landmark decision the Pentagon, central
command for the U.S. Armed Forces, reportedly has ruled that cyber attacks can
constitute an act of war. In an era where foreign powers are increasingly flexing their cyber-muscle, the decision could
dramatically affect world diplomacy and raise some serious questions.
I. Cyber Attack - War?
These days your power, water, natural gas are all tied to the internet.
The U.S. Military is highly dependent on the internet for communications,
as is the federal government. If someone cut the U.S. access to the web
the nation could see a massive communications blackout. Worse, if the
attacker sabotaged critical networks and/or spread misinformation via internet
connections, the nation could essentially be crippled.
In short, the internet offers a sophisticated attacker the means to cripple the
U.S., drastically reducing its ability to defend itself against threats.
Of course the U.S. is not going to sit idly by while its networks are under
attack. But in an era in which tech savvy powers like Russia and,
particularly, China regular probe and/or attack U.S. government networks, the
risk of a full fledged cyber assault becomes a very grave one.
In his seminal 1984 cyberpunk novel Neuromancer, William
Gibson envisioned a world at war, in which internet offensives were used as
preludes to physical attack. Today that possibility seems prescient.
II. Pentagon Publishes Cyber Strategy
In the face of a new frontier of warfare, the Pentagon has completed its first
formal cyber strategy. The report will be made public next month with
classified portions redacted.
The new strategy will explore alarming scenarios like how the Armed Forces
would respond to a cyber attack on U.S. nuclear reactors, subways or pipelines.
The Wall Street Journal has already leaked the
report's most serious conclusion -- cyber attacks can now be considered an act
of war. Unnamed Pentagon officials are cited as saying that the new
policy is meant as a warning for foreign adversaries who might consider
attacking the U.S.
Comments one anonymous military official, "If you shut down our power
grid, maybe we will put a missile down one of your smokestacks."
III. Crafted in Fire: How World Events Shaped Document
Recent events compelled the Pentagon to begin work on the policy last year.
One of the highest profile catalysts include the massive loss of military and state department data to Wikileaks,
which is suspected to have been executed by a young
U.S. Army Specialist, Bradley Manning.
But Mr. Manning's breach arguably wasn't even the most compelling one. A 2008 infection across U.S. Military systems in Iraq is
considered in many circles to have been worse, as it potentially exposed a greater
amount of classified data. That attack is suspected to have been the work
of Russian operatives, who pulled it off by connecting a single, infected USB
drive to a military laptop.
Other significant events include reported infiltration of the U.S. power grid by cyber
spies; the sale
of Military USB sticks in Iraqi and Afghani bazaars; and
breaches of Lockheed Martin's servers in 2009 and earlier this month.
Also noteworthy was the semi-successful sabotage of Iran's nuclear
power facilities, which some argue the U.S. was implicated in. Even if a
U.S. hand were behind the attack, its success would serve a powerful wakeup call
to the Pentagon of what a well-placed cyberassault can do.
IV. A Time to Kill
One of the most significant questions raised by the report is when to respond
to a cyber-attack with physical force.
According WSJ, the Pentagon is favoring a concept called "equivalence".
This policy is to only respond with physical force if an attack produced
similar effects to a physical assault -- e.g. death, damage, destruction,
and/or high-level disruption.
Charles Dunlap, a retired Air Force Major General and professor at Duke
University law school comments; "A cyber attack is governed by basically
the same rules as any other kind of attack if the effects of it are essentially
Gen. Dunlap says that the U.S. Military dislikes the term "act of
war", which it views as a political term. It prefers the term
"use of force" to describe armed attacks.
A tough question facing the Armed Forces, however, is how to accurately
determine where an attack originated. For example, an attack might be
traced to Russia or China, but it's not as easy to determine whether those
nations' governments were involved. Much like the U.S. court system is
realizing that an IP address does not identify an individual accurately, the
military faces the dilemma of the inherent ambiguity of online routing.
V. Additional Details
According to three unnamed U.S. Department of
Defense officials, the report covers 30 pages for the
classified form and 12 pages for the declassified version.
The officials say the report closes by stating that the Laws of Armed
Conflict [DOC] — a series of international rules derived from
various treaties and international customs, that serve as a blueprint of what
nations can and can't do with regards to conflict — apply to the online world,
much as they do the physical one. They say the report closes with a
discussion of how nations much cooperate to achieve international
What exactly the net result of the new rules is remains to be seen. The
U.S. thus far has been viewed as somewhat of a "cyber-weakling" when
it comes to responding to serious foreign threats.
The concept of equivalence still leaves questions such as how the U.S. should
respond to threats against its businesses' economic prosperity,
or foreign attacks that look to silence free speech. Reportedly
Chinese parties have been carrying out both kinds of attacks against parties in
the U.S. But thus far the Chinese government's "cyberwar" against
America has yet to escalate into the territory covered in the new rules --
conduct that could provoke a physical counterattack.