A US cyberwar doctrine? Pentagon document seen as first step, and a warning.

Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an “act of war,” according to new Defense Department cyberwarfare policies that have yet to be officially unveiled.

A not-yet-released Pentagon document outlining US military cyberwarfare doctrine cites the example of cybersabotage – the use of a malicious computer program to attack US infrastructure or military systems – which could under new policy guidelines elicit a response of American bombs and bullets, according to a Wall Street Journal article Tuesday that revealed the existence of the document.

The document, which reportedly includes an unclassified as well as a secret portion, is described as partly policy document – and partly a warning to any future adversaries to step gingerly – or else. It discusses the idea of “equivalence” – a military concept whose premise is that if a cyberattack causes destruction and death or significant disruption, then the “use of force” in response should be considered, the Journal reported.

If the new Pentagon document does indeed lay out what the United States considers an “attack” worthy of a military response to be, it would be a key move toward a far more coherent policy on responding to cyberattacks, experts say.

“There is value in the US drawing a line and saying – ‘Hey, this really important, so if you mess with us in this area, we're going to take it seriously,’ ” says Dan Kuehl, a cyberwarfare expert and professor at National Defense University.

“The US has had a longstanding policy, that we're not just going to respond to cyberattacks with cyber,” a former US national security official said in an interview earlier this year. “If somebody really cripples the US electric grid, a nuclear power plant, or starts to kill people with cyberattacks we’re going to retaliate.”

Still, for at least 15 years, the US military has been wrestling with how to categorize cyberattacks against US systems – and whether or how they might fit within the international Law of Armed Combat, Dr. Kuehl says. How much damage does a cyberattack have to do to warrant a military response? Would the US retaliate even if it wasn't 100 percent sure about the source of the computer-based attack? If it can't be sure, is retaliation possible or ethical?

The document, as reported, seems to concur that cyberattacks against the US – and potentially those cyberattacks by the US itself – fit squarely under the umbrella of that international law, which governs the proportionality of any military response.

'Important first step'

Still, because the document has yet to be released, it’s not clear yet whether it will have the president’s stamp and the force that entails – or whether it will have only the limited force that other defense documents laying out cyberwar policy have had thus far.

“If this turns out to be a national policy rather than just a Department of Defense document, then I think it would be an important first step,” says Michael Vatis, a partner at the New York law firm Steptoe & Johnson. He served on a National Research Council committee that produced a seminal 2009 study on the legal and ethical issues surrounding US use of cyberweapons. “The document, as it has been reported, suggests an advance or maturation in government thinking,” he says.

With America's military, government, and corporate networks under constant assault from hackers, computer viruses and other malicious software, the question of just what constitutes a cyberattack worthy of a full-throated US military response has been a growing question mark – and a gap in US war doctrine, cyberwar experts say.

1 | 2

Next