Roger Hertog Program on Law and National Security | Columbia Law School
Bryan Cunningham
There is no consensus among government and private cyber-security experts about whether terrorists or hackers could launch a cyber-attack with such precision and power that it could bring down a regional electrical grid or disrupt the air traffic control system.
But even without a digital Pearl Harbor, “there is little dispute that cyber-warfare remains a serious threat, and one that government and industry must do more to combat, attorney Bryan Cunningham recently told participants in the Charles Fabrikant Colloquium in National Security Law and Policy at Columbia Law School. “The law should be evolving very rapidly in response to the changes in technology,” said Cunningham, a former C.I.A. officer and Deputy Legal Adviser at the National Security Council under Condoleezza Rice.
Cunningham helped draft key portions of the Homeland Security Act, and helped formulate the 2003 National Strategy to Secure Cyberspace. He said fighting cyber-warfare is especially difficult because of the often near-impossibility of ascertaining who is mounting the attacks and from where, and proving it in timely ways.
“Attribution is the most difficult” of many difficult problems with cyber-espionage and cyber-warfare, Cunningham said during a conversation with Associate Professor Matthew Waxman, who runs the colloquium. In a conventional war “most missiles come with a return address,” Cunningham said, adding that one of the most serious cyber-attacks on Pentagon computers was traced back to a computer in the Harvard University library, though the actual attack almost certainly originated elsewhere but made use of “zombie” techniques to take over the Harvard device.
While Cunningham worked in the White House in 2003, President Bush announced a new policy that could treat a cyber-attack as the equivalent of a military strike and reserved the right for the U.S. to respond through military means. The Obama Administration, Russia, and China have announced similar policies.
“It appears to be that countries are going to judge their right to respond based primarily on how bad the damage is,” and that they will not always limit their response to cyberspace, Cunningham said.
Perhaps the best-known cyber-attack to date on physical infrastructure – a capability many experts had once asserted was impossible -- has been the Stuxnet virus, a complex piece of malicious software that affected centrifuges at a uranium enrichment facility in Iran, which blamed the U.S. and Israel for the attack.
“No one has taken responsibility for it, but no one has denied that it happened either,” said Cunningham, now a principal at a suburban Denver law firm that advises clients on computer and Internet security issues.
While he noted that wide-scale attacks, such as one that could take over air traffic control systems, have not been proven to be feasible, Cunningham said authorities as well as the private sector need to be vigilant against attacks that are more subtle but just as pernicious, especially in the financial sector.
“Imagine if, once a month, at random times on random days,” financial institutions or markets “didn’t quite clear—there are a couple of thousand dollars of mistakes that are never reconciled,” Cunningham said. “That, I think, would shake investor confidence in a way that could really damage the system without doing physical damage. That is not hard. There are probably teenagers in the U.S. and elsewhere who could make that happen.”
The Charles Fabrikant Colloquium on National Security Law and Policy addresses contemporary national security issues, such as civilian versus military trials for terrorism suspects, oversight of covert CIA activities, electronic surveillance and foreign intelligence collection, and presidential versus congressional control of the armed forces.
The colloquium is part of the Roger Hertog Program on Law and National Security, which focuses on the role of domestic law in national security matters from the perspective of both lawyers and policymakers.