The Pentagon made headlines earlier this week when it
was revealed to be preparing to publish a draft of rules of cyber-engagement,
which ruled that cyber-sabotage could be an act of war.
Drawing on the concept of "equivalence", the draft proposes
that the U.S. only respond to web attacks with physical force if there's loss
of life from the attack.
I. New Rules to Govern U.S. Cyberwarfare
New details have emerged in The Washington Post about
a corresponding classified document, which lists a set of cyber-tools/weapons
at the disposal at the U.S. Department
of Defense (DoD) and national intelligence agencies. The document
refers to "weapons" like computer worms or viruses as
The list fills a critical gap as it establish a broad and uniform set of rules
of what the U.S. government views as acceptable uses of cyber force. That
might help prevent incidents like the Stuxnet sabotage of Iran's nuclear power plant,
which the U.S. was reportedly implicated in.
Describes a military official, "[W]hether it’s a tank, an M-16 or a
computer virus, it’s going to follow the same rules so that we can understand
how to employ it, when you can use it, when you can’t, what you can and can’t
II. Offense v. Defense
Under the new rules, the deployment of a worm like Stuxnet for the purposes of
sabotage would be strictly forbidden. The rules allow military and
intelligence officials to penetrate foreign networks to study their
capabilities, identify critical infrastructure like power plants, and plant
"beacons"/back-doors that allow for quick future attacks by viruses
or other means, if needed.
That strategy is consistent with what is believed to be employed by the
government of China who is accused of hacking U.S. power grid operators, defense contractors, businesses, and DoD
servers for the purpose of information gathering.
The strategy focuses largely on cyber-defense -- something the U.S. is
currently very poor at. An official commented,
"[T]he United States is actively developing and implementing
[capabilities] to deter or deny a potential adversary the ability to use its
Formally the proposal requires all offensive cyber-weapons like Stuxnet to be
pre-approved. However, during times of war/open hostility, the President
can pre-approve cyber-attacks to allow commanders to make timely responses.
By contrast, when not at war or is operating outside of a war zone, any use of
offensive cyber-force is referred to as "direct action" and requires
explicit and specific presidential authorization. If such an action was
ever taken it would be required to responded proportional to the threat,
not inflict undue collateral damage, and avoid civilian casualties.
III. The "Inspire" Case Study
The proposal does fail to address one key debate that's waging between the U.S.
military and the nation's intelligence agencies. The military says that
it should be able to treat cyberattacks on terrorist websites as clandestine
operations and command attacks against them.
The U.S. Central Intelligence Agency and other
intelligence agencies argue that such operations are covert operations, and
must be authorized by the intelligence community. They argue that such
operations can disrupt valuable sources of intelligence and endanger U.S.
Both sides have powerful supporters. House Armed Services Committee Vice
Chairman Rep. Mac Thornberry (R-Texas)
has added language to the House-approved 2012 defense authorization bill which
would allow the military "to carry out a clandestine operation in
cyberspace" under certain stipulations. The bill calls such
operations "traditional military" actions.
Rep Thornberry states, "I have had colonels come back to me [from Iraq and
Afghanistan] and talk about how they thought they could do a better job of
protecting their troops if they could deal with a particular Web site. Yet
because it was cyber, it was all new unexplored territory that got into lots of
lawyers from lots of agencies being involved."
The Obama administration has announced unspecified "concerns" with
the measure, though.
The battle has already played out once. In a high profile incident in
2010 the U.S. military proposed a takedown or defacement of a new English
language radical Islamic jihadist publication named Inspire, which
was published by an al-Qaida affiliate. The head of the newly formed U.S.
Cyber Command, Gen. Keith Alexander said taking down the magazine, which
featured specials like how to “Make a Bomb in the Kitchen of Your Mom",
would help safeguard U.S. troops overseas. But he face firm opposition from the
CIA who protested any action against the magazine.
In the end the CIA won -- the Obama administration ordered the attack plans
In the end British cyber-warriors stepped in, making up for the Americans'
inaction. They defaced the posted version of the magazine so pages 4
through 67 -- which included the bomb tutorial -- were blurred and
unintelligible. It took a couple weeks for the publisher to repair the
damage and repost a new version; by that time many would-be jihadists
reportedly had grown bored and moved on.