It is official. The United States military has explicitly stated that it has the right to retaliate with military force against a cyber-attack.
In a 12-page report sent to Congress and made public Nov. 21, the Department of Defense said the military can launch a physical attack in the case of a cyber-attack against its systems. The threat of military action would act as a deterrent to people who think they can carry out “significant cyber-attacks directed against the U.S. economy, government or military,” the Pentagon wrote in the report, which appears to be an update to the cyber-strategy plan released over the summer.
The president would be in charge of authorizing these attacks, which are approved only to defend computer networks in “areas of hostilities” or actual battle zones, such as Afghanistan. While the report talked about the necessity of securing critical infrastructure, it said the Pentagon would work with the Department of Homeland Security, which has oversight of this sector. It does not appear from the report that attacks on critical infrastructure by themselves could automatically lead to military action.
“When warranted, we will respond to hostile attacks in cyber-space as we would do to any other threat to our country,” according to the report, which the Pentagon is mandated to complete under the 2011 Defense Authorization Act.
The Defense Department operates a massive network environment, with more than 15,000 computer networks consisting of seven million computers scattered around the world, Army Gen. Keith Alexander, head of the National Security Agency (NSA) and commander of U.S. Cyber Command, told eWEEK recently. Defense officials have stated in the past that the networks are probed millions of times a day in attempts to find and extract data. One defense company lost more than 24,000 files as part of a network breach in March.
The report “reserves the right to defend, not just the nation, but various other related interests as well,” said Cameron Camp, a security researcher at ESET, noting that the policy would cover the use of proxy force so long as it can be considered as being in “our interests.”
The United States will conduct a military strike only when all other options have been exhausted and only when the risks of not doing anything outweigh the risks of acting, the report said. The cyber-operations will still follow the same rules of armed conflict the Defense Department follows for “kinetic” warfare on the ground, according to the Pentagon.
Pentagon Confirms Military Action Is an Acceptable Response to Cyber-Attacks
Identifying the True Cyber-Attackers Remains a Challenge
The Pentagon’s team of cyber-security experts is developing defenses that would block adversaries from breaching networks and make attackers pay a price for attacking the network, the report said. In addition to these “deny objectives,” the DoD will maintain, and further develop, “the ability to respond militarily in cyber-space and other domains” if the defenses are not adequate, the report said.
The report said “all necessary means” could include various electronic attacks or more conventional military tactics. However, the report did not provide any details about the kind of attacks that would qualify for physical retaliation.
The challenge facing the United States military is to be able to definitively identify the perpetrators. Before launching a military strike, the army needs to improve its identification capabilities, the report said. The Pentagon is supporting research focused on tracing the physical source of an attack and developing behavior-based algorithms that can identify individuals as potential attackers, according to the report.
The use of network proxies and chaining them together would allow attackers to hide their tracks and lead investigators on “wild goose chases that could span the globe,” ESET’s Camp said. Being able to assign attribution with the “degree of certainty” necessary to support military action would be a “tough test,” he said. Improving the attribution capability is “easier said than done,” according to Camp.
“If a bad actor is bent on causing larger nations to clobber each other (regardless of reason), this would seem to be a low-hanging fruit of the network underworld,” Camp wrote.
China is often blamed for cyber-attacks. While some of the attacks are launched by Chinese criminals, there are also accusations that the Chinese government or military is backing some of the attacks on the United States. Richard Clarke, former cyber-security czar for President George W. Bush, pulled no punches in a recent speech in Washington, D.C., where he explicitly called out China for conducting cyber-espionage against U.S. companies to benefit its own economic interests.
The Office of the National Counterintelligence Executive, a U.S. intelligence arm, said in a report to Congress last month that China and Russia are using cyber-espionage to steal U.S. trade and technology secrets and that they will remain “aggressive” in these efforts.
This kind of aggressive stance may have a “me-too” effect on other nations, Camp said. “One can only wonder if this will usher in a fresh new arms race, this time not governed by the amount of missiles, tanks, ships and planes, but by networks, hackers, bandwidth and street smart young kids to run the whole thing,” he wrote.