Awhile back we noticed signals from the US Pentagon that they were considering the possibility of a traditional military response to cyber attacks on US physical infrastructure. Basically, a cyber attack on infrastructure could be considered an act of war. We now see the official report released, confirming this.
The report states, “When warranted, we will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we reserve the right to use all necessary means—diplomatic, informational, military, and economic—to defend our Nation, our Allies, our partners, and our interests.” Basically, they will be treating cyber attacks like any other act of aggression.
The language here is interesting for several reasons. First, it reserves the right to defend, not just the nation, but various other related interests as well. That seems like a pretty wide net as defined in the document. As written, it covers the use of proxy force if it meets the burden of being in “our interests.”
Speaking of proxies, chained multiple proxies used to anonymize the origin of the cyber attack traffic could lead efforts at attribution on wild goose chases that could span the globe. If a bad actor is bent on causing larger nations to clobber each other (regardless of reason), this would seem to be low-hanging fruit of the network underworld. Certainly it’s less difficult to scrape up some servers and a laptop as a C&C, than a pallet of black market missiles. After all, the Pentagon says it sees millions of hacking attempts every day, so obviously various folks are poking a toe in the water.
In the best of cases, assigning attribution with the degree of certainty necessary for public support of a traditional military response promises to be a tough test. We have yet to see a test case, but the Pengtagon says they are working on it, “Continuing to improve our ability to attribute attacks is a key to military response options.” Easier said than done.
The report continues, “Deterrence in cyberspace, as with other domains, relies on two principal mechanisms: denying an adversary’s objectives and, if necessary, imposing costs on an adversary for aggression.” While not language of pre-emption, it certainly strikes a potentially aggressive tone.
Also, a stance like this might have a me-too effect on other nations struggling with similar issues relative to protecting critical networks and information. One can only wonder if this will usher in a fresh new arms race, this time not governed by the amount of missiles, tanks, ships and planes, but by networks, hackers, bandwidth and street smart young kids to run the whole thing.
And what about aligning aggressive acts along national borders? Acts of cyber aggression are often carried out by communities of interest, not always groups within a certain national border, so would a military response leveled against a nation as a physical attack work? This has been a long-running diccussion, centering especially on hacktivism groups. But what country would the US attack against that style of group?
These questions (and others) will be entering the radar of public discussion as we grapple with how to deal with potential nasty state (or otherwise) actors who seek real harm to basically peaceful civilian infrastructure. To be sure, the world is filled with billions of people who want basic security and safety for themselves and the ones they love. Unfortunately, it also contains a handful of cyber nut cases. So how should we deal with the few bad actors when they get a little crazy and try widespread cyber destruction? These are major questions of the day, and for the coming generation.
Author Cameron Camp, ESET