Last week reports emerged about attempted cyber attacks against the internal networks of three major U.S. defense contractors: Lockheed Martin, L-3 Communications, and Northrop Grumman. All of the attempted hacks tried to access the companies’ internal networks using compromised remote-access security tokens, which are believed to be linked to yet another hack that occurred at a different government contractor, RSA, in March.
Amidst news of last week’s attacks, DoD is preparing a formal cyber strategy and a list of deployable cyber weapons. The strategy is not in response to the incursions, but as the first formal cyber strategy written by the Pentagon, it obviously has bearing on USG’s response to them, as well as future assaults.
The strategy is not yet public, but two important provisions are known: First, that the Pentagon may use conventional force to respond to a cyber attack against the U.S.; second, that the strategy explicitly contains an authorization framework, reportedly requiring the military to obtain presidential approval before deploying cyber weapons.
While it’s time that the U.S. government assembled clear policies to respond to cyber attacks, it is important to recognize the unique challenges contained therein. Two of the most important are 1) assigning responsibility for an attack and 2) assuring that any retaliation avoids excessive collateral damage.
First, unlike attacks with conventional weapons, an attacker has more opportunities to hide his origin in cyberspace. For example, state actors can create plausible deniability behind contracted criminal groups, a tactic likely used by Russia and China. It’s unclear how the new strategy will deal with this point.
Second, if the U.S. government is able to correctly attribute an attack, its response would have to comport with international law, specifically a statute known as the Law of Armed Conflict (LoAC). The United States is bound to the LoAC through multiple treaties such as the 1907 Hague Conventions and the 1949 Geneva Conventions, as well as through customary international law. Two elements of the LoAC pose particular challenges in the cyber realm: proportionality and distinction.
Proportionality may be a particularly tough nut to crack, as we know that the Pentagon’s policy will permit retaliating against a cyber attack with conventional weapons. It’s new ground, and the argument could be made that launching a missile in response to a computer-based attack is inherently disproportionate. However, we must recognize that a cyber attack has the ability to cause actual loss of life if, for example, it were aimed at air traffic control systems and caused planes to crash. Under the new policy, only an attack of this magnitude would allow a conventional response to a cyber attack, and it is imperative that such a response be proportionate.
Distinction is another problematic element of the LoAC because cyber weapons can have unintended consequences. The amount of damage that a conventional weapon does is known before it is used even though it may damage unintended targets. Not so in the cyber world: Vital military and civilian assets may reside on the same network, thus making it difficult to limit damage to the legitimate military target. Furthermore, cyber weapons are different because entities that reside in cyberspace are interconnected on a global scale: attacking a target on a server in China can also cause damage to another server in Canada. This actually happened in 2010 when the U.S. military took down a jihadist website hosted in Saudi Arabia that led to disruption to more than 300 servers in Saudi Arabia, Texas, and Germany.
These are only a couple of considerations that complicate the use of cyber weapons, and developing a strong cyber capabilities must occur within the context of these considerations. With so much of its vital national assets relying on the Internet, the U.S. must equip itself with both the strong defensive capabilities and project power in cyberspace, as well as with robust policies to regulate these capabilities.
Photo Credit: West Point Public Affairs.