Pentagon: Military Action Is an Acceptable Response to Cyber-Attacks
It is official. The United States military has explicitly stated that it has the right to retaliate with military force against a cyber-attack.
In a 12-page report sent to Congress and made public Nov. 21, the Department of Defense said the military can launch a physical attack in the case of a cyber-attack against its systems. The threat of military action would act as deterrence on people who think they can carry out "significant cyber-attacks directed against the U.S. economy, government or military," the Pentagon wrote in the report, which appears to be an update to the cyber-strategy plan released over the summer.
The president would be in charge of authorizing these attacks, which are approved only to defend computer networks in "areas of hostilities" or actual battle zones, such as Afghanistan. While the report talked about the necessity of securing critical infrastructure, the report said the Pentagon would work with the Department of Homeland Security, which has oversight of this sector. It does not appear from the report that attacks on critical infrastructure by themselves could automatically lead to military action.
"When warranted, we will respond to hostile attacks in cyber-space as we would do to any other threat to our country," according to the report, which the Pentagon is mandated to complete under the 2011 Defense Authorization Act.
The Defense Department operates a massive network environment, with more than 15,000 computer networks consisting of seven million computers scattered around the world, Army Gen. Keith Alexander, head of the National Security Agency (NSA) and commander of U.S. Cyber Command, told eWEEK recently. Defense officials have stated in the past that the networks are probed millions of times a day trying to find and extract data. One defense company lost more than 24,000 files as part of a network breach in March.
The report "reserves the right to defend, not just the nation, but various other related interests as well," said Cameron Camp, a security researcher at ESET, noting that the policy would cover the use of proxy force so long as it can be considered as being in "our interests."
The United States will conduct a military strike only when all other options have been exhausted and only when the risks of not doing anything outweigh the risks of acting, the report said. The cyber-operations will still follow the same rules of armed conflict the defense department follows for "kinetic" warfare on the ground, according to the Pentagon.
The Pentagon's team of cyber-security experts are developing defenses that would block adversaries from breaching networks and make attackers pay a price for attacking the network, the report said. In addition to these "deny objectives," the DoD will maintain, and further develop, "the ability to respond militarily in cyber-space and other domains" if the defenses are not adequate, the report said.
The report said "all necessary means" could include various electronic attacks or more conventional military tactics. However, the report did not provide any details about the kind of attacks that would qualify for physical retaliation.