STEVE INSKEEP, host:
Over the next couple of days, we're going to look a little bit more closely at cyberwar, computers fighting computers. An all-out cyberwar could knock out a country's power, water, and telecommunications, all of which depend on computers. In fact, a cyberwar could halt transportation, even paralyze the financial system. All of which raises a question: Should the laws of war apply to cyberspace, and if so, how?
NPR's Tom Gjelten has been taking a look at this debate and joins us now. Hi, Tom. TEXT: TOM GJELTEN: Hi, Steve.
INSKEEP: Let's talk about what the laws of war are. I mean people hear about war crimes so much, it may surprise people to realize there are any rules.
GJELTEN: There are rules. There's actually a whole body of international law we call the Law of Armed Conflict. In general it says when a country is justified in going to war. And second, it says how armies should fight, rules they should follow once a war is actually under way.
INSKEEP: OK. So when is a country entitled to wage war?
GJELTEN: The main justification, Steve, is self-defense. The United Nations charter says that if you are yourself the victim of a quote, "armed attack" by another country, you can legally go to war against that country.
INSKEEP: That's when you can send your bombers overhead, fire your missiles, send your armies, but now when can you legally launch some kind of cyberattack against a country?
GJELTEN: That's a little more complicated. Essentially if a country launches the cyber equivalent of an armed attack against you, you should be able to respond with a comparable cyberattack against that country.
GJELTEN: But Daniel Ryan, a law professor at the U.S. military's National Defense University, says that if a country is going to go to war legally in response to a cyberattack, it has to be able to show that the cyberattack was tantamount to an act of war - as defined by the U.N. charter.
Professor DANIEL RYAN (National Defense University): The problem is, we don't know when or if a cyberattack could rise to the level of an armed attack.
GJELTEN: Here's what we can say: For a cyberattack to be an act of war, it has to be a government operation. We're not talking here about some hacker or some rogue. It's one country deliberately going after another country's computer networks with the intent to disable or destroy them. It might actually be easier to say what's not cyberwar. Michael Hayden, the former CIA director, says, for example, that it's not cyberspying, one country breaking into another country's computer system to steal information or plans.
Mr. MICHAEL HAYDEN (Former CIA Director): We don't call that an attack. We don't call that cyberwar. That's exploitation. That's espionage. States do that all the time.
GJELTEN: And Steve, Hayden's remarks on cyberwar there were at a recent conference on hacking.
INSKEEP: OK. So we have an idea here when countries under the law of war can wage war. Once that war is underway, what do the rules say about how that war can be fought?
GJELTEN: I'm going to really over-simplify here, Steve. Generally, international law says you have to fight in such way as to minimize the damage to civilians. That's the over-arching principle, and it would apply to cyberwar. Military targets have to be distinguished from civilian targets, with civilian computers off limits. Here's Daniel Ryan again, of the National Defense University.
Prof. RYAN: A direct attack on a civilian infrastructure that caused damage, even loss of life, of civilians would, I think, be a war crime.
GJELTEN: Civilian infrastructures, Steve, would include the computer networks that control an air traffic control system, a water supply, things like that. But Harvard Law Professor Jack Goldsmith says distinguishing civilian and military targets is not always so simple in the cyber domain.
Professor JACK GOLDSMITH (Harvard Law School): You know, computers don't always have signs over them that say I'm a military target, I'm a civilian target, and also the two things are intermixed. Ninety to 95 percent of U.S. military and intelligence communications travel over private networks.
GJELTEN: In fact, you could set out to hit a military target but then hurt civilians in the process if your attack is disproportionate.
INSKEEP: Collateral damage, basically, is what we're talking about here all the sudden.
GJELTEN: Yeah. And it's the proportionality rule: You don't level a city to destroy a single military unit. Now, in the cyberworld, it means you couldn't plan a massive computer attack, even on a military network, without regard for the civilian computer networks that would be affected by that attack. It's hard enough to follow this proportionality rule in a conventional war; Jack Goldsmith says it's much harder in a cyberwar, because computer networks are so highly interlinked. Taking out one could set off an unpredictable chain reaction.
Prof. GOLDSMITH: The U.S. government, when they're dropping a bomb, they have all sorts of computer algorithms and studies that they use to show exactly what the consequences are going to be from dropping this bomb at this angle on this building. Those kind of consequential analyses are much harder in cyberspace, and so it's hard to apply the proportionality test.
GJELTEN: It's all because of the indirect effects that flow from a cyberattack. And Daniel Ryan says it's a real problem for cyberwar planners who want to follow the rule of war.
Prof. RYAN: Since we can't predict what the unintended consequences of the use of cyber might be, that would say you can't attack at all in cyberspace. That can't possibly be the right answer.
GJELTEN: Ryan teaches cyber law and the law of war to military and government officials. He thinks the right answer is that commanders should have to consider those effects of a cyberattack they're able to consider, but not those consequences that can't be anticipated. Michael Hayden, the former CIA director, talked about what cyberattacks should be illegal when he spoke at that recent conference on hacking. His top example: sneaking damaging software into an electrical grid.
Mr. HAYDEN: Overall finance is so dependent upon investor confidence that cyber penetration of any electrical grid, for whatever transient advantage it might create for the aggressor state, is so harmful to the international financial system that we should just all agree, these are like chemical weapons, we're just not going to use them.
INSKEEP: Tom Gjelten, it sounds very impressive when Michael Hayden says that, but how do you enforce any laws, any restrictions that there might be in cyberspace?
GJELTEN: Well, Steve, that's always a problem with the law of war. You know, even if governments could agree on what's illegal, it would not necessarily mean they would honor those agreements. There are skeptics out there. One of them is Stewart Baker, a former General Counsel at the National Security Agency and an assistant secretary of Homeland Security under George W. Bush.
Mr. STEWART BAKER (Former General Counsel at the National Security Agency): It is a near certainty that the United States will scrupulously obey whatever is written down, and it is almost as certain that no one else will.
GJELTEN: If anything, it would be harder to enforce the law of war in the cyberworld than in other domains of warfighting. The amount of anonymity in cyberspace means it can be almost impossible to determine where a computer attack originates and who's behind it. Then what do you do, says Stewart Baker.
Mr. BAKER: Since we know that that's going to happen all the time, and no one's going to get caught, to say that's a violation of the rules of war, or the law of war, is simply to make the law of war irrelevant.
GJELTEN: Now, there are other ideas, Steve. Some governments are promoting the idea of a cyber disarmament accord: getting militaries to give up their cyber weapons voluntarily. But that approach could be even more problematic, for reasons we'll get into tomorrow.
INSKEEP: NPR's Tom Gjelten here. And we'll look forward to your report tomorrow, Tom. Thanks very much.
GJELTEN: Thank you, Steve.