Risk
5/31/2011
02:41 PM

DOD Says Cyber Attacks May Mean War

The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to published reports.

Future computer attacks against the U.S. will risk the possibility of an armed response.

The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to The Wall Street Journal.

The Pentagon is expected to release unclassified portions of its Defense Strategy for Operating in Cyberspace later this month. According to The Wall Street Journal, the 12-page unclassified report--the classified report runs 30 pages--concludes that the Law of Armed Conflict--the sum total of various international treaties related to warfighting--applies to cyberspace as it does on the battlefield. This equivalency means that damaging acts may be met with a damaging response, regardless of whether the cause is a truck bomb or a logic bomb.

A spokesperson for the Department of Defense declined to comment.

This marks a significant change in military thinking, at least in terms of formal doctrine--presumably a sufficiently damaging cyber attack would have provoked an armed response no matter how formal policies were worded. Back in 1997, a research paper by then-Major Daniel M. Vadnais concluded that "The current body of international law seems to mitigate against including 'hacking' in the definition of 'armed force,' the standard necessary for unilateral military armed reprisal actions. In that case, unless the initial attack rises to the level that would permit some action by the 'victim' in self-defense, that nation is relegated to seeking action from the United Nations Security Council."

Times have changed since then. Though this paper was academic in nature and did not represent official doctrine, it nonetheless reflects an era before hacking had been demonstrated as an effective complement to, or alternative to, military action. Given the 2007 cyber attack on Estonia, the 2008 cyber attack on Georgia, and the 2010 Stuxnet attack on Iran's nuclear infrastructure, among other noteworthy cyber incidents, it has become clear that hacking can have as much consequence as a kinetic attack.

Such thinking is reflected in the Obama administration's International Strategy for Cyberspace, published two years ago. On page 14, it states, "When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country." The administration's policy also makes it clear that an armed response to a cyber attack would be a last resort, after diplomatic options have been exhausted.

For government officials, the challenge will be determining when an attack is significant enough to ready the missiles. In all likelihood, the low-level cyber attacks launched against U.S. infrastructure from various countries on a daily basis will continue, undeterred by the pugilistic policy to come.

At the 2011 RSA Conference in San Francisco in February, Deputy Secretary of Defense William Lynn III referred to the Defense Strategy for Operating in Cyberspace as "Cyber 3.0," and said the plan was in the process of being finalized. Rather than highlighting the possibility of a kinetic response to a virtual attack, Lynn stressed that U.S. cyber defense requires partnership and cooperation, because so much U.S. critical infrastructure is in private hands.

"In the cyber domain, soldiers are not the only ones on the front lines," he said.
