The development of the Internet and the Web has resulted in a global society dependent on information technology. As a consequence, there emerges profound problems of scientific ethics and international security that have been increasingly drawing the attention of international security experts, especially those concerned about the future of strategic warfare. Call it cyberwar or strategic information warfare (SIW).

Many countries rely on information-based resources, including management systems and infrastructures involving the control of electric power, money flow, air traffic, and other information-dependent items. SIW occurs when one national seeks to obtain strategic leverage over another by severely disrupting or damage these systems by exploiting the tools and techniques of the Internet. Compared to other strategic forms of warfare such as nuclear war or the clash of massed armies, SIW possesses several distinct features. The entry cost is potentially much lower. There is difficulty in ascertaining perpetrator identity, thereby, enhancing opportunities for deceptive attackers. It also generates new tactical warning and attack assessment problems since there is currently no adequate means for distinguishing between SIW attacks and other kinds of cyberspace activities, including espionage or accidents. Furthermore, in the world of SIW, there is no frontline; the “battlegrounds” are everywhere, from the stock market to the natural gas pipelines. In short, the expanding global network and its rise as a new mode of communication, transcends physical space, thereby muddying the geographical boundaries and traditional distinctions between the public and the private, the criminal and the warlike, the civilian and the military. Lastly, SIW seems to possess the redeeming quality of being “much more humane” than other forms of strategic warfare since the only intended casualties would be the crippling of information flow, convenience, and comfort.

An understanding and development of this technology can lead to great strides in attack capabilities. The question remains whether SIW should be legitimized as a new form of warfare. To explore this question, we will examine the ethical considerations in terms of offensive and defensive capabilities.

For the past several years, a comprehensive understanding of the impact of cyberwarfare has eluded the international security community. It is too early in its inception to determine the full extent to which someone might develop and use the capability to hack a critical infrastructure to pieces and maybe refuse to admit to the act. All nations see a need for new intelligence assessment and analysis methods to deal with this emerging threat. The absence of technology that permits identification of the cyber attacker with absolute certainty makes nations especially susceptible to a new kind of manipulation. For example, a terrorist group intent on provoking war between the U.S. and China, can carry out a cyber attack which deceives the U.S. into thinking the culprit to be China. Faced with such possibilities, reliance on any kind of deterrence strategy that assumes an ability to unambiguously identify an attacker seems unpromising. At the same time, owners and operators of critical infrastructures must assess their vulnerabilities to threats from cyberspace, from both nations and terrorists.

Of even greater concern is the emergence of cyberspace attack as the critical ingredient in a new witches brew of strategic warfare capability. Consider the prospect of a carefully constructed strategic warfare campaign seeking to achieve the strategic leverage of effecting mass disruption though combined attacks on key infrastructure nodes and other infrastructure targets via conventional means, via new unconventional means (e.g., electromagnetic weapons), and via information warfare tools and techniques. Such a capability poses a wholly new kind of threat to international stability.

Looking back before looking forward on this matter, the path followed from the development of the ARPANET through the emergence of the hacking community and culture, in parallel with ever evolving tools and techniques of electronic warfare for military ends, seems understandable enough. But the consequences of this path, and the larger implications for society and the future of warfare are only now beginning to reach national and international consciousness. Moreover, this consciousness has emerged in a wholly new international security environment marked by the end of the Cold War and the long shadows cast by the 1991 Persian Gulf War.

In the former case, strategic thinkers in the international security arena are pondering the future of strategic warfare, with great emphasis in the near term (absent a global peer competitor to the United States) on the character of strategic warfare at the regional level, e.g., in the Middle East or Northeast Asia. The Gulf War provided a clear lesson learned for all would–be regional hegemons: Don’t take on the U.S. and its allies on a traditional conventional battlefield. There other approaches, other means and strategies, for regional powers to take on such powerful coalitions – so-called asymmetric strategies such as those involving the use of biological or chemical weapons to counter an attack. In other words, SIW offers a new element of strategy for adversaries of nations like the US and its allies to consider.

Another complexity introduced by the potential for SIW is that some nations may develop SIW capabilities and hope that attacks with such weapons will only face repsonses in kind. However, there is no guarantee that an adversary nation will feel limited to an SIW response, especially if it has other instruments of strategic information warfare readily available.

This scenario also illustrates the unpredictability of using SIW. Envision a nation developing - and implementing through brandishing or actual use - a capability to disrupt the delivery of services from critical infrastructures. Try further, in a fast moving Information technology (IT)-driven environment, to envision that those who would offer such tools and techniques of strategic warfare - or terrorism - to decision-makers would be able to forecast accurately the collateral effects and overall consequences of an attack of any strategic magnitude. The first is readily conceivable; the second is almost inconceivable. No further examples are needed than those already on the record of the prospect of profound unforeseen cascading consequences of disruptions caused by innocent acts such as the 1997 falling tree incident in Wyoming, which had far-ranging negative impact on electrical service delivery as far away as southern California. In the light of such realities, can one possibly envision that the true consequences of a strategic campaign based in large measure on infrastructure attack via cyberspace can possibly be predicted?

It is not hard to construct very sobering scenarios in the light of these considerations. A supposedly limited precision attack on a segment of an electric power grid could have the unintended consequences of widespread power outages and the failure of emergency power services at places like hospitals and other critical facilities. Or a modest but widespread attack could simply produce far larger consequences across the board due to poorly understood infrastructure interdependencies (e.g., between electric power and telecommunications) and catalyze an unexpectedly larger response and conflict escalation. Thus, given continued poor understanding of infrastructure interdependencies, can SIW attacks under such “imprecisions” be justifiable? The situation is exacerbated by ethical considerations born of the blurred distinction between the public and the private. In cyberwar, the frontline is no longer defined by the military; disruption of the civilian sector may be the explicit objective. In such circumstances, what is “acceptable” and “fair” within the ethics of war as currently judged by civilization?

The search for answers needs to include fostering a serious and far-reaching dialogue on this subject within the international community. In November 1998, a committee of the United Nations General Assembly drafted a final resolution to address this issue. It called upon Member States to “promote the consideration of existing and potential threats in the field of information security” and invited them to help develop “international principles that would enhance information security and combat information terrorism and criminality.” Furthermore, the UN plans to include an item on developments in the field of information security on the agenda for its next session.

The dire character of the above descriptions is not intended to foster a feeling of hopelessness about the infrastructure protection challenge, but rather to stimulate a deeper consideration of the kind of problem that is emerging. Unlike the asymptotic U.S.-Soviet response to the nuclear threat – deterrence largely achieved through the threat of mutual assured destruction – there is relatively little hope that even in the long term the perpetrator identification problem (key to any deterrent concept) can be solved to the unambiguous degree that decision-makers will demand in considering a retaliatory response.

In such emerging circumstances, there appears to be only one strategic response – protection to the degree possible, and rapid response to restore services when protection fails. But can such a national and international strategic response succeed in an environment where the hacker culture – in no small measure the spokesperson for a large segment of the IT community - insists on perpetuating the concept that the breaking down of the defenses of computer networks is an unalloyed good? Is it not far more preferable for the IT community to unanimously embrace the alternative of very quietly helping to fix vulnerability problems when they are discovered?

Furthermore, can the IT scientific and technological community (unable to muster the leadership to acknowledge the Y2K problem years ago, and collectively take steps to remedy it) take a lead role in addressing on an urgent time scale the infrastructure vulnerability problem? While the prospect is not encouraging, the demand is of such a character that it becomes quite literally an ethical issue for the IT community. In the race to reap the financial rewards of the IT revolution, should not those in the scientific and technological communities who gave us the Internet and the Web not take some responsibility here? And should that responsibility not go so far as to change fundamentally the prevailing culture in the hacker community and quite literally turn it around? Should not those who once worked at opening every door now be encouraged - through example and leadership - to take on the task of making cyberspace more secure?

Without such a commitment, the IT community could run the risk that the grand potential of the IT revolution could be profoundly blunted by recurring problems of infrastructure disruption. While there is probably not the danger of the technological “simplification” that followed World War III in William Miller’s famous A Canticle for Liebowitz, there is a danger that much of the good that can be achieved from the IT revolution will be slower in coming and in the end less far less far reaching than the unalloyed bright shining path that the IT community would now cast before us. Perhaps, better a new ethic that eschews the evolution of cyberspace into a new battlespace.

Roger C. Molander is a senior research scientist at RAND. Sanyin Siang is Deputy Editor of Professional Ethics Report