A US cyberwar doctrine? Pentagon document seen as first step, and a warning.
A yet-to-be-released Pentagon document on cyberwar reportedly lays out when the US would respond with conventional force to a cyberattack: when infrastructure or military readiness is damaged.
(Page 2 of 2)
The attack on Lockheed Martin this past week probably would not qualify as a “cyberattack” under previous cyberwar doctrine. But any attempt by an adversary to slow down deployment of a carrier battle group probably would be an act of war.
Any new policy will have to guide the actions of the US, as the world’s leading cyber superpower, as well. Several experts believe Israel and the US may well have worked together to deploy Stuxnet – the world’s first confirmed cyberweapon – against Iran’s nuclear fuel enrichment facility at Natanz. If the US was involved in Stuxnet, was that an act of war – or simply enforcing international sanctions?
“There has been no clear boundary there in cyber,” the former US national security official says. “You lay out frameworks for thinking about whether a certain set of activities are an act of war – but determining something is an act of war is a political decision. It’s not something you write into statute.”
The benefit of vague definitions
In fact, it’s best that any document purporting to lay out what the US considers to be a cyberattack be left somewhat fuzzy – in order to keep potential attackers off guard, and to leave the president and his generals with an array of options. Otherwise, an attacker could simply walk up to the line – and back off – exploiting US definitions.
“You shouldn't draw white lines in advance,” the former national security official says. “There’s a body of literature that would say keep it vague. Still, it’s increasingly clear that if something happens in cyberspace, if it’s significant enough, we’ll use the full range of national means available to punish or address the situation.”
Of course, the question of “who did it” still remains. Attributing a cyberattack can be fiendishly difficult given the Internet’s ability to cloak attacks, with commands going through computers in many countries. Who does the US retaliate against if an attack comes from a computer in New Orleans or New York?
For that reason, the US has been working flat out on the attribution problem. It also created a new Cyber Command in 2010 to defend the nation and conduct offensive cyberattacks. In the meantime, military theoreticians have been busily churning out documents with titles like: “Defending a New Domain: The Pentagon's Cyberstrategy” or “Warfare by Internet: the logic of strategic deterrence, defense and attack.”
'It's 1946 in cyber'
But the pressure to come to terms with the difficulty of doing battle in and defending the cyberspace important to the US continues to grow. Consulting groups, academics and others have formed organizations and are now churning out papers exploring the intellectual underpinning of cyberwar doctrine.
“Here's the problem – it's 1946 in cyber,” James Mulvenon, a founding member of the Cyber Conflict Studies Association, a nonprofit group in Washington, said in an interview earlier this year. Not unlike the dawning nuclear era after World War II, “we have these potent new weapons, but we don’t have all the conceptual and doctrinal thinking that supports those weapons or any kind of deterrence.”
Even if that overarching problem is not going to be solved by the Pentagon cyberwarfare document when it is unveiled, it still could be a “good first step,” says Mr. Vatis. Others agree it’s high time the US put the world on notice on at least some aspects of what will and won’t be tolerated in cyberspace.
“What makes this important is that every day that goes by more and more of what our society, economy, and military depends upon to make the system work happens in cyberspace,” Kuehl says. “Some lines in the sand need to be laid down.”