The Pentagon's forthcoming cyber strategy will formalize the possibility of a physical response to a virtual attack, according to The Wall Street Journal.
The Pentagon is expected to release unclassified portions of its Defense Strategy for Operating in Cyberspace later this month. According to The Wall Street Journal, the 12-page unclassified report--the classified report runs 30 pages--concludes that the Law of Armed Conflict--the sum total of various international treaties related to warfighting--applies to cyberspace as it does on the battlefield. This equivalency means that damaging acts may be met with a damaging response, regardless of whether the cause is truck bomb or a logic bomb.
A spokesperson for the Department of Defense declined to comment.
This marks a significant change in military thinking, at least in terms of formal doctrine--presumably a sufficiently damaging cyber attack would have provoked an armed response no matter how formal policies were worded. Back in 1997, a research paper by then Major Daniel M. Vadnais, concluded that, "The current body of international law seems to mitigate against including 'hacking' in the definition of 'armed force,' the standard necessary for unilateral military armed reprisal actions. In that case, unless the initial attack rises to the level that would permit some action by the 'victim' in self–defense, that nation is relegated to seeking action from the United Nations Security Council."
Times have changed since then. Though this paper was academic in nature and did not represent official doctrine, it nonetheless reflects an era before hacking had been demonstrated as an effective complement to, or alternative to, military action. Given the 2007 cyber attack on Estonia, the 2008 cyber attack on Georgia, and the 2010 Stuxnet attack on Iran's nuclear infrastructure, among other noteworthy cyber incidents, it has become clear that hacking can have as much consequence as a kinetic attack.
Such thinking is reflected in the Obama administration's International Strategy for Cyberspace, published two years ago. On page 14, it states, "When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country." The administration's policy also makes it clear that an armed response to a cyber attack would be a last resort, after diplomatic options have been exhausted.
For government officials, the challenge will be determining when an attack is significant enough to ready the missiles. In all likelihood, the low-level cyber attacks launched against U.S. infrastructure from various countries on a daily basis will continue, undeterred by the pugilistic policy to come.
At the 2011 RSA Conference in San Francisco in February, Deputy Secretary of Defense William Lynn III referred to the Defense Strategy for Operating in Cyberspace as "Cyber 3.0," and said the plan was in the process of being finalized. Rather than highlighting the possibility of a kinetic response to a virtual attack, Lynn stressed that U.S. cyber defense requires partnership and cooperation, because so much U.S. critical infrastructure is in private hands.
"In the cyber domain, soldiers are not the only ones on the front lines," he said.
In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).