Yesterday, the Wall Street Journal broke news that the Pentagon decided that cyber attacks against the United States constitute an act of war and may be returned with the full force of the U.S. military. Today, we find out that responding to such attacks is really tricky, and the Pentagon's confused about how to play this 21st-century war game. Here are the stumbling blocks to having a coherent cyber security defense plan:
There are too many attacks to respond to "Every year, hackers steal enough data from U.S. government agencies, businesses and universities to fill the U.S. Library of Congress many times over," U.S. officials tell Reuters. The Department of Defense estimates that more than 100 foreign intelligence organizations have attempted to hack into U.S. networks. Surely the U.S. military is not going to respond militarily to each cyber attack. So the Pentagon's threat runs the risk of appearing empty.
It's difficult to know where the attack came from The Pentagon's 30-page document outlined in the the Journal yesterday will be made public soon, largely to serve as a deterrent to others entertaining the idea of striking the U.S. with a cyber attack. But that deterrent strategy might not work given the difficulty of knowing where the attacks originated, notes The New York Times. "During the cold war, deterrence worked because there was little doubt the Pentagon could quickly determine where an attack was coming from--and could counterattack a specific missile site or city," writes the paper. "In the case of a cyberattack, the origin of the attack is almost always unclear, as it was in 2010 when a sophisticated attack was made on Google and its computer servers. Eventually Google concluded that the attack came from China. But American officials never publicly identified the country where it originated, much less whether it was state sanctioned or the action of a group of hackers." A former Pentagon official tells the Times "One of the questions we have to ask is, How do we know we're at war? How do we know when it's a hacker and when it's the People's Liberation Army?”
What if other countries adopt our strategy? If regimes opposed to the U.S. also declare cyber attacks an act of war, it could put the U.S. in an uncomfortable situation, notes Foreign Policy's David Hoffman. "For argument's sake, let's take the new U.S. strategy that reserves the right to carry out military attacks on anyone who fools with our power grid or nuclear power plants. Let's assume that Iran adopts exactly the same strategy. What would we think if Iran decided to attack the United States--with a missile down a smokestack--in retaliation for Stuxnet?"
It's not clear if the CIA or the Department of Defense is in control Cyber-operations are marked by persistent disagreement over who should take action and under what conditions," reports The Washington Post. The paper details an interesting example surrounding the discovery of Al Qaeda's English-language magazine, Inspire, by the Department of Defense. "The head of the newly formed U.S. Cyber Command, Gen. Keith Alexander, argued that blocking the magazine was a legitimate counterterrorism target and would help protect U.S. troops overseas," reports the Post. "But the CIA pushed back, arguing that it would expose sources and methods and disrupt an important source of intelligence. The proposal also rekindled a long-standing interagency struggle over whether disrupting a terrorist Web site overseas was a traditional military activity or a covert activity--and hence the prerogative of the CIA."
The attacks can come from state and non-state actors Hoffman adds that "In the nuclear arms race, we knew a lot about our adversaries, if not everything. We set up early warning systems that could track a missile trajectory. We knew where the enemy silos were located. We established 'counterforce' targets that could hit those silos with great precision... The offensive cyber battlefield promises to be far more chaotic than in the nuclear arms race, with many smaller players and non-state actors." The New York Times quotes a source close to the administration who says "Almost everything we learned about deterrence during the nuclear standoffs with the Soviets in the '60s, '70s and '80s doesn't apply."