Risk
5/31/2011
02:41 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

DOD Says Cyber Attacks May Mean War

The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to published reports.

>Slideshow: Next Generation Defense Technologies
Slideshow: Next Generation Defense Technologies
(click for larger image and for full slideshow)
Future computer attacks against the U.S. will risk the possibility of an armed response.

The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to The Wall Street Journal.

The Pentagon is expected to release unclassified portions of its Defense Strategy for Operating in Cyberspace later this month. According to The Wall Street Journal, the 12-page unclassified report--the classified report runs 30 pages--concludes that the Law of Armed Conflict--the sum total of various international treaties related to warfighting--applies to cyberspace as it does on the battlefield. This equivalency means that damaging acts may be met with a damaging response, regardless of whether the cause is truck bomb or a logic bomb.

A spokesperson for the Department of Defense declined to comment.

This marks a significant change in military thinking, at least in terms of formal doctrine--presumably a sufficiently damaging cyber attack would have provoked an armed response no matter how formal policies were worded. Back in 1997, a research paper by then Major Daniel M. Vadnais, concluded that, "The current body of international law seems to mitigate against including 'hacking' in the definition of 'armed force,' the standard necessary for unilateral military armed reprisal actions. In that case, unless the initial attack rises to the level that would permit some action by the 'victim' in self–defense, that nation is relegated to seeking action from the United Nations Security Council."

Times have changed since then. Though this paper was academic in nature and did not represent official doctrine, it nonetheless reflects an era before hacking had been demonstrated as an effective complement to, or alternative to, military action. Given the 2007 cyber attack on Estonia, the 2008 cyber attack on Georgia, and the 2010 Stuxnet attack on Iran's nuclear infrastructure, among other noteworthy cyber incidents, it has become clear that hacking can have as much consequence as a kinetic attack.

Such thinking is reflected in the Obama administration's International Strategy for Cyberspace, published two years ago. On page 14, it states, "When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country." The administration's policy also makes it clear that an armed response to a cyber attack would be a last resort, after diplomatic options have been exhausted.

For government officials, the challenge will be determining when an attack is significant enough to ready the missiles. In all likelihood, the low-level cyber attacks launched against U.S. infrastructure from various countries on a daily basis will continue, undeterred by the pugilistic policy to come.

At the 2011 RSA Conference in San Francisco in February, Deputy Secretary of Defense William Lynn III referred to the Defense Strategy for Operating in Cyberspace as "Cyber 3.0," and said the plan was in the process of being finalized. Rather than highlighting the possibility of a kinetic response to a virtual attack, Lynn stressed that U.S. cyber defense requires partnership and cooperation, because so much U.S. critical infrastructure is in private hands.

"In the cyber domain, soldiers are not the only ones on the front lines," he said.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.