Published by The Lawfare Institute
Books reviewed in this essay:
@War: The Rise of the Military-Internet Complex, by Shane Harris (Houghton Mifflin Harcourt 2014)
Cyber Operations and the Use of Force in International Law, by Marco Roscini (Oxford UP 2014)
Reviewed by Alan Rozenshtein
North Korea hacks Sony. Criminals repeatedly steal millions of credit-card and social-security numbers from major retailers. And government officials regularly warn of a "cyber 9/11." To an extent that would have been hard to imagine only a few years ago, the Internet has become a major battleground of the 21st century. We are only beginning to grapple with the fundamental questions this transformation raises. Do crime and war in cyberspace use the same tactics, require the same defenses, and have the same effects as they do in "realspace"? Or does this new battlefield mean a break with the past, requiring new approaches and ways of thinking? In other words, is conflict on the Internet merely an evolution of what's come before, or rather a revolutionary change?
Two recent books provide grist for both sides of these questions. Arguing for an essentially evolutionary position, Marco Roscini, who teaches international law at the University of Westminster, convincingly applies well-established law-of-war principles to the Internet. He suggests that, by and large, they can be adapted to work in this new terrain. In Cyber Operations and the Use of Force in International Law, Roscini updates both the jus ad bellum (international-law rules governing when resort to war or armed conflict is lawful) and the jus in bello (also known as international humanitarian law, the rules that govern the conduct of belligerents). In this effort, Roscini draws on foundational legal documents like the U.N. Charter and the 1949 Geneva Conventions, as well as newer sources like the 2013 Tallinn Manual, a NATO-led effort by an international group of experts, similar in aim to Roscini's own, to draft rules for cyberwar.
Roscini's contribution—his careful and systematic analysis of different use-of-force issues in the cyber context—is a significant one. He makes a strong case that the traditional laws of war can be successfully applied to something as novel as the Internet. Even those features that might be thought to present difficulties—e.g., the fact that malicious activity in cyberspace may not cause physical damage in realspace—can be accounted for using traditional law-of-war concepts (such as rules on inflicting economic damage on adversaries or neutrals through blockades).
Roscini's book is not without flaws. It's hardly an easy read, even for experts, and is largely inaccessible to those not already knowledgeable in public international law and the law of armed conflict. More importantly, it won't (nor does it even attempt to) convince readers who might be skeptical of its highly positivist, doctrinal approach to law-of-war analysis. For this audience, Roscini's methodological correctness will count for little as compared to its practical deficiencies: a highly restrictive approach to activities on the Internet and what can feel like a naive insistence on crafting rules so early in the development of a technologically and operationally fast-moving area, and in the absence of practical experience or useful data. Nevertheless, for the technical expert in public international law, Roscini offers an immensely valuable model for how one might apply the laws of war to the Internet. More generally, it is an impressive attempt to preserve the foundations of a well-established body of law as its application moves from one context to another.
In contrast to Roscini, Shane Harris makes a strong case that the Internet is forcing us to fundamentally rethink our basic assumptions about crime, war, and the roles of the government and private sector in keeping us safe. Harris, a senior correspondent for The Daily Beast (and frequent Lawfare contributor), is one of the best journalists writing about government surveillance and cyber activities today. His previous book, the justly praised The Watchers, chronicled the growth of the NSA's modern surveillance capabilities. In his terrific new book, @War: The Rise of the Military-Internet Complex, Harris broadens his focus, exploring how government and private industry are reacting to dangers online—whether from criminals, terrorists, or hostile states.
@War's coverage ranges widely, much of it focused on the private sector: from the serious cyber threats U.S. companies face from foreign criminals and nation states to the impressive defensive capabilities that some of them, especially in the financial sector, have developed in response. At its core, however, @War offers a set of descriptive claims about the nature and extent of threats on the Internet. These in turn motivate normative arguments about the desirability—and general lack thereof—of aggressive offensive government action on the Internet.
Harris is most convincing when he describes the novel (i.e., revolutionary) features of cyber threats. He notes that "where the military-Internet complex takes a screaming turn off the road of history" is that, although "the government has always had a monopoly on the use of force," that is no longer the case. That's precisely right. At least in the case of foreign threats, conflict between governments has traditionally occurred on and around borders, mediated by notions of territory: ours and theirs and in-between. Even transnational terrorism, which strikes at a society's civilian core, confronts a border through which the threat must pass and where it is confronted in the first instance by government (the immigration system, border police, etc.).
The Internet is different. An online computer can be accessed by any other computer anywhere in the world, bypassing governments entirely (at least in the case of nations like the United States that have an open Internet and a communications infrastructure almost entirely owned by the private sector). Put another way, the Internet's architecture makes all threats—even those carried out by foreign terrorist groups or nation states—functionally like domestic ones in the following way: because the government's presence within the United States is substantially less complete than it is at the border, private entities are not only targets of Internet attacks, but are often the first line of defense.
Harris offers qualified support for the private sector's central role in Internet defense. He states that "the growth of private cyber security" is "a trend that's probably unavoidable and maybe even preferable to the government monopolizing this realm." Yet he wisely recognizes the danger of allowing "hacking back" by private entities:
Private cyber wars are probably inevitable. Someday soon a company is going to bait intruders with documents loaded with viruses that destroy the intruder's network when opened. That provocation will escalate into a duel. Then governments will have to step in to defuse the crisis or—in the worst case—forcefully respond to it. [224–25].
This underestimates, I think, the potential costs of diluting the government's monopoly on force on the Internet. "Attribution"—identifying the individual, group, or government that is responsible for a network attack—is a stubbornly difficult problem. Although both the government and the private sector are getting better at cyber forensics, attribution is still often time-consuming, expensive, and laced with uncertainty. Attacks are frequently routed through compromised but otherwise innocent third-party computers, and nation states are increasingly getting in on the action against the private sector (e.g., Chinese cyber espionage against U.S. companies or North Korea's recent attack on Sony). This means that even heavily regulated hacking back could result in a private U.S. entity damaging computers or infrastructure in neutral countries or even attacking a sovereign state. After all, the danger of private actors drawing whole nations into conflict with each other (cf. Sarajevo, 1914) is as good an argument as any for a government monopoly on legitimate force.
Harris limits his characterization of the Internet (as a revolutionary new medium for the projection of force) in one way. He sees a parallel with the past in the government's continuing reliance on the private sector: "Without the cooperation of [technology and telecommunications] companies, the United States couldn't fight cyber wars." [xxiii]. This is certainly true, as are Harris's observations that many of the same defense contractors who helped build America's conventional military and intelligence capabilities are doing the same thing in the cyber domain, and that many former government employees working on cyber issues end up in private companies doing similar work. But does this mean that we are witnessing, as @War's subtitle proclaims, "the rise of the military-Internet complex"? And does it actually parallel Harris's obvious inspiration—the post-WWII military-industrial complex?
I'm not so sure. Harris clearly means to evoke the negative associations of that term, most famously expressed by President Eisenhower, who brought it into public use when he warned about "unwarranted influence" in his 1961 farewell address. Eisenhower wasn't worried per se about government relying on the private sector for manufacturing and research. His fear was rather an update of the Framers' distrust of standing armies: that their existence would embolden the government to use them, either in adventures abroad or, worse yet, at home to subvert democracy and squash liberty. To Eisenhower, the problem with the military-industrial complex was that it gave the private sector a financial incentive to keep the military large and left no social group able to effectively check the expansion of U.S. armed force.
Defense contractors certainly have an interest in growing the government's cyber capabilities, both offensive and defensive. Still, there's nothing like the collaborative industry-wide relationship with the government that existed during the Cold War (and persists today) in the conventional military space. Indeed, the private sector spends at least as much time and energy trying to subvert the government's power on the Internet as it does to augment it. Witness, for instance, the move by major electronic-communication service providers like Apple and Google to implement "end-to-end" encryption, whereby communications are encrypted on users' machines in such a way that the providers don't have access to the encryption keys and thus can't decrypt data, even when compelled to do so by a valid court order.
There are many possible explanations for the oppositional stance of technological elites against the government—whether the belief that it's what consumers want; the libertarian streak running through the leadership of top technology companies and startups alike; the harm to the government's reputation in the wake of the Snowden leaks; or nominally U.S. tech companies seeing their global economic interests, including in places like Europe and China, increasingly unencumbered by bonds of citizenship or national allegiance. Whatever the reason, we are far from the close working and ideological relationship between private companies and the government that characterized the military-industrial complex. This dissent can provide a healthy check on the government's cyber capabilities in a way that might not exist when it comes to the government's conventional military might. (Of course, whether the check goes too far in constraining the government's power is a different question altogether.)
Harris's claims about the military-Internet complex aside, @War comes down firmly on the revolutionary view of the Internet. This motivates Harris's general skepticism of the government's offensive activities online. Nowhere is this clearer than in Harris's insightful discussion of what might be called the "dual use" problem of modern computing: to a degree unique to activity on the Internet, everyone is using the same software and hardware, of which the vast majority was designed, built, and continues to be run by the private sector. Thus, offensive capabilities in pursuit of legitimate military or foreign-intelligence goals often target the same hardware and software that civilians also use.
This poses an enormous difficulty for the government: how to balance these offensive capabilities with its responsibility to defend the Internet. To Harris, this circle cannot be squared, and its contradictions are embodied in the very structure of the NSA, which has responsibilities both for defensive and offensive operations on the Internet. Harris thinks that, within the agency, offense has dominated defense, such that "the NSA has in many respects made the Internet less safe." He writes that "as the agency drums up talk of cyber war and positions itself as the best equipped to help defend the nation from intruders and attacks, it should act more like a security guard than a burglar." Harris is certainly not the only person to make this structural criticism. The administration's own President's Review Group on Intelligence Reform suggested stripping the NSA of its defensive responsibilities. (Notably, these reforms were some of the few that the administration has rejected outright, arguing that the NSA's two roles are inextricably linked, and that separating them into two agencies would only harm the NSA's defensive capabilities.)
It is sometimes unclear in @War what precisely Harris is objecting to: whether to the NSA in particular playing such a dual role, or more generally to the government ever withholding information about (or somehow encouraging the existence of) cyber vulnerabilities. If the former, then it's doubtful that forcing the NSA to choose which role to play—defensive or offensive, as the President's Review Group would have it do—would make much of a difference. It would merely push the debate (over whether to disclose a vulnerability) to some other level of government.
Indeed, such a thing is already happening. The administration has publicly described a high-level interagency process that weighs the costs and benefits of disclosing cyber vulnerabilities the government discovers. But make no mistake: the government as a whole still has to make the difficult decisions and weigh the tradeoffs that a purely internal NSA process would have to do. Perhaps separating each part of the tradeoff into separate government agencies would have the virtue of requiring that a suitably high level of officialdom would have to make the balancing decisions. But the result might merely be that one hand doesn't know what the other is doing.
I suspect Harris's critique is more fundamental than just a question of who decides. At bottom, Harris seems to object to the government ever prioritizing anything over the defense of the Internet and its users—certainly not preserving offensive capabilities. But this ignores the reality of the dual-use problem. And to the extent that the government knowing and exploiting those vulnerabilities can help it defeat adversaries bent on attacking the U.S. or its allies, it's impossible to say ex ante that this increases vulnerability on a net basis. The best defense might require some aggressive offense.
Harris's examples are striking and well researched—they certainly give reason to pause and think carefully before ever keeping a vulnerability secret. But what they don't do is support his bottom-line normative judgments. Ultimately, cyber is yet another domain of hard national security choices. The tradeoffs will have to be considered and balanced through some government decisionmaking process whose conclusions will certainly not be perfect. What they can't be is wished away.
@War is superb. Few books on a subject as technical as network security can be fairly described as riveting, but Harris has managed to pull off a rare feat: a story that is simultaneously rigorous, comprehensive, and a joy to read. Even if Harris doesn't manage to answer all the questions he asks, he deserves great credit for raising and providing the context necessary to understand them. There is no better introduction to the current state of U.S. cybersecurity than @War. It should be read not only by those in government or industry, but by anyone who wants to know more about one of this century's most important—and, yes, revolutionary—threats. You may not think you're interested in cyberthreats, but make no mistake: they're certainly interested in you.
(Alan Rozenshtein serves in the National Security Division, Office of Law and Policy, of the U.S. Department of Justice. The views expressed herein are his own and do not necessarily reflect those of the United States government or the U.S. Department of Justice.)