MIT Technology Review



The Pentagon will soon release a strategy that formalizes a long-articulated position: the United States reserves the right to launch conventional attacks in response to the cyber kind. But figuring out who is behind such attacks may be difficult, or impossible.

“To say that cyberattacks can be acts of war, and that they can be met by kinetic responses, simply confirms a longstanding Department of Defense consensus,” says Stewart Baker, a lawyer who was policy chief at the Department of Homeland Security for part of the Bush administration. “Neither of those statements make a strategy, however.”

Baker adds that the threat “is much less effective than we’d like, because we largely lack the ability to identify who is attacking us in cyberspace. Until we solve that problem, we might as well claim that we’ll respond to cyberattacks by blowing horns until our attackers’ fortifications all fall down and their ships all sink.”

This problem is illustrated by the famous recent cyberattack involving Stuxnet—a computer worm that damaged Iran’s nuclear centrifuges last year.

The Stuxnet worm was a highly sophisticated piece of code that specifically attacked Siemens control systems, causing centrifuges to self-destruct. It leveraged four separate and previously unknown holes in Windows software. And it took care not to damage computers themselves, or other systems.

This technical sophistication, extreme specificity, and lack of other discernible payoff are suggestive of a state-sponsored effort. Many published reports suggest involvement by U.S. and Israeli agents. But as Eric Sterner, a fellow at the George C. Marshall Institute, argued last year, a defender could say a competitor to Siemens might have launched the worm, or that intelligence agencies could have let it loose simply to study its propagation.

If something similar were to infect and disable a U.S. nuclear facility or military network, and the United States wanted to strike back, it would be difficult to know whom to strike. However, “we should recognize that perfect attribution is not required,” says Charles Barry, a Vietnam-era combat veteran and a senior research fellow at the National Defense University’s Institute for National Strategic Studies in Washington, D.C. “We didn’t check to see that the Japanese fleet was acting on orders from Tokyo before declaring war on Japan in December of 1941.”
