Cyber Security pundits have been keenly watching the development of nascent state targeted attacks such as the Stuxnet worm with interest for some time and warning of the possible implications, but now it’s official. According to The Wall Street Journal,
“The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to US nuclear reactors, subways or pipelines as a hostile country’s military.” Continuing, “Computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military.”
Private industry has felt the brunt of cyber attacks for years now, causing real financial damage and impacting business processes, and unsavory actors have been all-too-happy to utilize such attacks for nefarious intent. Following recent cyber attacks against defense contractors containing sensitive military information, the U.S. Government now appears poised to raise the stakes to a new level, hopefully providing a stern enough stance to deter would-be attackers from future endeavors.
Answering cyber attacks by military force raise new questions, however. While the details (we hope) will be forthcoming, terms of engagement will be something to watch. There are many famous movies about an evil mastermind pitting two larger powers against each other with the goal of Mutual Assured Destruction (MAD) through the use of proxy threats/attacks (Tomorrow Never Dies, Dr. Strangelove) . This raises the term proxy war to a new level, this time using a technological proxy to affect the same outcome. In a related vein, there is the difficulty of proving the origin of the threat, especially with a fast moving internet-based target. No small task, especially in a short enough timeframe to be effective, and yet to a high enough standard of proof to justify military action.
Time will tell, as state targeted attacks are sure to continue and improve in effectiveness. The burden of proof will be on the U.S. Government to prove conclusively enough to the public that a) there was an attack, b) the target was aimed at sufficiently critical targets to warrant a military response, c) we know who did it. We have yet to see a first test case.
All this raises the awareness (or should) of protecting critical infrastructure from cyber attacks of all types, whether targeted or opportunist, as a first line of defense. Successfully defended, it may obviate the need to determine whether a Sidewinder missile or subpoena will need to be fired at all. The time seems to have arrived when these questions are reaching the very top of Capitol Hill and not just in server rooms and boardrooms, where protections have been preached about for quite some time. It seems a proactive approach is ramping all the way up to the Pentagon level, stay tuned …we will.
Author Cameron Camp, ESET