"Information warfare is believed by many to be the means by which the next 'big' war will be fought and, more importantly, the means by which future wars will be won."
Maj. Richard W. Alrich, USAF
"The International Legal Implications of Information Warfare"
Aerospace Power Journal, Fall 1996
Worldwide governments have realized that information networks are vulnerable to terrorist attacks. When countries or groups of individuals initiate disruptive activity against a nation's information technology (IT) infrastructure, it is called information warfare. Attacks may range from denial of service attacks, viruses, misleading traffic, and seizure of Web sites. In response to this threat, most governments recognize the need to monitor traffic on the Internet to catch criminals and prevent terrorist activity. Aldrich1 discusses possible attacks and responses in his article, "How Do You Know You Are at War in the Information Age?"
In the U.S., President Clinton recognized the vulnerabilities of the nation's IT infrastructure when he issued the Presidential Decision Directive (PDD 63) in 1998. PDD 63 directed the establishment of various working groups in the government, in the Department of Defense (DoD) and the public sector to promote awareness, knowledge, cooperation and standards for infrastructure protection. Overall responsibility for PDD 63 implementation rests with the National Coordinator for Security, Infrastructure Protection and Counter-Terrorism, who directs the work of several coordinating groups, such as the National Infrastructure Protection Center (NIPC). The NIPC, led by the Federal Bureau of Investigation (FBI), includes DoD. As one of the many efforts in Homeland Security, the FBI is currently using a diagnostic software tool called Carnivore to monitor and intercept suspect computer traffic.
At the same time, there has been wide concern by private industry and the general public regarding the FBI's use of Carnivore. Private industry is concerned that: the government does not have the expertise to deal with the complexities of Internet traffic and they do not want the Government monitoring their corporate e-mail. Private citizens express fears that monitoring may be used to violate civil rights. (The FBI Web site at www.fbi.gov provides information on Carnivore and its use.)
While the nation's IT infrastructure must be preserved, issues still remain: 1)When should governments be allowed to intercept traffic? 2) What measures can best protect civil liberties of individuals and corporations? 3) How should governments respond to information warfare attacks?
Point of View
Heads of executive agencies, and by regulation, government organizations must ensure that information security policies, procedures and practices are adequate to prevent infiltration. The function of a government Chief Information Officer (CIO), as defined by the Information Technology Management Reform Act of 1996, includes management responsibilities for the sound integration and management of the organization's information technology enterprise. Information Assurance normally becomes a duty of the organization's CIO. This article is written from the point of view of a government analyst or administrator charged with providing technical and policy issues to an agency CIO. Issues concerning civil rights reflect the author's views as a private citizen.
When should governments be allowed to intercept traffic?
The origin of the relevant law in the United States concerning the interception of communications traffic is the Fourth Amendment to the United States Constitution: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." The first case reference to communications interception was in Olmstead v. United States, 277 U.S. 438 (U.S. 1928), in which the Supreme Court held that interception of telephone conversations are not subject to Fourth Amendment protection.
In Goldman v. United States 316 U.S. 129 ( U.S. 1942), the Supreme Court reaffirmed this position in a case in which Federal agents conducted electronic eavesdropping in an adjacent room. In Katz v. United States, 389 U.S. 347 (U.S. 1967) the Supreme Court reversed the prior findings and noted that "[t]he Government's activities in electronically listening to and recording the petitioner's words violated the privacy upon which he justifiably relied while using the telephone booth and thus constituted a "search and seizure" within the meaning of the Fourth Amendment. The fact that the electronic device employed to achieve that end did not happen to penetrate the wall of the booth can have no constitutional significance."
Wiretapping was explicitly outlawed (permitted for law enforcement purposes under explicit authorization) under Title III, the Omnibus Crime Control and Safe Streets Act of 1968. The Electronic Communications Privacy Act (ECPA) of 1986 explicitly prohibited unauthorized interception of electronic communication, while making provisions for such interceptions for law enforcement purposes. Coacher2 defines electronic communication as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo-electronic or photo-optical system that affects interstate or foreign commerce… [with certain exceptions]."
Law enforcement officials can intercept electronic traffic in the course of investigation. Different conditions apply for different types of interception. There are methods of interception that acquire the content of the communication and those that only acquire meta-data about the communication. In telephone communication, the former would consist of listening to or recording the conversation, and the latter would consist of the use of so-called pen registers and trap-and-trace devices. The FBI deploys Carnivore to Internet Service Providers (ISP) to collect information from e-mails to/from a suspect. It is used under the provisions of Title III for content or under the ECPA for the collection of addresses (non-content).
In the latter case, Carnivore is treated as a pen register and trap-and-trace device. There is substantial controversy surrounding this application, since the collection of e-mail addresses provides substantially more information than telephone numbers. Gilman.3 and U.S.C. Title 18 Sec. 3121-3127 (United States Code is available at Cornell University's Web site at www4.law.cornell.edu) explain the parameters of when the government may use electronic surveillance.
What protects the civil liberties of individuals and corporations?
Electronic communications can be captured through an individual's use of the Internet. When a user seeks information from Web sites, it is necessary for his browser to transmit information identifying the information sought; these packets can be maintained by the user's ISP, forming a "clickstream." Skok4 defines the clickstream as an "aggregation of the electronic information generated as a Web user communicates with other computers and networks over the Internet."
This aggregate of information is not subject to Fourth Amendment protection since it is considered to be volunteered by the user to the ISP during the course of accessing the Internet. So while Skok warns that clickstream data can be "shockingly revealing"--the Web surfer should have no expectation of privacy. BeVier5 advises thateven the data were to be accorded such protection, it would still be accessible by law enforcement officials under the provisions of the ECPA as stored communications.
The privacy of citizens is accorded protection only to the extent that protection can be offered by law. Skok advises that in Internet use, items are only accorded privacy protection if they can be reasonably assumed to be private. Items posted to bulletin boards, chat rooms and other public forums are accessible to the public, therefore, they are not private. Skok believes that a citizen's use of the Internet should be private under the Fourth Amendment since the intent of the Fourth Amendment was t limit potentially intrusive government searches.
Blackowicz6 suggests that communications made in the workplace are sometimes protected, but not always. Coacher presents the criteria by which the degree of protection is provided for government workers, as delineated by O'Connor v. Ortega, 480 U.S. 709 (U.S. 1987): the extent of privacy of the work area and the reasonableness of the search, i.e., reasonable suspicion. In general, the ECPA does not protect e-mail communications in the workplace. BusinessWeek online (http://businessweek.findlaw.com/employmentbook/HFCHP5_h.html), "Employee Privacy Rights, Wiretapping and Eavesdropping," describes Title III as the most important statute prohibiting employers from deliberate and surreptitious eavesdropping, including the interception of employees' oral communications when spoken with the expectation of of privacy (e.g., if a conversation occurs in places where an employee has an expectation of privacy, such as a restroom). (See Blackowicz.)
Given that U.S. Code and case law leave questions to an individual's expectation of privacy, the logical conclusion is that entities must protect themselves. Essentially one should e-mail only those items that are not at risk if made public. It should be assumed that e-mails can be intercepted or more often, passed along by the receiver. The use of encryption software, now widely available, can prevent the reading of intercepted e-mail. Individuals should carefully choose where to expect privacy; the hard drives of their employers does not confer such an expectation. To protect your privacy for accessing the Internet at home, Gilman suggests there are various "anonymizer" programs for e-mail (anonymous re-mailers) and for clickstreams.
The EFF is a "a nonprofit, nonpartisan organization working in the public interest to protect fundamental civil liberties, including privacy and freedom of expression in the arena of computers and the Internet." The EFF (http://www.eff.org/abouteff.html) raises awareness and lobbies to educate the public regarding Internet privacy issues, and more importantly, educates those in a position to make policy. While self-protection is paramount, perhaps some effort should be made to protect the rights of individuals who, for whatever reason, cannot exercise self-protection methods on the Internet for themselves.
Finally, some concern should be voiced for the collective civil liberties of society as a whole. If law enforcement officials have do not have the ability to electronically monitor and collect suspect information to prevent digital crime and if effective laws are not in place to prosecute Internet criminals, then society as a whole will suffer the consequences. In an EFF report the "Challenge of Unlawful Conduct Involving the Use of the Internet: A Report of the President's Working Group on Unlawful Conduct on the Internet," the President's Working Group found that "federal laws appear to be generally adequate to protect users from unlawful conduct on the Internet." However, the Internet is young and is still in a period where "anything goes"; the Federal Government should continue to conduct inquiries such as the Working Group study to ensure that lawmakers develop a "net-centric" frame of mind.
How should governments respond to information warfare attacks?
The Joint Doctrine for Information Operations, Joint Publications 3-13 or JP3 states the DoD view of IW as a special case of Information Operations (IO) that occurs during periods of intended hostility. IO consists of "actions taken to affect adversary information and information systems, while defending one's own information and information systems." IW consists of "Information operations conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries."
The Joint Doctrine for Information Operations, more explicitly refers to the term "Offensive Information Operations" (OIO) to denote what is commonly considered IW. IW includes a range of actions, but the DoD perspective clearly earmarks OIO or IW as having specific known military objectives. The familiar "hacker attack," denoted Computer Network Attack (CNA) is but one of the activities conducted under the heading OIO; other activities include Operations Security (OPSEC), Psychological Operations (PSYOPS), Electronic Warfare (EW), military deception, physical attack and destruction, and Special Information Operations (SIO), including CNA.
An IW attack could consist of a range of possible actions, including attacks on computers with the intent to incur a range of effects such as inserting misinformation, disrupting operations, disabling the nation's physical infrastructure, and, in the most extreme cases, disabling the economy and preparing the battlespace for attack. The President's Working Group defined that computer crime should be treated independently from similar crimes committed in the physical world, without the use of a computer. The JP3 states that the same reasoning would translate into the instance of an attack on the nation's people, properties, or interests…an attack is an attack, whether by weapon in the physical realm or by computer.
While the threat of a cyber-attack may cause an emotional reaction that demands the United States should react in kind, the response is governed by the nature and severity of the attack and is subject to the constraints of treaty and international law. Schmitt's8 analysis of the legal framework in which the U.S. can retaliate concerns what is properly considered "force" in the United Nations Charter (UNC). Schmitt concludes that "the use of force must lie somewhere between economic coercion and the use of armed force."
Schmitt argues that the determination depends on the nature of the cyber-attack and its severity: "One might simply look no further than the severity of consequences." If the attack is on the lower end of the spectrum--inconvenience only, then it may be necessary to suffer the attack without response; if the attack is a serious threat to life or property or is designed to prepare the battlespace, then a response is justified under Article 51 of the UNC, "Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations."
Hayes and Wheatley believe that: "Information warfare attacks on the United States are presently deterred by the same policy that deters other types of attack. Acting under its rights as a sovereign state, the United States stands ready to respond to any attack on its interests with all appropriate means, including law enforcement as well as military capacity. If the U.S. can reasonably determine who may be about to launch IW attacks on U.S. interests, it can deploy deterrence "prevention or discouragement, by fear or doubt, from acting." Schmitt reasons for a measured response to IW attacks: "On the contrary, maintaining a relatively high threshold for triggering the right to respond to [Computer Network Attacks] in self-defense, although not enhancing its deterrent effect, serves to maintain constraints in the usually more disruptive act of unilateral resort to armed force."
Aldrich9 raises significant issues and offers additional analysis on the ramifications of an armed response in his article, "The International Legal Implications of Information Warfare," Aerospace Power Journal. Whether or not international clarification is enacted as Aldrich suggests, the U.S. military should, indeed, play the central role in the defense of the U.S. according to Hayes and Wheatley. If the attacks were of a grave enough nature, an invocation of the War Powers Resolution allows the use of U.S. military forces. The DoD is clearly attuned to the international legal ramifications of responding in kind to IW attacks; official doctrine for Information Operations tells the planners to consult DoD Counsel prior to conducting IO. The JP3 specifies, "The staff judge advocate should be an integral part of the planning and execution of such operations."
Conclusion
The daily existence we take for granted is underpinned by a technological infrastructure of huge complexity, with systematic dependencies among its components. The recent spate of cyber-attacks on elements of this infrastructure, such as the denial of service attacks on eBay and others, reminds us of how vulnerable we are. We were reminded of the intricacies of the infrastructure and its underlying computer structure during preparations for Y2K. Then, we were challenged by a possible collapse due to weaknesses from within; likewise we must remain ever vigilant to attacks from without. At the same time, we must remain watchful of the balance between the interests of national security, the free enterprise system and the civil liberties of individuals.
John Lever is the Chief Information Officer, Naval Oceanographic Office.
References
1. Aldrich. Lt Col. Richard W. "How Do You Know You Are at War in the Information Age? Houston Journal of International Law, Vol. 22, p. 223, 2000.
2. Coacher, Lt. Col. LeEllen. "Article: Permitting Systems Protection Monitoring: When the Government Can Look and What It Can See," The Air Force Law Review, Vol. 46, p. 55, 1999.
3. Gilman, Johnny. "Comment: Carnivore: The Uneasy Relationship Between the Fourth Amendment and Electronic Surveillance of Internet Communications," The Catholic University of America CommLaw Conspectus 111, 2001. (http://comlaw.cua.edu).
4. Skok, Gavin. "Establishing a Legitimate Expectation of Privacy in Clickstream Data," Michigan Telecommunication and Technology Law Review, Vol. 6, 1999/2000. (www.mttlr.org/volsix/skok.html)
5. BeVier, Lillian R. "Symposium, The Communications Assistance for Law Enforcement Act of 1994: A Surprising Sequel to the Break Up of AT&T," Vol. 51 Stanford Law Review, p. 1049, 1999.
6. Blackowicz, Jeremy. "E-Mail Disclosure to Third Parties in the Private Sector Workplace," Boston University Journal of Science and Technology Law, p. 80, 2001.
7. Hayes, Richard E. and Wheatley, Gary. "Information Warfare and Deterrence," National Defense University Strategic Forum, p. 87, 1996.
8. Schmitt, Michael N. "Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework," Vol. 37 Columbia Journal of Transnational Law, p.885, 1999.
9. Aldrich, Maj. Richard W. "The International Legal Implications of Information Warfare," Aerospace Power Journal, Vol. X, No. 3, Fall 1996, pp. 99-110. (www.airpower.maxwell.af.mil/airchronicles/apj/aldrich.pdf.)
Editor's Note: Mr. Lever used the Web site LexisNexisTM at www.lexis.com for the legal references in his original research paper, which he completed as an academic course assignment. Where possible, digital sources have been added to his original source information; and additional resources have been included for further research by the reader.