Monday, December 15, 2008


Maybe you’ve seen the recent Hoover Institution report which argues that botnets and malware constitute “electronic Weapons of Mass Destruction” or eWMDs.

The authors of the report say they created the eWMD term (or acronym, I guess), and I’m sure they did.
My focus in this post is not on innovative semantics but on the notion that botnets and/or malware constitute a kind of weapon of mass destruction. To put it simply, I disagree.

The notion that computer technology can be equated to WMDs arose in discussions of cyberterrorism. I did a blog post a couple of years ago in which I explained why equating computer technology to bombs, bugs and toxic chemicals misunderstands the nature of computer technology as an offensive device.

In that post I noted something the authors of the Hoover Institution report also concede: Computers are not particularly useful in inflicting mass carnage. When I speak on this issue, I point out that no computer attack – however devastating – could cause the sheer carnage we saw in the 9/11 attacks or the Mumbai attacks or any of a number of other, tragically similar events. Bombs and guns are splendid implements for those engaged in the theatrics of blood; biological and chemical weapons won’t shed blood, but they could trigger the same visceral response terrorists have elicited with bombs and munitions.

The authors of the Hoover Institution report concede this, as I said, but their comeback to that is that even if “software and data are securely backed up, there is still potential for great loss due to an eWMD attack.” Of course there is. Many of us have been saying that for years.
At another point in their report, the Hoover Institution authors analogize the attacks on the Pentagon computers to a digital blockade, another point I have trouble grasping, at least in the context in which it is made. Yes, of course, a DDoS or any other type of computer attack that shuts down a system is functionally analogous to a blockade; one of the authors of this report was one of the defenders when Estonia suffered a massive cyberattack last year, an attack that essentially took Estonia off the digital grid for a couple of weeks.

That kind of attack is the functional equivalent of a naval blockade, but I don’t see a blockade as synonymous with WMD. Indeed, I see the two as constituting very different types of aggressive action. Blockades interrupt activity of some kind (e.g., transport, commerce, military activity); destruction eliminates or damages people and assets. I suppose, logically, destruction could be analogized to a blockade in the sense that both deprive people of things (life/health and property in one instance, activity in the other), but I think that analogy is excessively literal and ignores the important distinctions between the two types of aggressive action.

At another point in the report, the Hoover authors note that while they hope (as do I) that computer technology will “never be able to cause the loss of life that other weapons of mass destruction . . . can cause, they should still be recognized as having the potential to destroy livelihoods or even entire economies”. As to the first point, I absolutely do not deny that computer technology could someday be used as a real WMD; Skynet comes to mind, for those of us who’ve seen the Terminator movies. But, as far as I know, we’re not there yet.

As to the authors’ real point – the premise that computer technology can be used to destroy livelihoods or economies – I agree. I don’t know if we’re actually at that point yet; the DDoS attack on Estonia had the potential to do terrible damage to that country’s economy if it had been sustained for months or a year or more . . . but I’m not sure that is a realistic possibility at the moment, at least not for non-governmental actors. I don’t know if the U.S. military and the militaries of a number of other countries could mount an attack like that, but let’s assume they could.

This brings us to an issue I analyzed a bit in a law review article I published last year and that I’ve analyzed in a great deal more depth in a book that will be coming out early next year (and I will, of course, announce when it is published). I agree with the Hoover authors that computer technology can be used aggressively, to inflict various types of damage on civilian victims and/or on a nation-state. I disagree with them, though, when it comes to analogizing this type of activity to the use of real-world WMDs. As I explain in my new book, I think this type of activity constitutes something different, something that can be far more subtle in its implications than is the use of conventional WMDs.

The authors of the Hoover article seem to be really talking about the use of computer technology to wage warfare, an issue they specifically take up later in their article. As I explain in my new book (I did not intend this post to be a commercial for the book, but it’s hard to talk about these issues without referencing it), I think computer technology can and will be used to wage warfare . . . but I don’t think it is/will be conventional WMD warfare. One difference is deniability: (As I explain in the book,) when Hitler – or, more properly, when a LOT of men wearing German uniforms, speaking German and using vehicles and other implements with German insignia on them – invaded Poland, it was pretty clear that this was warfare.
As the Estonia episode illustrates, it can be difficult to tell whether a cyberattack is war – which means it’s launched by a hostile nation-state – or whether it’s . . . something else. In the book, I argue that cyberwar could become the province not just of nation-states; in the real-world, only nation-states can wage war because only they can assemble the massive manpower, firepower and other technical power needed to do so.

That is changing. We already have groups like Al Qaeda who consider themselves to be at war with the U.S., which causes legal and practical problems; the U.S. is not willing to treat Al Qaeda operatives as combatants because they really don’t qualify as that term is defined in instruments like the Geneva and Hague Conventions. They’re not, though, simply criminals; and while the U.S. ostensibly treats them as terrorists (a type of criminal, under the law), many of its actions implicitly indicate that they are being approached as something more.

Getting back to my primary point, I note in the book that computer technology is, by its very nature, democratic. That is, groups – even individuals – can control computer technology to launch what can be – as Estonia discovered – very devastating attacks, “soft” attacks on communications and other systems. The ripple effects of those attacks could, indeed, be devastating . . . but not destructive, not in the WMD sense of being destructive.

I guess my ultimate point of disagreement with the Hoover authors is that I think they raise very valid concerns about a very likely threat, but I think they distort the validity of their analysis by predicating it on a false analogy . . . the WMD analogy. I also think some of their proposed solutions – like calling in the National Guard when an attack has been launched – are not particularly good ones. A point I spend a great deal of time on in the book is the response issue, which is very complex in the U.S.; our laws divide the responsibility for responding to attacks between law enforcement (crime and terrorism) and the military (war). The two cannot combine forces, particularly not if the attack is or seems likely to be crime or terrorism.

Ultimately, I think that division of responsibility is a very good idea; perhaps it’s simply because I’m used to this system, but I would be concerned about fusing the two, even in the limited context of responding to cyberattacks. The architects of the U.S. Constitution very much wanted to ensure a division between civilian and military response authority to prevent overreaching by the latter and a consequent erosion of the authority and independence of the former. I don’t think our military has any interest in doing either of those things, but they are products of the current system. I have concerns as to where we might go if we erased, or even eroded, the division between the two and let military personnel participate in active law enforcement investigations.

But that’s a bit of a tangent, one I’ll come back to, maybe when the book comes out.
