Risk
5/31/2011
02:41 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

DOD Says Cyber Attacks May Mean War

The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to published reports.

>Slideshow: Next Generation Defense Technologies
Slideshow: Next Generation Defense Technologies
(click for larger image and for full slideshow)
Future computer attacks against the U.S. will risk the possibility of an armed response.

The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to The Wall Street Journal.

The Pentagon is expected to release unclassified portions of its Defense Strategy for Operating in Cyberspace later this month. According to The Wall Street Journal, the 12-page unclassified report--the classified report runs 30 pages--concludes that the Law of Armed Conflict--the sum total of various international treaties related to warfighting--applies to cyberspace as it does on the battlefield. This equivalency means that damaging acts may be met with a damaging response, regardless of whether the cause is truck bomb or a logic bomb.

A spokesperson for the Department of Defense declined to comment.

This marks a significant change in military thinking, at least in terms of formal doctrine--presumably a sufficiently damaging cyber attack would have provoked an armed response no matter how formal policies were worded. Back in 1997, a research paper by then Major Daniel M. Vadnais, concluded that, "The current body of international law seems to mitigate against including 'hacking' in the definition of 'armed force,' the standard necessary for unilateral military armed reprisal actions. In that case, unless the initial attack rises to the level that would permit some action by the 'victim' in self–defense, that nation is relegated to seeking action from the United Nations Security Council."

Times have changed since then. Though this paper was academic in nature and did not represent official doctrine, it nonetheless reflects an era before hacking had been demonstrated as an effective complement to, or alternative to, military action. Given the 2007 cyber attack on Estonia, the 2008 cyber attack on Georgia, and the 2010 Stuxnet attack on Iran's nuclear infrastructure, among other noteworthy cyber incidents, it has become clear that hacking can have as much consequence as a kinetic attack.

Such thinking is reflected in the Obama administration's International Strategy for Cyberspace, published two years ago. On page 14, it states, "When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country." The administration's policy also makes it clear that an armed response to a cyber attack would be a last resort, after diplomatic options have been exhausted.

For government officials, the challenge will be determining when an attack is significant enough to ready the missiles. In all likelihood, the low-level cyber attacks launched against U.S. infrastructure from various countries on a daily basis will continue, undeterred by the pugilistic policy to come.

At the 2011 RSA Conference in San Francisco in February, Deputy Secretary of Defense William Lynn III referred to the Defense Strategy for Operating in Cyberspace as "Cyber 3.0," and said the plan was in the process of being finalized. Rather than highlighting the possibility of a kinetic response to a virtual attack, Lynn stressed that U.S. cyber defense requires partnership and cooperation, because so much U.S. critical infrastructure is in private hands.

"In the cyber domain, soldiers are not the only ones on the front lines," he said.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.