The Pentagon is developing a new cyberwarfare strategy that calls for the use of military force ― including conventional weapons ― in response to certain kinds of damaging online attacks on U.S. institutions. That’s fine in theory; if foreign agents launch a cyberattack on, say, the nation’s electrical grid, it may be both reasonable and proportionate to fire missiles at, say, the attacker’s energy supplies. But as recent hacks and phishing attacks on Google’s Gmail service and on defense contractor Lockheed Martin indicate, the theory may not translate well to the murky, messy reality of what’s happening online.
It’s no surprise that the United States would reserve the right to use force against those who threaten it through the Internet. That’s standard operating procedure for governments around the world in response to any new type of attack. The Obama administration stated its position simply in the International Strategy for Cyberspace policy paper released May 17, which declared that the United States “will respond to hostile acts in cyberspace as we would to any other threat to our country.”
But what constitutes an act of cyberwarfare? When would a military response be appropriate? And what are the rules of engagement? These are questions that U.S. administrations and defense officials have been struggling to answer for more than a decade.
The new cyberwarfare strategy, which the Pentagon is expected to finish drafting this month, may not provide all the answers. That’s not necessarily a bad thing. It’s not in the country’s interests to be too specific about when and how it will respond to cyberattacks, because that could weaken the potential deterrent effect. What the report may do, according to the Wall Street Journal, is categorize electronic attacks as acts of war if they result in the same level of damage and casualties as a conventional military attack. Such a designation could trigger a military response.
With governmental and corporate networks under seemingly incessant assault, it would certainly help to have a better deterrent, military or otherwise. The tricky part, however, is figuring out where the assaults are coming from, what their motives are and what damage they’re inflicting.
Witness the serious, sophisticated attacks this year on EMC Corp.’s RSA Security Division, L-3 Communications Corp., Lockheed Martin and Google. The RSA Security intrusion enabled hackers to collect undisclosed information about SecurID, a technology in widespread use by governments and corporations to protect internal networks and facilities. Several defense contractors that rely on SecurID, including L-3 and Lockheed Martin, later reported intrusions, although they did not disclose whether any sensitive information was stolen or damage inflicted.
These incidents may be acts of espionage aimed at gathering sensitive information about U.S. weapons systems and military capabilities. One would expect that intelligence officials here are doing the same things in their efforts to identify potential foreign threats to the United States. In a sense, it’s a new Cold War, though with far more combatants.
Other attacks have more ambiguous intentions and are harder to distinguish from the work of the cybercriminals who have proliferated online. On Wednesday, Google disclosed that unidentified attackers had tried to dupe hundreds of Gmail users into revealing their passwords. The victims targeted included “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists,” a Google executive said on a company blog, adding that the attack “appears to originate from Jinan, China.”
Jinan, a provincial capital, just happens to be home to an important Chinese military installation and a military-backed vocational school that teaches computer science ― the same school that investigators say was linked to a sophisticated attack on Gmail that started in 2009. Predictably, Chinese authorities have denied involvement in either episode.
The frequency of these attacks and the seeming impunity enjoyed by those responsible are alarming, and the federal government clearly has to step up its efforts to deter them. The new Pentagon policy will help, but only with the most egregious instances. Meanwhile, as the latest Gmail incident shows, government agencies need to do more to educate officials about online threats and the risks associated with public communications networks. Being conned into disclosing a password is a common occurrence online, which is why officials using Gmail and similar services should behave as if nothing they communicate stays secret.
The Pentagon’s effort follows a series of steps by the Bush and Obama administrations to make the military and the federal government less vulnerable and improve Washington’s response to cyberattacks. But the attacks on EMC and defense contractors are a reminder that private companies control most of the critical networks and infrastructure in the United States, and they have to do a better job of identifying risks, taking preventive steps and alerting authorities when they detect the first signs of trouble.
Last month the White House sent Congress a broad cybersecurity proposal that would have the government designate which companies control critical infrastructure, identify the ones subject to the greatest threats and declare which risks they must guard against. It would not, however, have the government tell them how to ward off cyberattacks or take control of critical facilities in the event of a cyberwar. Instead, it would require those companies to have cybersecurity plans that passed muster with independent evaluators. It’s a modest but important step in response to a glaring cybersecurity gap that Congress should move quickly to fill.