The Pentagon made headlines earlier this week when it was revealed to be preparing to publish a draft of rules of cyber-engagement, which ruled that cyber-sabotage could be an act of war.  Drawing on the concept of "equivalence", the draft proposes that the U.S. only respond to web attacks with physical force if there's loss of life from the attack.

I. New Rules to Govern U.S. Cyberwarfare

New details have emerged in The Washington Post about a corresponding classified document, which lists a set of cyber-tools/weapons at the disposal at the U.S. Department of Defense (DoD) and national intelligence agencies.  The document refers to "weapons" like computer worms or viruses as "fires".

The list fills a critical gap as it establish a broad and uniform set of rules of what the U.S. government views as acceptable uses of cyber force.  That might help prevent incidents like the Stuxnet sabotage of Iran's nuclear power plant, which the U.S. was reportedly implicated in.

Describes a military official, "[W]hether it’s a tank, an M-16 or a computer virus, it’s going to follow the same rules so that we can understand how to employ it, when you can use it, when you can’t, what you can and can’t use."

II. Offense v. Defense

Under the new rules, the deployment of a worm like Stuxnet for the purposes of sabotage would be strictly forbidden.  The rules allow military and intelligence officials to penetrate foreign networks to study their capabilities, identify critical infrastructure like power plants, and plant "beacons"/back-doors that allow for quick future attacks by viruses or other means, if needed.

That strategy is consistent with what is believed to be employed by the government of China who is accused of hacking U.S. power grid operators, defense contractors, businesses, and DoD servers for the purpose of information gathering.

The strategy focuses largely on cyber-defense -- something the U.S. is currently very poor at.  An official commented, "[T]he United States is actively developing and implementing [capabilities] to deter or deny a potential adversary the ability to use its computer systems."

Formally the proposal requires all offensive cyber-weapons like Stuxnet to be pre-approved.  However, during times of war/open hostility, the President can pre-approve cyber-attacks to allow commanders to make timely responses.

By contrast, when not at war or is operating outside of a war zone, any use of offensive cyber-force is referred to as "direct action" and requires explicit and specific presidential authorization.  If such an action was ever taken it would be required to responded proportional to the threat, not inflict undue collateral damage, and avoid civilian casualties.

III. The "Inspire" Case Study

The proposal does fail to address one key debate that's waging between the U.S. military and the nation's intelligence agencies.  The military says that it should be able to treat cyberattacks on terrorist websites as clandestine operations and command attacks against them.

The U.S. Central Intelligence Agency and other intelligence agencies argue that such operations are covert operations, and must be authorized by the intelligence community.  They argue that such operations can disrupt valuable sources of intelligence and endanger U.S. operatives.

Both sides have powerful supporters.  House Armed Services Committee Vice Chairman Rep. Mac Thornberry (R-Texas) has added language to the House-approved 2012 defense authorization bill which would allow the military "to carry out a clandestine operation in cyberspace" under certain stipulations.  The bill calls such operations "traditional military" actions.  

Rep Thornberry states, "I have had colonels come back to me [from Iraq and Afghanistan] and talk about how they thought they could do a better job of protecting their troops if they could deal with a particular Web site. Yet because it was cyber, it was all new unexplored territory that got into lots of lawyers from lots of agencies being involved." 

The Obama administration has announced unspecified "concerns" with the measure, though.

The battle has already played out once.  In a high profile incident in 2010 the U.S. military proposed a takedown or defacement of a new English language radical Islamic jihadist publication named Inspire, which was published by an al-Qaida affiliate.  The head of the newly formed U.S. Cyber Command, Gen. Keith Alexander said taking down the magazine, which featured specials like how to “Make a Bomb in the Kitchen of Your Mom", would help safeguard U.S. troops overseas. But he face firm opposition from the CIA who protested any action against the magazine.

In the end the CIA won -- the Obama administration ordered the attack plans scrapped.  

In the end British cyber-warriors stepped in, making up for the Americans' inaction.  They defaced the posted version of the magazine so pages 4 through 67 -- which included the bomb tutorial -- were blurred and unintelligible.  It took a couple weeks for the publisher to repair the damage and repost a new version; by that time many would-be jihadists reportedly had grown bored and moved on.