Cyber-War Tools Still on the Shelf

Despite months of speculation and discussion about the U.S. government's cyber-warfare capabilities, security and defense experts say there is little chance the military will use such weapons in the war against Iraq.

Despite months of speculation and discussion about the U.S. governments cyber-warfare capabilities, security and defense experts say there is little chance the military will use such weapons in the war against Iraq.

While government agents have the tools and expertise to launch crippling attacks on Iraqi computer networks, telecommunications systems and other vital pieces of the countrys infrastructure, U.S. officials said they believe the negative ramifications of such an attack outweigh the benefits. But the restraint still may not be enough to keep U.S. systems safe.

"There are certainly things they can do. We know that the government has been considering the rules for affirmative cyber-warfare for 12 years," said Mark Rasch, senior vice president and chief security counsel at Solutionary Inc., in Omaha, Neb., who has worked closely with the government on this issue. "But theres no reason to do it. They have to look at proportionality. We could go after banking or finance or communications. But we dont know if we can design an attack thats targeted enough to do this without damaging other things."

Much like the case with conventional weapons, the concern is over collateral damage. Disabling a telecommunications network could disrupt some of the Iraqi military and government communications, but that disruption could also impede U.S. operations down the road, once the conflict is over. In addition, government officials are concerned that a U.S.-led cyber-war would incite retaliatory cyber-terrorism not only from Iraq but also from Iraqi sympathizers and anti-war protesters around the globe.

Some experts say that while wide-ranging attacks associated with cyberwarfare are unlikely, smaller, concentrated efforts are happening already.

"If you shut down the radar grid while youre flying missions, it will probably come back up," said Gene Spafford, a professor of computer science at Purdue University, in West Lafayette, Ind., and an information security expert. "If you take out the power, you havent damaged the infrastructure. Id be surprised if theyre not doing that."

Perhaps the most troublesome aspect of any large-scale cyber-warfare tactics is the ease with which the same techniques can be turned around and directed against U.S. interests.

But combine that fact with the notion that a major attack on U.S. networks is inevitable, and the rationale for refraining from launching a cyber- warfare campaign against Iraq sours, observers say.

"I kind of doubt anyone would hold off on attacking us because we didnt attack," said Steve Durst, co-founder of Skaion Corp., a security software maker in North Chelmsford, Mass., that works closely with government and military agencies. "Should we hold off because we fear state- sponsored or individual attacks? I dont think it matters. Theres no reason to think that since weve used soft power [such as e-mailing and calling Iraqi military officers] that we wont use hard power."


Main considerations in use of cyber-war tactics:
  • Questions of legality
  • Doubt over whether attack can be precise enough
  • Fear of state-sponsored or individual counterattacks
  • Fear that launching a cyber-attack will legitimize future attacks by foreign powers
"They dont have to be selective," Solutionarys Rasch added. "We have enough vulnerable targets that they could create some disruptions. They could launch it from anywhere and disguise it."

While the military has been sharpening its hacking skills, it has also taken steps to secure its own systems. The massive Navy Marine Corps Intranet project, an ongoing $7 billion outsourced deal with Electronic Data Systems Corp., has already proved its worth, according to Navy officials.

The improved security implemented in the NMCI environment has helped the Navy thwart many war-themed viruses and worms, according to Capt. Chris Christopher, staff director, NMCI Office, in Herndon, Va.

"NMCI has proven itself to be very secure," Christopher said, adding that integrators expect to "detect and deflect approximately 14,235 viruses from infecting our network and data" by years end.

While officially the cyber-battlefield remains quiet, there have been several low-level information warfare incidents in the past 10 days related to the war. The most notable was the apparent denial-of-service attack launched against the English and Arabic Web sites of the Al-Jazeera satellite news channel. The sites were unavailable for most of last week.

Additional reporting by Paula Musich.