纽约时报：奥巴马将有网络武器权

图为奥巴马与布伦南

奥巴马将有网络武器权

DAVID E. SANGER,  THOM SHANKER 联合报道 2013年02月04日

华盛顿——有关部门对美国日渐庞大的网络武器进行了秘密法律审查，参与这一过程的几位官员表示，审查结果显示，奥巴马总统在这一领域拥有广泛权力，如果美国发现有可靠证据证明，该国即将遭到来自国外的重大网络袭击，总统就可以下令先发制人。

这是近几个月所做出的决定之一，美国政府将在未来几周内采取行动，争取使美国第一个关于在遭遇重大网络攻击时军队如何防卫或反击的规定得到通过。新政策还将对情报部门搜索远在他地的电脑系统以寻找攻击美国的迹象的相关工作做出规定。而且如果得到总统批准，即便两国尚未宣战，情报部门也可以通过植入毁灭性代码来攻击敌人。

这些规定将属于最高机密，就像那些绝对不向外界透露的无人机袭击规定一样。奥巴马的首席反恐顾问、中情局局长提名人约翰・O・布伦南(John O. Brennan)在政府制定无人机和网络战争政策方面扮演了主要角色，而这两者都是美国武器库中最新而且最具政治敏感性的武器。

目前，最新一场军备竞赛就发生在网络武器领域，而且这也可能是最复杂的一场军备竞赛。美国国防部新成立了一个网络战司令部(Cyber Command)，而网络战也是军费预算中少数几个预计将会出现增长的项目之一。官员称，经过十年发展的反恐政策对新的网络政策起到了指导作用，尤其是在界定军方和情报机构在部署网络武器的权力方面。这些官员要求匿名，因为他们没有获得公开置评的授权。

按照当前规定，在阿富汗等美国按照战争规则行事的国家，军方可以公开执行反恐任务。但情报机构有权下令在巴基斯坦和也门等尚未宣布为交战地带的地方进行秘密的无人机袭击和突击队袭击。相关结果已经引起了广泛抗议。

据已知信息显示，奥巴马只有一次曾批准使用网络武器，那是在他执政的早期，他当时下令对伊朗的铀浓缩设施发动一系列逐步升级的网络攻击。这次行动的代号为“奥运会”(Olympic Games)，它在乔治・W・布什总统(George W. Bush)任内由国防部开始实施，但很快就被美国最大的情报机构国家安全局(National Security Agency)接管，遵照总统命令执行秘密任务。

一位高级美国官员称，官员们很快决定，鉴于网络武器的巨大威力，发动网络攻击的命令只应该由总司令直接发布，这与核打击相似。

如果军方进行针对性很强的战术攻击，比如在对敌人发起常规打击时关闭防空系统，规定可能允许出现例外情况。

“在网络战中，总统以下级别人员做决定的情况非常非常少，”这名官员说。这就意味着，政府排除了“自动”进行报复的可能，即使发现美国的基础设施受到了网络攻击，哪怕病毒正在网上快速传播。

尽管这些规则已经酝酿了两年多，它们的出台正值美国的企业和关键基础设施受到的网络攻击大幅增加。美国国土安全部(Homeland Security Department)前不久宣布，美国一处发电站因遭遇网络攻击而瘫痪数周，但并未公布该发电站的名字。上周本报报道，本报遭到了源自中国的网络攻击，时间长达四个多月。《华尔街日报》和《华盛顿邮报》也报道说它们的系统遭到过类似的攻击。

“尽管所有这些描述采用的都是中性语言，比如我们该如何应对网络攻击，但其根本问题是，‘我们要如何应对中国？’”对外关系委员会(Council on Foreign Relations)高级研究员理查德・法尔肯罗特(Richard Falkenrath)说。“在这个问题上，两国向彼此发出了大量信号。”

在撰写新规则时，相关参与者对在网络战中先发制人可能引发的后果专门进行了详细分析。据参与其中的一名官员称，政府审查涉及的一个重要问题是，在制止网络攻击或对其进行报复时，如何定义“合理、适当的武力”。

伊朗多处设施曾遭到攻击，但美国从未承认是自己所为，在攻击期间，奥巴马坚称网络武器要缩小针对范围，以确保它们不会影响到医院或电力供应。奥巴马频频表示担忧，称美国对网络武器的使用可能会被其他国家当做攻击美国的理由。当网络武器从遭遇攻击的伊朗浓缩中心泄露出来时，美国的相关行动也就暴露了，此后，“震网”(Stuxnet)编码在网上被海量复制。

尽管国防部拥有的网络工具是最多的，但根据新的指导方针，在美国公司或个人遭遇普通网络攻击时，国防部不会参与防卫。在国内，这一责任落到了国土安全部身上，而对网络攻击或网络盗窃行为的调查则由美国联邦调查局(FBI)来进行。

在国内，如果没有总统的命令，军方不得展开行动，但如果美国国内遭到了大规模网络袭击，军方将会介入。

翻译：陈柳、陈亦亭

Broad Powers Seen for Obama in Cyberstrikes

By DAVID E. SANGER and THOM SHANKER February 04, 2013

WASHINGTON — A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review. 

That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation’s first rules for how the military can defend, or retaliate, against a major cyberattack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.

The rules will be highly classified, just as those governing drone strikes have been closely held. John O. Brennan, Mr. Obama’s chief counterterrorism adviser and his nominee to run the Central Intelligence Agency, played a central role in developing the administration’s policies regarding both drones and cyberwarfare, the two newest and most politically sensitive weapons in the American arsenal.  

Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow. Officials said that the new cyberpolicies had been guided by a decade of evolution in counterterrorism policy, particularly on the division of authority between the military and the intelligence agencies in deploying cyberweapons. Officials spoke on condition of anonymity because they were not authorized to talk on the record.

Under current rules, the military can openly carry out counterterrorism missions in nations where the United States operates under the rules of war, like Afghanistan. But the intelligence agencies have the authority to carry out clandestine drone strikes and commando raids in places like Pakistan and Yemen, which are not declared war zones. The results have provoked wide protests.

Mr. Obama is known to have approved the use of cyberweapons only once, early in his presidency, when he ordered an escalating series of cyberattacks against Iran’s nuclear enrichment facilities. The operation was code-named Olympic Games, and while it began inside the Pentagon under President George W. Bush, it was quickly taken over by the National Security Agency, the largest of the intelligence agencies, under the president’s authority to conduct covert action.

One senior American official said that officials quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief. 

A possible exception would be in cases of narrowly targeted tactical strikes by the military, like turning off an air defense system during a conventional strike against an adversary.

“There are very, very few instances in cyberoperations in which the decision will be made at a level below the president,” the official said. That means the administration has ruled out the use of “automatic” retaliation if a cyberattack on America’s infrastructure is detected, even if the virus is traveling at network speeds.

 While the rules have been in development for more than two years, they are coming out at a time of greatly increased cyberattacks on American companies and critical infrastructure. The Department of Homeland Security recently announced that an American power station, which it did not name, was crippled for weeks by cyberattacks.The New York Times reported last week that it had been struck, for more than four months, by a cyberattack emanating from China. The Wall Street Journal and The Washington Post have reported similar attacks on their systems.

 “While this is all described in neutral terms — what are we going to do about cyberattacks — the underlying question is, ‘What are we going to do about China?’ ” said Richard Falkenrath, a senior fellow at the Council on Foreign Relations. “There’s a lot of signaling going on between the two countries on this subject.”

The implications of pre-emption in cyberwar were specifically analyzed at length in writing the new rules. One major issue involved in the administration’s review, according to one official involved, was defining “what constitutes reasonable and proportionate force” in halting or retaliating against a cyberattack.

During the attacks on Iran’s facilities, which the United States never acknowledged, Mr. Obama insisted that cyberweapons be targeted narrowly, so that they did not affect hospitals or power supplies. Mr. Obama frequently voiced concerns that America’s use of cyberweapons could be used by others as justification for attacks on the United States. The American effort was exposed when the cyberweapon leaked out of the Iranian enrichment center that was attacked, and the “Stuxnet” code replicated millions of times on the Internet. 

 Under the new guidelines, the Pentagon would not be involved in defending against ordinary cyberattacks on American companies or individuals, even though it has the largest array of cybertools. Domestically, that responsibility falls to the Department of Homeland Security, and investigations of cyberattacks or theft are carried out by the F.B.I. 

But the military, barred from actions within the United States without a presidential order, would become involved in cases of a major cyberattack within the United States.