The Pentagon has laid out its most explicit cyberwarfare policy to date, stating that if directed by the president, it will launch “offensive cyber operations” in response to hostile acts.
Those hostile acts may include “significant cyber attacks directed against the U.S. economy, government or military,” Defense Department officials stated in a long-overdue report to Congress released late Monday.
But the report is still silent on a number of important issues, such as rules of engagement outside designated battle zones — a sign of how challenging the policy debate is in the newest and most complex realm of warfare.
The statements are consistent with preexisting policy, but have never before been stated quite so explicitly, even in the Pentagon’s recently released cyberspace strategy.
That strategy focused on the importance of deterring attacks by building defenses that would “deny” adversaries the benefits of success. In the latest report, the Pentagon states that adversaries threatening a crippling cyber attack against the United States “would be taking a grave risk.”
Indeed, officials noted that when defense-based deterrence fails to stop a hostile act, the Pentagon “maintains, and is further developing, the ability to respond militarily in cyberspace and in other domains.”
James E. Cartwright Jr., the recently retired vice chairman of the Joint Chiefs of Staff, who has criticized U.S. cyberstrategy as being too focused on defensive issues, said the report “is a good start at documenting how the U.S. will both defend our interests in this vital domain and deter those who would threaten those interests.”
Cartwright had publicly stated over the summer that a strategy dominated by defense would fail, telling reporters then: “If it’s okay to attack me and I’m not going to do anything other than improve my defenses every time you attack me, it’s very difficult to come up with a deterrent strategy.”
The latest report, issued in response to a congressional requirement to answer key cyberwarfare policy questions by March 1, 2011, reiterated that the United States will “exhaust all options prior to using force whenever we can” in response to a hostile act in cyberspace.
In May, the White House’s international cyberstrategy declared that the United States reserves the right to use all necessary means — diplomatic, informational, military and economic — to defend the nation against hostile acts in cyberspace.
The new report, though, reflects the tensions inherent in cyber policy. Taken with past budget documents, it suggests a need for automated, pre-approved responses to some hostile acts in cyberspace.
But the report makes clear that offensive actions will be carried out only as directed by the president.
And it states that specific rules of engagement for the defense of computer networks have been approved for “areas of hostilities” or battle zones. There is just one area of hostility today — Afghanistan.
“The question is, how, and to what extent, are they thinking about automated responses?” said Herbert Lin, a cyber expert at the National Academy of Sciences.
Such responses, he said, “are fraught with danger. Without people in the loop, you’re much more likely to do unintended stuff.”