Home / Blogs

Networks and Nationalization

Susan Brenner

This post isn't about — or isn't only about — the use of computer technology to commit crimes. It's more about the use of computer technology to commit war.

A few weeks ago, I was part of a conversation about the legal issues cyberwarfare raises. We were talking about various scenarios — e.g., a hostile nation-state uses cyberspace to attack the U.S. infrastructure by crippling or shutting down a power grid, air traffic control systems, financial system, etc.

Mostly, we were focusing on issues that went to the laws of war, such as how and when a nation-state that is the target of a cyberattack can determine the attack is war, rather than cybercrime or cyberterrorism. (As I noted in an earlier post, the distinction between the threats lies in the nature of the attacker: Cybercrime and cyberterrorism are carried out by civilians, while war is carried out exclusively by nation-states. For the purposes of the analysis in this post, I'm going to assume that war is the exclusive province of nation-states; in other words, I'm not going to consider scenarios in which civilians who are not affiliated with a nation-state launch what is, in effect, cyberwarfare.)

More precisely, we were discussing how a country that is under cyberattack — like the attacks that recently targeted U.S. sites or the ones that targeted Estonia in the 2007 — decides if it it is authorized to retaliate against the attacker (assuming it can identify the attacking nation-state with enough precision to justify launching a counterattack.) We were, in other words, focusing on the "Pearl Harbor moment," i.e., the point at which a nation-state can justifiably conclude it is the target of state-initiated cyberwarfare.

As we discussed those issues, someone raised a very interesting point, one that had never occurred to me. He pointed out that the signals used to launch the initial attacks and the signals that would be used to launch counterattacks would travel primarily, if not exclusively, over civilian-owned and — operated networks. He asked what would happen if the companies that operate the networks that constitute the Internet refused to carry the signals that would deliver the cyber-counterattack (and, I assume, any subsequent attacks by either side to this almost-war). I don't think any of us had a clue.

I still don't . . . but I thought I'd use this post to raise the issue and throw out a few ideas as to how it MIGHT be resolved. As I analyze the issues, I'm making two assumptions, both of which I think are accurate: One is that a cyberwarfare attack would necessarily travel primarily, if not exclusively, over civilian networks; the other is that the operators of those networks can, at least at some point, identify traffic as "war" traffic, as opposed to the "not-war" traffic they usually carry.

If those assumptions are, in fact, valid, then it seems the civilians who own and operate the constituent networks that create the Internet can, in effect, exercise a veto over cyberwarfare . . . or at least aspects of cyberwarfare. In the scenario that was implicit in the discussion I noted above, the operators of civilian networks could exercise their veto to prevent the attacked state from launching retaliatory cyberattacks and, I assume, to stop the attacking state from launching further offensive cyberattacks. In this scenario, the network operators are essentially neutral. They probably don't have to be, which means there's another, more unsettling scenario: The civilians who operate the networks could choose sides; so they might allow the signals being used in the attacking state's cyberattacks and prevent the defending state from launching its own counterattacks.

I, however, want to focus on the general issue: In the cyberwarfare context, it seems civilians have the capacity to control the battlefield or, perhaps more accurately, to control whether there will be a battlefield. I can't think of any historical instances in which civilians had the ability to exercise a veto power over nation-states' ability to carry out acts of war.

When the gentleman raised the issue of network operators' deciding not to facilitate cyberwarfare, the first thing I thought of was nationalization, as in nationalizing the networks. That led me to think about whether the U.S. government has ever had to do anything similar . . . and that led me to the United States Railroad Administration. As you may know (I didn't), President Wilson nationalized the railroads in 1917, after we declared war on Germany:

By proclamation dated December 26, 1917, the President of the United States, acting under the powers conferred on him by the Constitution and laws of the United States, by joint resolution of the Senate and House of Representatives, bearing dates of April 6 and December 7, 1917, . . . (said resolutions being respectively the resolutions declaring that a state of war existed between the United States and Germany, and between the United States and Austria-Hungary), and particularly under the powers conferred by section (1) of the act of Congress approved August 29, 1916, entitled 'An Act Making appropriations for the support of the Army for the fiscal year ending June thirtieth, nineteen hundred and seventeen, and for other purposes,' took . , , assumed control . . . as of December 31, 1917, of . . . railroads. . . .The principal railroads in the United States were so taken over, and a central and administrative board was. . .set up and known as the United States Railroad Administration, at the head of which was an officer appointed by the President, and known as the Director General of Railroads.

Chicago & North Western Railway Co. v. Commissioner of Internal Revenue, 22 B.T.A. 1407, 1931 WL 473 (U.S. Board of Tax Appeals 1931).

As Wikipedia explains, once the U.S. entered World War I in April, 1917, "the nation's railroads proved inadequate to the task of serving the nation's war efforts." Many of the companies were in bankruptcy, others were suffering financial difficulties because of the inflation that had "struck the American economy", the unions were threatening to strike and despite the railroad companies attempt to "join forces and coordinate their efforts [to] help the war effort", they failed. Wikipedia, supra.

In December 1917, the Interstate Commerce Commission "recommended federal control of the railroad industry" to improve its effectiveness and the President nationalized the railroads later that month. On March 21, 1918, the Railway Administration Act went into effect; among other things, it "guaranteed the return of the railroads to their former owners with 21 months of a peace treaty". Wikipedia, supra. On March 1, 1920, the "railroads were handed back to their original owners and the" United States Railroad Administration was shut down. Wikipedia, supra.

There is, then, U.S. precedent for taking over companies that provide services which constitute part of what we now call the country's critical infrastructure. Since no one seems to have challenged President Wilson's nationalizing the railroads, the Act that authorized his doing so is (was) at least presumptively valid. My point is that what President Wilson did with the railroads COULD provide a precedent for a contemporary President's nationalizing the networks that constitute, or contribute to the constitution of, the Internet. In this post, I'm not concerned with how viable it would be to do that in practice; I'm simply focusing on the legal issues that might be involved in an effort to do that, assuming it was practicable.

As Devil's advocate, I see certain differences between President Wilson's nationalizing the railroads and the hypothetical scenario in which a contemporary President somehow manages to nationalize the networks that create and sustain cyberspace. One lies in the justification for nationalization: President Wilson nationalized the railroads to improve their performance as a coordinated transportation system, the benefits of which would accrues to civilians as well as to the military; if a modern President nationalized the networks under the scenario(s) I outlined above, he/she would be nationalizing them to alter their performance, to shift their function from serving purely civilian ends to serving civilian and military ends.

In other words, I see nationalizing the networks as having a much more dramatic effect on the functioning of the networks than I suspect President Wilson's nationalizing the railroads did on the functioning of the railroads. Nationalizing the railroads was intended to improve their ability to efficiently transport military personnel and equipment within the territorial United States. Nationalizing the railroads in no way altered their function so that they became, at least to some extent, an implement of war. Their role was simply to support the military by transporting the men and material it needed to wage war outside the territorial boundaries of the United States.

That brings me to another, related difference I see between the railroad and network nationalization scenarios: Nationalizing the railroads did not transform them from purely civilian entities into civilian/military entities. Nationalizing the networks would, I think, transform them into civilian/military entities or even into a component of the military. It seems to me that nationalizing the networks so they can carry defensive and offensive cyberwarfare traffic is analogous to nationalizing the airlines so Boeing 777s and 747s can drop bombs on the enemy.

I'm not saying nationalizing of the networks isn't an option under the law, as it exists now or as it could exist. As far as law is concerned, I think nationalization of the networks clearly is an option. At this point, though, I'm not convinced it's a practicable option nor am I convinced it would be a particularly advisable one.

But, as always, I could be wrong. I've just started thinking about these issues, so I may change my mind as I get further into them.

By Susan Brenner, Professor of Law and Technology. More blog posts from Susan Brenner can also be read here.

Related topics: Access Providers, Cyberattack, Internet Governance, Policy & Regulation, Security, Telecom

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Susan, there are countries that very recently clawed themselves out of a nationalized network .. Suresh Ramasubramanian  –  Jul 21, 2009 7:41 AM PDT

.. with a monopoly telecom operator. And expensive, highly restricted bandwidth.

I come from just such a country, myself. 

And the "before" and "after" are as easily distinguishable as those old charles atlas ads about the bully kicking sand in the 90 pound shrimp's face.

Things that are nationalized - even in what gets characterized as an emergency - have a way of staying nationalized.

While I'm all for effective public private partnership and engagement - in fact I wrote an ITU paper on botnet mitigation that goes into some detail on this - I'd certainly be very surprised if that was even remotely achieved by nationalization.

Civilians already control the cyber battlefield to Dan Campbell  –  Jul 21, 2009 10:54 AM PDT

Civilians already control the cyber battlefield to a large extent.  Service providers often respond to attacks generated by, targeted for or traversing within their networks.  They have IDS that may identify the attack traffic to which they may take action, or they may respond to customer calls or even calls from other ISPs and, if they decide to, invoke some sort of response such as blackholing, throttling or filtering such traffic.  At a minimum they have a desire to protect their own investment if not their direct customers from being affected, e.g., if the cyber response is a massive DOS attack targeted at the source, the ISP may see a duty to mitigate it somehow, at least in how it serves their own interests if not the general well being of the Internet, which is the case sometimes as well.  Whether or not a Government can legally take that over and invoke their own policies – assuming it can even be done in any practical way given the different policies and technologies that independent service providers implement in their networks – is another matter.

Also, although you caveat the post with the assumption that the attacking nation-state can be “identified with enough precision to justify launching a counterattack”, it would be good to debate this.  How often would you really be able to figure that out conclusively, e.g., how often would the attacks not come from systems outside the country that the attacker is actually from, and how often could you pinpoint the real source?  You wouldn’t necessarily want to target the actual source of the attack.  For a more extreme example and to use the examples you use, what if the computer systems within an air traffic control system (FAA, airport, etc.) were compromised and used to attack the computer systems within the power grid / company of the same country?  With Pearl Harbor, we could see the planes.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Neustar to Launch usTLD Stakeholder Council

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Sophia Bekele Weighs in on Obama's August US-Africa Leader Summit at the NYF Africa

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

DotConnectAfrica's Expert Selected to Attend the Hague Institute of Global Justice

DotConnectAfrica Delegates Attend the KHRC Internet & Human Rights Breakfast Roundtable in Nairobi

Smokescreening: Data Theft Makes DDoS More Dangerous

Internet Business Council for Africa Participates at the EU-Africa 2014 Business Forum, Brussels

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

DotConnectAfrica Statement Regarding NTIA's Intent to Transition Key Internet Domain Name Function

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Sponsored Topics