When The Wall Street Journal broke the news last month that the U.S. would, for the first time, be classifying cyber attacks as an act of war, the report constituted one of the first leaks from the Pentagon's two-year effort to develop a formal cyber strategy, as it contends with the growing threat of hackers sabotaging U.S. subways, electrical grids, financial systems, and nuclear reactors. Today, the Associated Press takes the baton, outlining what it's learned from U.S. officials about the rules that will govern America's cyber warfare. Here are the three key guidelines:

  • Peacetime Espionage: The military will be able to send non-malicious computer code to "another country's network to test the route and make sure connections work--much like using satellites to take pictures of a location to scout out missile sites or other military capabilities," the AP writes. But things could change on a dime if the U.S. gets involved in a conflict with the other country. The formerly "passive" code could provide a path for an offensive cyber attack if the president approves of the measure.
  • Wartime Retaliation: If the U.S. comes under attack, the AP explains, it can "defend itself by blocking cyber intrusions and taking down servers in another country. And, as in cases of mortar or missile attacks, the U.S. has the right to pursue attackers across national boundaries--even if those are virtual network lines."
  • Neutral Countries: While "hackers routinely route their attacks through networks of innocent computers that could be anywhere," the AP notes, the new guidelines would not permit the U.S. to "deliberately route a cyberattack through another country if that nation has not given permission--much like U.S. fighter jets need permission to fly through another nation's airspace."

These rules of the road notwithstanding, the Government Accountability Office, in a report on Monday, claimed the Defense Department hasn't done enough to define what its new Cyber Command is supposed to do. For example, the report asked, to what extent can civilian employees at the Pentagon take part in offensive military cyber assaults? Until the next round of leaks, we'll leave that question unanswered.