The Pentagon will soon release a strategy that formalizes a long-articulated position: the United States reserves the right to launch conventional attacks in response to the cyber kind. But figuring out who is behind such attacks may be difficult, or impossible.
“To say that cyberattacks can be acts of war, and that they can be met by kinetic responses, simply confirms a longstanding Department of Defense consensus,” says Stewart Baker, a lawyer who was policy chief at the Department of Homeland Security for part of the Bush administration. “Neither of those statements make a strategy, however.”
Baker adds that the threat “is much less effective than we’d like, because we largely lack the ability to identify who is attacking us in cyberspace. Until we solve that problem, we might as well claim that we’ll respond to cyberattacks by blowing horns until our attackers’ fortifications all fall down and their ships all sink.”
This problem is illustrated by the famous recent cyberattack involving Stuxnet—a computer worm that damaged Iran’s nuclear centrifuges last year.
The Stuxnet worm was a highly sophisticated piece of code that specifically attacked Siemens control systems, causing centrifuges to self-destruct. It leveraged four separate and previously unknown holes in Windows software. And it took care not to damage computers themselves, or other systems.
This technical sophistication, extreme specificity, and lack of other discernible payoff are suggestive of a state-sponsored effort. Many published reports suggest involvement by U.S. and Israeli agents. But as Eric Sterner, a fellow at the George C. Marshall Institute, argued last year, a defender could say a competitor to Siemens might have launched the worm, or that intelligence agencies could have let it loose simply to study its propagation.
If something similar were to infect and disable a U.S. nuclear facility or military network, and the United States wanted to strike back, it would be difficult to know whom to strike. However, “we should recognize that perfect attribution is not required,” says Charles Barry, a Vietnam-era combat veteran and a senior research fellow at the National Defense University’s Institute for National Strategic Studies in Washington, D.C. “We didn’t check to see that the Japanese fleet was acting on orders from Tokyo before declaring war on Japan in December of 1941.”