Viruses, IT Sabotage Now Sanctioned Cyber-Weapons

 

"We reserve the right to use all necessary means-diplomatic, informational, military, and economic-as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests," the policy said. Military force would be used only after all other options have been exhausted.

The Pentagon has also developed a list of cyber-weapons and tools, including viruses that can sabotage foreign critical infrastructure, that the United States can use "to deter or deny a potential adversary the ability to use its computer systems," an anonymous official recently told the Washington Post.

The techniques to launch a cyber-attack are similar to those of any other military operation, according to Dodd. Extensive reconnaissance, surveillance and research are required before launching a cyber-attack, he said. The executive orders apparently allow the military to transmit code to another country's network to test the route and make sure connections work, much like using satellites to take pictures of a location to scout out specific sites.

Elsewhere on Capitol Hill, government officials have been discussing how to protect critical infrastructure. The federal government is considering creating a separate Internet domain for private-sector critical infrastructure, one that would be subject to monitoring by the government for cyber-threats, Ari Schwartz, Internet policy adviser at the National Institute of Standards and Technology, said before a panel of the Senate Judiciary Crime and Terrorism subcommittee on June 21.

The panel's chairman, Sen. Sheldon Whitehouse, D-R.I., has long supported the creation of a .secure domain, arguing that the government would be able to closely monitor Internet traffic without violating the Fourth Amendment. "You just say, 'OK, look, if you want to go look at these electrical grid things, you've got to be aware that the government is going to be keeping an eye of what's going in and out of there to protect the electrical grid.' I don't think people mind that," Whitehouse said.

Attackers can easily "prove a point" by taking out critical infrastructure, Dodd said.

Whitehouse also said publicly traded companies should be required to disclose their cyber-security risks in Securities and Exchange Commission filings. There is no point in promoting cyber-security awareness if actual attacks are classified if they hit .gov and .mil domains and are treated as proprietary information when businesses are hit so as not to alarm customers, Whitehouse said, calling it a "real information deficit."