Posted May 1, 2012 5:00 AM CDT By Stewart A. Baker and Charles J. Dunlap Jr.
What Is the Role of Lawyers in Cyberwarfare?Washington, D.C., attorney Stewart A. Baker and Charles J. Dunlap Jr., a former deputy judge advocate general of the U.S. Air Force, debate whether the U.S. should learn the practicalities of winning a cyberwar—and then ask lawyers for their input—or, instead, set the legal ground rules before conducting cyberwarfare in Patriots Debate: Contemporary Issues in National Security Law. The book is sponsored by the American Bar Association’s Standing Committee on Law and National Security, which invited both writers to address the legal approach to cyberwar.
STEWART BAKER’S POSITION
Stewart A. Baker
Lawyers don’t win wars.
But can they lose a war? We’re likely to find out, and soon. Lawyers across the government have raised so many showstopping legal questions about cyberwar that they’ve left our military unable to fight, or even plan for, a war in cyberspace.
No one seriously denies that cyberwar is coming. Russia may have pioneered cyberattacks in its conflicts with Georgia and Estonia, but cyberweapons went mainstream when the developers of Stuxnet sabotaged Iran’s Natanz enrichment plant, proving that computer network attacks can be more effective than 500-pound bombs. In war, weapons that work get used again.
Unfortunately, it turns out that cyberweapons may work best against civilians. The necessities of modern life—pipelines, power grids, refineries, sewer and water lines—all run on the same industrial control systems that Stuxnet subverted so successfully. These systems may be even easier to sabotage than the notoriously porous computer networks that support our financial and telecommunications infrastructure.
No one has good defenses against such attacks. The hackers will get through.
Even very sophisticated network defenders—RSA, HBGary, even the Department of Defense’s classified systems—have failed to keep attackers out. Once they’re in, attackers have stolen the networks’ most precious secrets. But they could just as easily bring the network down, possibly causing severe physical damage, as in the case of Stuxnet.
So as things now stand, a serious cyberattack could leave civilians without power, without gasoline, without banks or telecommunications or water—perhaps for weeks or months. If the crisis drags on, deaths will multiply: first in hospitals and nursing homes, then in cities and on the road as civil order breaks down. It will be a nightmare. And especially for the United States, which has trusted more of its infrastructure to digital systems than most other countries.
We’ve been in this spot before. As Brig. Gen. Billy Mitchell predicted, airpower allowed a devastating and unprecedented strike on our ships in Pearl Harbor. We responded with an outpouring of new technologies, new weapons and new strategies.