Those perceptions have been driven by the creation of U.S. Cyber Command, a military organization that is allied with the government’s largest and most technologically sophisticated spy agency, the National Security Agency. The Pentagon also has declared that cyberspace is a new “domain” of warfare — alongside air, land, sea and space.
But drafts of a speech introducing the policy, set for delivery Thursday by Deputy Defense Secretary William J. Lynn III, suggest that officials want to tamp down criticism that U.S. cybersecurity policy is more offensive than defensive. “Far from militarizing cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes,” reads one section of a draft obtained by the online publication Nextgov.
The strategy’s rollout was delayed by more than six months, in part to avoid preempting the White House’s release of a global cybersecurity strategy and in part to work through concerns that the language could fuel perceptions of military dominance, said experts briefed on the strategy who spoke on the condition of anonymity because the briefings were confidential. The State Department and other agencies argued that defining cyberspace as a war-fighting domain would complicate relationships with international partners wary of U.S. military domination of cybersecurity policy, they said.
In the end, according to U.S. officials, the Pentagon agreed to refer to cyberspace as a domain strictly in terms of defending military networks rather than as a full-fledged arena of warfare.
The strategy, which has been two years in the making, is expected to emphasize that officials consider a military response to current cyber intrusions unlikely.
“Although it is certainly possible that a destructive or disruptive cyber attack could have an impact analogous to physical hostilities and therefore constitute an act of war, the vast majority of malicious cyber activity today would not cross this threshold, or justify a military response,” says another draft of Lynn’s speech.
In fact, the strategy does not specify how the United States might use computers in a direct attack, said several military officials, who said the document missed an opportunity to delineate how and when offensive means should be used.
The Pentagon’s strategy builds on the White House’s May release of its global cybersecurity strategy, which declared that the United States would “oppose those who seek to disrupt networks and systems, dissuading and deterring malicious actors, and reserving the right to defend these vital national assets as necessary and appropriate.”
The Pentagon strategy’s five “pillars” have been outlined in speeches before and include the establishment of “active defenses” such as sensors and software that can make networks more resilient. Such technologies have prompted debate within the Pentagon over whether they may be used to neutralize potentially malicious code in an adversary’s system — a course of action that could cross the line into offense.
The U.S. military has developed cyber weapons that can be used to deter an adversary from using its computer systems to attack the United States. They include viruses that can sabotage an opponent’s critical networks, similar to the Stuxnet virus, which damaged an Iranian nuclear facility, military officials said. Outside war, such weapons require presidential authority to be used, the officials said.
In March, in response to concerns from various departments and agencies, the White House prepared draft guidance that discussed use of the word “domain” to refer to cyberspace. The unclassified document, which was never formally issued but was obtained by The Washington Post, noted that “the lack of public understanding about the nature and parameters of U.S. military activity in cyberspace mandates messaging on this issue be precise.”
The guidance included the directive that “Cyberspace . . . is not to be characterized as a ‘warfighting,’ ‘military’ or ‘operational’ domain.” The phrase “cyber domain,” it continued, “is to be replaced with ‘cyberspace’ whenever possible.”