The Pentagon will soon release a strategy that formalizes a long-articulated position: the United States reserves the right to launch conventional attacks in response to the cyber kind. But figuring out who is behind such attacks may be difficult, or impossible.
“To say that cyberattacks can be acts of war, and that they can be met by kinetic responses, simply confirms a longstanding Department of Defense consensus,” says Stewart Baker, a lawyer who was policy chief at the Department of Homeland Security for part of the Bush administration. “Neither of those statements make a strategy, however.”
Baker adds that the threat “is much less effective than we’d like, because we largely lack the ability to identify who is attacking us in cyberspace. Until we solve that problem, we might as well claim that we’ll respond to cyberattacks by blowing horns until our attackers’ fortifications all fall down and their ships all sink.”
This problem is illustrated by the famous recent cyberattack involving Stuxnet—a computer worm that damaged Iran’s nuclear centrifuges last year.
The Stuxnet worm was a highly sophisticated piece of code that specifically attacked Siemens control systems, causing centrifuges to self-destruct. It leveraged four separate and previously unknown holes in Windows software. And it took care not to damage computers themselves, or other systems.
This technical sophistication, extreme specificity, and lack of other discernible payoff are suggestive of a state-sponsored effort. Many published reports suggest involvement by U.S. and Israeli agents. But as Eric Sterner, a fellow at the George C. Marshall Institute, argued last year, a defender could say a competitor to Siemens might have launched the worm, or that intelligence agencies could have let it loose simply to study its propagation.
If something similar were to infect and disable a U.S. nuclear facility or military network, and the United States wanted to strike back, it would be difficult to know whom to strike. However, “we should recognize that perfect attribution is not required,” says Charles Barry, a Vietnam-era combat veteran and a senior research fellow at the National Defense University’s Institute for National Strategic Studies in Washington, D.C. “We didn’t check to see that the Japanese fleet was acting on orders from Tokyo before declaring war on Japan in December of 1941.”
In addition to the unsolved attribution problem, Barry says that military planners face challenges in determining what sort of cyberattack “constitutes an act of war.” The Pentagon’s new cyberwar strategy is expected to declare, in part, that computer attacks on military networks, or attacks that pose hazards to civilians, such as damage to air-traffic control systems or power grids, could be treated as akin to conventional aggression.
Some of these issues will be taken up next week, when military planners and others gather for the annual NATO cyberwar conference in Tallinn, Estonia. That nation was itself the victim of a famous cyberattack in 2007 that highlighted some of the new challenges. The attack commenced after the Estonian government, ignoring protests by Russia, moved a bronze statue of a Soviet soldier that had been installed to commemorate World War II dead.
Soon after, attackers based mainly in Russia launched denial-of-service campaigns against government, media, and telecom Web targets in Estonia, paralyzing them for weeks. The Russian government denied orchestrating the event, attributing it to “patriotic hackers.”
If such an event happens again, and it results in loss of life or damage to military systems, the victim nation will need to decide whether to believe such national claims of innocence—or, if it doesn’t believe those claims, whether to punish a state for the sins of its citizens.
Meanwhile, there is no agreement within or outside of NATO on how a cyberconflict should play out—including to what extent allies should step in. A NATO report chaired by Madeleine Albright last fall noted that large-scale attacks on NATO infrastructure could lead to defensive measures by all members.
The United States created a unified Cyber Command in 2010 to both defend national networks and plan its own cyberattacks if needed. Almost exactly one year ago, General Keith Alexander, who heads the Cyber Command and also directs the National Security Agency, called for global rules of engagement for cyberwar. The forthcoming Pentagon report will be a step toward defining those rules, but it may do little to clarify who’s playing the game.