Risk
5/31/2011
02:41 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

DOD Says Cyber Attacks May Mean War

The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to published reports.

>Slideshow: Next Generation Defense Technologies
Slideshow: Next Generation Defense Technologies
(click for larger image and for full slideshow)
Future computer attacks against the U.S. will risk the possibility of an armed response.

The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to The Wall Street Journal.

The Pentagon is expected to release unclassified portions of its Defense Strategy for Operating in Cyberspace later this month. According to The Wall Street Journal, the 12-page unclassified report--the classified report runs 30 pages--concludes that the Law of Armed Conflict--the sum total of various international treaties related to warfighting--applies to cyberspace as it does on the battlefield. This equivalency means that damaging acts may be met with a damaging response, regardless of whether the cause is truck bomb or a logic bomb.

A spokesperson for the Department of Defense declined to comment.

This marks a significant change in military thinking, at least in terms of formal doctrine--presumably a sufficiently damaging cyber attack would have provoked an armed response no matter how formal policies were worded. Back in 1997, a research paper by then Major Daniel M. Vadnais, concluded that, "The current body of international law seems to mitigate against including 'hacking' in the definition of 'armed force,' the standard necessary for unilateral military armed reprisal actions. In that case, unless the initial attack rises to the level that would permit some action by the 'victim' in self–defense, that nation is relegated to seeking action from the United Nations Security Council."

Times have changed since then. Though this paper was academic in nature and did not represent official doctrine, it nonetheless reflects an era before hacking had been demonstrated as an effective complement to, or alternative to, military action. Given the 2007 cyber attack on Estonia, the 2008 cyber attack on Georgia, and the 2010 Stuxnet attack on Iran's nuclear infrastructure, among other noteworthy cyber incidents, it has become clear that hacking can have as much consequence as a kinetic attack.

Such thinking is reflected in the Obama administration's International Strategy for Cyberspace, published two years ago. On page 14, it states, "When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country." The administration's policy also makes it clear that an armed response to a cyber attack would be a last resort, after diplomatic options have been exhausted.

For government officials, the challenge will be determining when an attack is significant enough to ready the missiles. In all likelihood, the low-level cyber attacks launched against U.S. infrastructure from various countries on a daily basis will continue, undeterred by the pugilistic policy to come.

At the 2011 RSA Conference in San Francisco in February, Deputy Secretary of Defense William Lynn III referred to the Defense Strategy for Operating in Cyberspace as "Cyber 3.0," and said the plan was in the process of being finalized. Rather than highlighting the possibility of a kinetic response to a virtual attack, Lynn stressed that U.S. cyber defense requires partnership and cooperation, because so much U.S. critical infrastructure is in private hands.

"In the cyber domain, soldiers are not the only ones on the front lines," he said.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.