Yet it remains silent on a number of important issues, such as rules of engagement outside designated battle zones and whether neutral countries would be consulted before their systems were used to carry out counterattacks in cyberspace. The report does not discuss the advisability of demonstrating cybercapabilities.
The report is more explicit than the Pentagon’s cyberstrategy released in July, which focused on the importance of deterring attacks by building defenses that would “deny” adversaries the benefits of success. In the latest report, the Pentagon states directly that it “has the capability to conduct offensive operations in cyberspace to defend our nation, allies and interests.”
When defense-based deterrence fails to stop a hostile act, the report says, the Pentagon “maintains, and is further developing, the ability to respond militarily in cyberspace and in other domains.”
James E. Cartwright, the recently retired vice chairman of the Joint Chiefs of Staff, said the report “is a good start at documenting how the U.S. will both defend our interests in this vital domain and deter those who would threaten those interests.” Cartwright had publicly stated in July that a strategy dominated by defense would fail.
In May, the White House released an international cyberstrategy declaring that the United States reserves the right to use all necessary means — diplomatic, military and economic — to defend the nation against hostile acts in cyberspace. But it said that the United States will “exhaust all options prior to using force whenever we can” in response to a hostile act in cyberspace.
This week’s report was issued in response to a congressional requirement to answer key cyberwarfare policy questions by March 1, 2011. There was no explanation in the report for why it was months overdue.
The new report suggests a need for automated, preapproved defensive responses to some hostile acts in cyberspace. It also makes clear that any counterattacks will be carried out only as directed by the president. And it states that specific rules of engagement for the defense of computer networks have been approved for “areas of hostilities” or battle zones. There is just one area of hostility today — Afghanistan.
The rules outside of battle zones are still the subject of debate within the administration, with some military officials arguing that because attacks can happen in cyberspace in a matter of milliseconds, the speed of human decision-making may not be sufficient for effective responses. Formulating appropriate rules is complicated by the difficulty of determining who launched a cyberattack and the danger that any U.S. military response could accidentally damage systems not directly targeted.
The prospect of automated responses has caused particular concern. “The question is, how, and to what extent, are they thinking about automated responses?” said Herbert Lin, a cyber expert at the National Academy of Sciences. Such responses, he said, “are fraught with danger. Without people in the loop, you’re much more likely to do unintended stuff.”
The report also suggested that stand-alone cyber operations that do not involve the use of military personnel in a battle zone likely would not trigger the congressional notification requirement under the War Powers Resolution. Cyber operations may, however, be part of larger operations that could trigger such a requirement.
James A. Lewis, a cyber expert with the Center for Strategic and International Studies, said the report “ducked” a series of other questions, including what constitutes a “use of force.”
The report says that the ultimate arbiter on that matter is the president.