Having long relied upon military prowess and diplomatic skills to project and protect its interests on the seas, on land and in aerospace, the United States now is in conflict with stateless entities seeking hearts and minds, not land or treasure. It is a global contest of words and images, waged on a battlefield called cyberspace where the rules of engagement that govern traditional conflict don’t apply and plans for a multiagency effort to protect the information infrastructure have not yet been adopted. 
 
Should we call this struggle a war? If so, what laws and rules govern conduct? How serious is the threat of malicious intrusions into—and manipulation of—information systems, and can the vulnerabilities, particularly in the Internet, be sufficiently reduced? Should we respond to these intrusions in kind, and if so, by which agencies and by what means? And what is the role of U.S. armed forces in a battle of words? Recent events have converged to bring the subject of network vulnerability, threats, risks and responses to the fore.
 
Assaults on Estonian, U.S., U.K., British and German government information systems have refueled alarm over security gaps in the Internet, calling to question the ability of wired nations to function under, respond to and recover from network disruptions. The May 9, 2007, attack on Estonia obliged that nation to sever external connectivity to its government Web sites temporarily, with resultant losses in the tens of millions of euros. Reports that e-mail service in the Office of the Secretary of Defense was interrupted for several days also suggest that nation-states could have been behind the disruption as well as behind electronic dumpster diving into information systems of U.S. defense contractors. Still, while important government functions were disrupted by these intrusions, no nation has been brought to its knees. Expensive? Yes. Damaging? Certainly. Manageable? Apparently. But, casus belli?
 
A cautious and conditioned approach by the armed forces is prudent because much of this struggle is being waged through information systems outside the classic battlefield, and the consequences of offensive electromagnetic attacks are unpredictable. The battle against improvised explosive devices (IEDs) is being fought in the radio frequency spectrum where civil and military uses are inextricable. Such conditions constrain the military from employing what in the past were legitimate military electromagnetic countermeasures—then and still called electronic warfare.
 
We ought not be surprised to find U.S. armed forces preparing for nonkinetic offensive operations against the tangible elements of cyberspace. Disrupting an opponent’s “lines of communications,” be they physical or electromagnetic, is a lawful tactic under the rules of armed conflict. At issue now is the applicability in a conflict being waged outside the boundaries of the traditional battlefield and one where adversaries are not just insurgents or terrorists but criminals and, potentially, other nation-states.
 
It is an exasperating reality, but the Internet is a global commons, owned and occupied by millions of equities that are not subject to selective sanctions or penalties. Further, while the U.S. armed forces may be the best equipped to employ offensive network-warfare practices in a global counterinsurgency campaign, they are not the only government agency with functions held hostage by a vulnerable Internet, nor are they the one with principal authority and ability to respond.
 
Those advocating offensive actions contend that defensive efforts to insulate the Internet against abuse have been, are and will continue to be ineffective. Indeed the Defense Service Board report cautions that the “network/COTS [commercial off the shelf] approach also has the potential to significantly increase vulnerabilities to internal and external threats.” That report finds the Internet to be a deliberately “flat” network where “every piece of subscriber equipment has an IP [Internet protocol] address and grants every communicant full access to that IP address and the ability to effect switching and signaling.” It goes on to urge that “DOD activities should also include a serious look at the risks, vulnerabilities and challenges introduced by using this [commercial] technology.”
 
How important is the external threat? In a New York Times article titled “Who Needs Hackers?” John Schwartz contends that “some of the most serious, even potentially devastating, problems with networks arise from sources with no malevolent component.” He quotes experts from industry and academia, remarking that “systems are falling apart by themselves. … The threat is complexity itself.”
 
There are political limits to defensive measures. No nation can unilaterally defend networks owned by nation-states, commercial companies and individuals. Almost 200 nations connect to the Internet, and there is no agreement among them as to whether or how it should or could be policed. This political constraint will persist until, as suggested by a Washington, D.C., think tank, some international body, perhaps patterned after the International Civil Aviation Organization or the International Telecommunications Union, is chartered to define standards of Internet behavior and enforceable sanctions for miscreants.
 
Efforts to weigh the respective merits of defense and offense become moot when one affixes to each the baggage of unforeseen and unintended consequences; that neither miscreants nor their motives can be refutably established; that users remain indifferent to federal information security standards; and that even the most robust defenses inevitably might be overwhelmed by technology and human frailty. All of which invites the conclusion that survivors on the cyberfield will be those best able to manage the consequences of catastrophic system failures, irrespective of their cause.
 
Col. Alan D. Campen, USAF (Ret.), is a SIGNAL contributing editor and the contributing editor to four books on information warfare and cyberwar.
 
The full version of this article is published in the January 2008 issue of SIGNAL Magazine, in the mail to AFCEA members and subscribers January 2, 2008. For information about purchasing this issue, joining AFCEA or subscribing to SIGNAL, contact AFCEA Member Services.