo was the first major military operation that required U.S. leaders to decide whether, when, and how to use a new form of warfare: computer network attack. Computer warfare (to use a less technical term) is a byproduct of the information revolution. The explosive growth of electronic devices and communications networks has created a new way for armies to strike their opponents.

U.S. forces reportedly planned several computer warfare operations during Operation Allied Force. Some appear to have been successful, some clearly failed, and still more were aborted for a variety of reasons. But even these early efforts have raised issues that are bound to become increasingly important. Should the United States conduct computer war? Should certain targets be off-limits? Who should be responsible for taking warfare on-line? Is America prepared? These questions were quietly debated during the last decade within the White House, the Pentagon, the State Department, and the intelligence community. But without answers, the United States could fall behind in a critical new dimension of military power. Moreover, the broad issues of computer warfare must be debated openly, because U.S. policy will depend heavily on public and industry support.

AN ELECTRONIC PEARL HARBOR?

Computer warfare first emerged from classified circles in the mid-1990s, when U.S. officials warned that terrorists and hostile countries might someday attack American computers and communications systems. Their concerns were genuine, but these alerts about an "electronic Pearl Harbor" did not give the full picture. In fact, U.S. defense experts have been as intrigued by the prospect of attacking an opponent's computer networks as they have been worried that someone might attack their own. Officials recently began to talk openly about such offensives because several developments made the opportunities obvious and irresistible.

First, armies everywhere now depend on computers more than ever. Dependence implies vulnerability, and to military thinkers, vulnerability implies opportunity. Those who remember the War Room and the Big Board from Dr. Strangelove are familiar with the computer networks used in command-and-control systems, but that is just one, highly visible military application of computing technology. Computers have worked their way into every aspect of the world's armed forces. Modern military organizations need massive data-management systems for logistics, computers to process intelligence and plan operations, and paperless, computer-based systems to design and manufacture weapons. All these computers and the networks that connect them are potential targets.

Second, civilian society depends more on computer networks, too, and these networks are even more vulnerable than military systems. A strike on the computers that support a country's civilian infrastructure could, at least temporarily, leave its people shivering in the dark. Such a salvo could also cripple a country's military forces, which usually depend heavily on commercial transportation and communications systems.

Third, modern telecommunications are linking computer systems throughout the world. In principle, any data-processing device linked to a communications network (and often even those that are not) is vulnerable to attack. Futurists often joke that someday even household appliances will be connected to the Internet. When that happens, your Cuisinart will be a potential target for computer network attack.

Meanwhile, weapons for computer warfare -- like most other information technologies today -- keep getting better. During Operation Desert Storm, U.S. forces reportedly dumped bogus data into Iraq's air-defense computers by having troops tap into land-based phone lines. In Kosovo, the same job was done from aircraft, and the Pentagon reportedly has plans for satellites that could launch such strikes. Today military forces use lasers and microwaves to stun or dazzle their adversaries' electronic equipment. Tomorrow they might modulate these energy waves to insert actual data into computer networks from afar. And as all these weapons improve, military thinkers are also developing better strategies and tactics to deceive, confound, and confuse their opponents.

Unfortunately, many U.S. officials still think computer warfare is an exotic option reserved for special occasions. They should look further ahead. As computer networks continue to spread throughout armies and societies, both will become more vulnerable to attack. Striking an opponent's information systems will no longer be novel; it will simply be an obvious way to win a war. The United States must understand both how to defend itself and how to use this new kind of warfare effectively.

WAR GAMES

Accounts of U.S. information operations in Kosovo -- even the government's own -- describe confusion and poor planning. For example, U.S. commanders reportedly considered attacking computer systems that controlled public utilities in Serbia but refrained because they feared it would be illegal, immoral, and harmful to civilians. Other reports say that Clinton administration officials proposed hacking into the computer systems of banks in Russia, Greece, and Cyprus where Serbian elites had stashed funds. The officials thought they could steal the money electronically and thereby pressure Serbian leaders. The operation was canceled after other officials called the plan half-baked. (After all, banks keep backup records, so the scam would have failed and, in the process, exposed America's ability to penetrate computer systems.)

Part of the problem was simply that computer warfare is new, and the Pentagon is still learning how to use it. But U.S. officials and military commanders clearly slipped. A Defense Department report after the war concluded, with traditional military understatement, that the "conduct of an integrated information operations campaign against Yugoslavia was delayed by the lack of planning and strategic guidance defining key objectives" -- this in a report that lavished praise on almost every other aspect of the NATO operation. Admiral James Ellis, the commander of the U.S. component of the NATO air campaign, put it more bluntly, calling the allies' poorly planned information operations "perhaps the greatest failure of the war."

Unfortunately, post-Kosovo efforts to fix the problem seem to have consisted mainly of tweaking organizational charts. For example, the Pentagon moved the Joint Information Operations Center -- which supports computer-network attacks as well as military deception, psychological operations, and electronic warfare -- from Atlantic Command to Space Command. Such measures, although well intentioned, will be ineffective or even counterproductive.

Computer warfare is like airpower, armor, or most other military capabilities -- potentially useful, but rarely on its own. Computer warfare will usually be effective only when planned as part of a larger operation. Indeed, Defense Department doctrine instructs commanders to do exactly that.

If only doctrine equaled practice. Kosovo showed that U.S. commanders still consider information operations a sideshow. Concentrating computer warfare in any single command will make matters worse. Regional commanders, already slow to think about computer attacks, will not have to think about them at all. After all, figuring out how to take out the enemy's computers is now Space Command's job.

In fairness, organizing for computer warfare is tough. For one thing, geography does not constrain computer warfare; you can crash a computer in Baghdad from an office in London if you make the right connections. So a computer warfare plan often must involve military organizations in several different regions. Furthermore, exploiting computers' vulnerability is a tricky business, which further complicates planning. For example, to insert bogus data into an enemy computer network during wartime, one might need to compromise the system several years in advance via a cloak-and-dagger operation.

Planning for computer warfare is also complicated because most information systems -- even those used by the military -- are commercially manufactured, owned, or operated. Offensive computer warfare could easily involve private companies in some way. If the firm is American, should Washington expect it to object? Or to cooperate? If the company is foreign, does Washington care? And what about retaliation? Should U.S. forces strike foreign military computer systems when the enemy might strike back at American commercial systems used by the U.S. military?

Similarly, effective defense in computer warfare will depend on whether commercial communications companies, software developers, and electronics manufacturers can protect themselves. Unfortunately, many companies are in no great hurry to cooperate or coordinate with U.S. war planners. Relations between the U.S. information industry and the government are already strained, thanks to disagreements over encryption standards, antitrust laws, immigration policy, and other issues. The military's influence over industry standards has shrunk as consumers, rather than government, have become the most important customers.

In short, planning for computer warfare is terribly complex. Regional commanders must be pressed to include information operations in their planning and coordinate these plans across commands at the highest levels. The secretary of defense should coordinate any clandestine operations needed to prepare or support these plans with the various U.S. intelligence organizations.

The secretary of defense should also improve relations with companies in the information industry, which need to understand their own stake in an effective defense. Formal regulations and the "industry councils" used in the past are too slow and cumbersome. They also reduce cooperation to the lowest common denominator. Direct relations -- formal and informal -- with individual companies are essential.

SECRETS AND LIES

Midway through Operation Allied Force, the Pentagon's Office of General Counsel looked at the legal issues associated with computer warfare. Its analysis became controversial when journalists reported that some information operations could leave U.S. commanders culpable for war crimes. In fact, the report's main conclusion was that most legal questions about computer warfare were addressed by existing laws and treaties. For example, a bogus broadcast in which a "morphed" foreign leader told his troops to surrender would be a crime, but only for the same reason that attacking under a white flag is illegal -- both actions abuse the communications channels reserved for invoking a cease-fire. Similarly, causing disproportionate civilian casualties by hacking into the controls of a hydroelectric dam would be criminal, but so would bombing the dam, if the effects were similar.

Intriguing though all this is, the most pressing issues about computer warfare are not matters of law but matters of policy -- in particular, policies concerning targeting, secrecy, oversight, and defense. Most Americans would probably approve of computer attacks against enemies abroad during wartime. After that, the questions get harder. Should American companies overseas be protected from U.S. computer strikes aimed abroad? Should U.S. allies operating in third countries be exempt? Today's global marketplace makes these questions even more complicated. A company incorporated in California might have a director on its board from France and operate a subsidiary in Russia that serves customers from Iran. These are partly legal matters, but they are primarily issues of judgment. The key is how much retaliation and collateral damage U.S. leaders are willing to risk.

Discussing computer-warfare policy is even harder because such operations often require secrecy and sometimes require hiding the U.S. government's role. Victory in information warfare depends on knowing something that your adversaries do not and using this advantage to confound, coerce, or kill them. Lose the secrecy, and you lose your advantage.

Moreover, such secrecy is often fragile. Knowing that U.S. forces can penetrate a particular computer system will ensure that America's enemies avoid using it. Simply realizing that the United States is involved in such activities will encourage our foes to protect themselves.

Secrecy is anathema to free debate, and covertness is anathema to accountability. Both threaten democratic rule. But as computer warfare becomes increasingly important to U.S. security, more defense planning may mean more furtiveness. Past experience makes this troubling. Historically, oversight of covert activities has swung between two extremes -- either ineffective (as in the Iran-contra scandal) or painfully slow and legalistic (as in the current situation, partly a result of the excesses of the 1980s). If the United States is to use computer warfare effectively, it must strike a balance.

The public must also understand U.S. policy. If they do not, they and the information industry will be reluctant to provide the cooperation that computer warfare requires. Worse, Americans will feel blind-sided when controversial operations become public, as they inevitably will. The backlash could prevent Washington from undertaking such operations in the future.

Officials can discuss openly the broad strokes of U.S. computer warfare policy without revealing details that would compromise specific operations. The White House and Congress should hammer out an agreement about how the United States will carry out computer warfare. The Clinton administration was slow to start dealing with the issue; the next president must give it a higher priority if the United States is to sort out computer warfare's complexities.

Computer warfare may be fought with electrons rather than bullets, but war is war, and decisions about war will always be the hardest ones that officials have to make. The incentives and means for computer warfare will increase as the information revolution proceeds. Even if the United States does not practice computer warfare, some of its adversaries will. If America is not prepared, the glitches in U.S. information operations in Kosovo could become disasters in a future war.