An excited outbreak of The Future this morning, as the New York Times reports that President Obama has the "broad power to order a preemptive strike if the United States detects credible evidence of a major digital attack looming from abroad," according to a secret review. According to the reporters' sources, the White House's review will provide secret guidelines that will allow U.S. agencies to "attack adversaries by injecting them with destructive code -- even is there is no declared war."
So it's all gone a bit cyberpunk on Capitol Hill. But while they're out buying mirrorshades, it's worth considering a couple of implications, and unanswered -- perhaps unanswerable -- questions. Because these guidelines, as reported, perhaps imply something a great deal more radical than they first suggest. And this is down to a failure, not of legal thinking, but of metaphor.
Cyber warfare is always compared with real warfare. We talk of invasions, where there is not physical entry, and we count individual attacks as if they are bombs, and not, as they are, automated programs. This leads to politicians with a point, and generals with a budget to justify, talking of, say, a Chinese invasion of hundreds of thousands of attacks an hour -- giving the image of legions of troops rolling across the border.
As so it is with these new guidelines. Just what does "evidence of a major digital attack looming" look like? There are no convoys to see from a spy plane, no fleet heading sailing towards Hawaii. Without an exact idea of what this evidence is, the guidelines seem to justify preemptive attacks against just about anyone at any time.
Which brings us to the second point. Against whom are these preemptive strikes allowed? Only nation states, or any organized foe? Could 2013 see the first war against an online collective, and does that spill out into actual kinetic warfare? Can the U.S., in short, shoot hackers?
If non-nation state actors are included -- and it's hard to see why they wouldn't be, given groups like al Qaeda -- then this raises a question about what a digital attack actually is. If we define war as an attempt to gain someone else's resources by force, then cyberwarfare looks like anything where a group forcibly changes the world's information flow to their own ends. Seen like this, the Libor fixing scandal is clearly an act of war. It is only called something else because it was perpetrated by a commercial entity. If it had been Iran fixing the Libor rate, and not Barclays Bank, we would have been at the UN Security Council within days. The clear and present danger of rogue bankers does seem a looming threat. Do these guidelines allow the U.S. intelligence agencies to preemptively hack foreign banks to protect their market interests? And if not, one might ask, why not?