A US cyberwar doctrine? Pentagon document seen as first step, and a warning.
A yet-to-be-released Pentagon document on cyberwar reportedly lays out when the US would respond with conventional force to a cyberattack: when infrastructure or military readiness is damaged.
A map is displayed on one of the screens at the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado July 20, 2010. A yet-to-be-seen Pentagon document on cyberwar is expected to outline when the US will respond to cyberattacks.
Rick Wilking/Reuters
Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an 鈥渁ct of war,鈥 according to new Defense Department cyberwarfare policies that have yet to be officially unveiled.
A not-yet-released Pentagon document outlining US military cyberwarfare doctrine cites the example of cybersabotage 鈥 the use of a malicious computer program to attack US infrastructure or military systems 鈥 which could under new policy guidelines elicit a response of American bombs and bullets, according to a Wall Street Journal article Tuesday that revealed the existence of the document.
The document, which reportedly includes an unclassified as well as a secret portion, is described as partly policy document 鈥 and partly a warning to any future adversaries to step gingerly 鈥 or else. It discusses the idea of 鈥渆quivalence鈥 鈥 a military concept whose premise is that if a cyberattack causes destruction and death or significant disruption, then the 鈥渦se of force鈥 in response should be considered, the Journal reported.
If the new Pentagon document does indeed lay out what the United States considers an 鈥渁ttack鈥 worthy of a military response to be, it would be a key move toward a far more coherent policy on responding to cyberattacks, experts say.
鈥淭here is value in the US drawing a line and saying 鈥 鈥楬ey, this really important, so if you mess with us in this area, we're going to take it seriously,鈥 鈥 says Dan Kuehl, a cyberwarfare expert and professor at National Defense University.
鈥淭he US has had a longstanding policy, that we're not just going to respond to cyberattacks with cyber,鈥 a former US national security official said in an interview earlier this year. 鈥淚f somebody really cripples the US electric grid, a nuclear power plant, or starts to kill people with cyberattacks we鈥檙e going to retaliate.鈥
Still, for at least 15 years, the US military has been wrestling with how to categorize cyberattacks against US systems 鈥 and whether or how they might fit within the international Law of Armed Combat, Dr. Kuehl says. How much damage does a cyberattack have to do to warrant a military response? Would the US retaliate even if it wasn't 100 percent sure about the source of the computer-based attack? If it can't be sure, is retaliation possible or ethical?
The document, as reported, seems to concur that cyberattacks against the US 鈥 and potentially those cyberattacks by the US itself 鈥 fit squarely under the umbrella of that international law, which governs the proportionality of any military response.
'Important first step'
Still, because the document has yet to be released, it鈥檚 not clear yet whether it will have the president鈥檚 stamp and the force that entails 鈥 or whether it will have only the limited force that other defense documents laying out cyberwar policy have had thus far.
鈥淚f this turns out to be a national policy rather than just a Department of Defense document, then I think it would be an important first step,鈥 says Michael Vatis, a partner at the New York law firm Steptoe & Johnson. He served on a National Research Council committee that produced a seminal 2009 study on the legal and ethical issues surrounding US use of cyberweapons. 鈥淭he document, as it has been reported, suggests an advance or maturation in government thinking,鈥 he says.
With America's military, government, and corporate networks under constant assault from hackers, computer viruses and other malicious software, the question of just what constitutes a cyberattack worthy of a full-throated US military response has been a growing question mark 鈥 and a gap in US war doctrine, cyberwar experts say.
The attack on Lockheed Martin this past week probably would not qualify as a 鈥渃yberattack鈥 under previous cyberwar doctrine. But any attempt by an adversary to slow down deployment of a carrier battle group probably would be an act of war.
Any new policy will have to guide the actions of the US, as the world鈥檚 leading cyber superpower, as well. Several experts believe Israel and the US may well have worked together to deploy Stuxnet 鈥 the world鈥檚 first confirmed cyberweapon 鈥 against Iran鈥檚 nuclear fuel enrichment facility at Natanz. If the US was involved in Stuxnet, was that an act of war 鈥 or simply enforcing international sanctions?
鈥淭here has been no clear boundary there in cyber,鈥 the former US national security official says. 鈥淵ou lay out frameworks for thinking about whether a certain set of activities are an act of war 鈥 but determining something is an act of war is a political decision. It鈥檚 not something you write into statute.鈥
The benefit of vague definitions
In fact, it鈥檚 best that any document purporting to lay out what the US considers to be a cyberattack be left somewhat fuzzy 鈥 in order to keep potential attackers off guard, and to leave the president and his generals with an array of options. Otherwise, an attacker could simply walk up to the line 鈥 and back off 鈥 exploiting US definitions.
鈥淵ou shouldn't draw white lines in advance,鈥 the former national security official says. 鈥淭here鈥檚 a body of literature that would say keep it vague. Still, it鈥檚 increasingly clear, that if something happens in cyberspace, if it鈥檚 significant enough, we鈥檒l use the full range of national means available to punish or address the situation.鈥
Of course, the question of 鈥渨ho did it鈥 still remains. Attributing a cyberattack can be fiendishly difficult given the Internet鈥檚 ability to cloak attacks, with commands going through computers in many countries. Who does the US retaliate against if an attack comes from a computer in New Orleans or New York?
For that reason, the US has been working flat out on the attribution problem. It also created a new Cyber Command in 2010 to defend the nation and conduct offensive cyberattacks. In the meantime, military theoreticians have been busily churning out documents with titles like: 鈥淒efending a New Domain: The Pentagon's Cyberstrategy鈥 or 鈥淲arfare by Internet: the logic of strategic deterrence, defense and attack.鈥
'It's 1946 in cyber'
But the pressure to come to terms with the difficulty of doing battle and defending cyberspace important to the US continues to grow. Consulting groups, academics and others have formed organizations and are now churning out papers exploring the intellectual underpinning of cyberwar doctrine.
鈥淗ere's the problem 鈥 it's 1946 in cyber,鈥 James Mulvenon, a founding member of the Cyber Conflict Studies Association, a nonprofit group in Washington said in an interview earlier this year. Not unlike the dawning nuclear era after World War II, 鈥渨e have these potent new weapons, but we don鈥檛 have all the conceptual and doctrinal thinking that supports those weapons or any kind of deterrence.鈥
Even if that overarching problem is not going to be solved by the Pentagon cyberwarfare document when it is unveiled, it still could be a 鈥済ood first step,鈥 says Mr. Vatis. Others agree its high time the US put the world on notice on at least some aspects of what will and won鈥檛 be tolerated in cyberspace.
鈥淲hat makes this important is that everyday that goes by more and more of what our society, economy, and military depends upon to make the system work happens in cyberspace,鈥 Kuehl says. 鈥淪ome lines in the sand need to be laid down.鈥