The Wall Street Journal reports that the Department of Defense has formalized its doctrine for responding to cyber-attacks. (Hat tip: Thinh Nguyen.) Unsurprisingly, the Pentagon has adopted a pragmatic posture of equivalence: cyber-attacks of sufficient impact could meet with a kinetic response. In other words, logic bombs might prompt America to employ real ones. The unclassified version of the strategy document will be released soon. The WSJ’s summary, though, shows that there are several vital unaddressed questions: how sure do we need to be? When will the U.S. fire first? And what about our friends?
- How sure? How certain must we be that a particular entity – a state, a terrorist group, a movement – is responsible for a cyber-attack before we respond with force? I argue strongly in Conundrum, my paper on cybersecurity, that attribution is a nearly unsolvable problem. We still aren’t certain whether North Korea was behind the July 2009 attacks on the U.S. and South Korea, or whether Russia was behind the cyberattacks on Estonia in 2008 – and that’s years later. What level of uncertainty would we tolerate in the wake of a devastating cyberattack before responding? (This isn’t a new problem – the U.S. faced precisely this question when assessing whether to invade Iraq based on the risk that the country had weapons of mass destruction.) There may be virtue in remaining publicly vague on this question of certainty, but policymakers need to grapple with this problem.
- What about offense? The U.S. strategy is reactive – it addresses how America might respond to a computer or network attack. It does not mention – and, indeed, the Pentagon has been chary of discussing – the conditions under which the United States might launch its own cyber-attack. (There’s at least one model for assessing what Pentagon rules look like: Stuxnet.) Will we have a “no first use” policy? Would an American cyberattack be attributable, in that the target could verify that the code was of U.S. origin? How would the U.S. handle the inevitable effects of a military cyberattack on civilian infrastructure, and civilians themselves? There are legitimate concerns over disclosing the extent of U.S. capabilities, but establishing some ground rules could potentially deter adversaries.
- What about allies? How does the new doctrine treat cyberattacks on U.S. allies? When Estonia, a NATO member, came under cyberattack, NATO decided that the attack did not trigger mandatory assistance from other NATO countries. The new Pentagon strategy takes up the usual rhetoric about coordination with allies and international institutions, but so far that aspect has been worth the paper it (isn’t yet) written on. Cyberattacks are inherently international. Effective investigation, and response, will require significant cooperation from other countries – some of whom may be reluctant participants. Better to build bridges in peacetime, in advance of need.
Code is a new form of war. We’ve already used it, as have our enemies. As usual, theory is lagging practice. It’ll be interesting to see to what degree the Department of Defense document deals with these hard questions, and how it tries to answer them.