PPI - Radically Pragmatic
  • Donate
Skip to content
  • Home
  • About
    • About Us
    • Locations
    • Careers
  • People
  • Projects
  • Our Work
  • Events
  • Donate

Our Work

Defense Contractors Suffer Network Attacks as Pentagon Issues Cyber Strategy

  • June 6, 2011
  • Matthew Dahl

Last week reports emerged about attempted cyber attacks against the internal networks of three major U.S. defense contractors: Lockheed Martin, L-3 Communications, and Northrop Grumman. All of the attempted hacks tried to access the companies’ internal networks using compromised remote-access security tokens, which are believed to be linked to yet another hack that occurred at a different government contractor, RSA, in March.

Amidst news of last week’s attacks, DoD is preparing a formal cyber strategy and a list of deployable cyber weapons. The strategy is not in response to the incursions, but as the first formal cyber strategy written by the Pentagon, it obviously has bearing on USG’s response to them, as well as future assaults.

The strategy is not yet public, but two important provisions are known: First, that the Pentagon may use conventional force to respond to a cyber attack against the U.S.; second, that the strategy explicitly contains an authorization framework, reportedly requiring the military to obtain presidential approval before deploying cyber weapons.

While it’s time that the U.S. government assembled clear policies to respond to cyber attacks, it is important to recognize the unique challenges contained therein. Two of the most important are 1) assigning responsibility for an attack and 2) assuring that any retaliation avoids excessive collateral damage.

First, unlike attacks with conventional weapons, an attacker has more opportunities to hide his origin in cyberspace. For example, state actors can create plausible deniability behind contracted criminal groups, a tactic likely used by Russia and China. It’s unclear how the new strategy will deal with this point.

Second, if the U.S. government is able to correctly attribute an attack, its response would have to comport with international law, specifically a statute known as the Law of Armed Conflict (LoAC). The United States is bound to the LoAC through multiple treaties such as the 1907 Hague Conventions and the 1949 Geneva Conventions, as well as through customary international law. Two elements of the LoAC pose particular challenges in the cyber realm: proportionality and distinction.

Proportionality may be a particularly tough nut to crack, as we know that the Pentagon’s policy will permit retaliating against a cyber attack with conventional weapons. It’s new ground, and the argument could be made that launching a missile in response to a computer-based attack is inherently disproportionate. However, we must recognize that a cyber attack has the ability to cause actual loss of life if, for example, it were aimed at air traffic control systems and caused planes to crash. Under the new policy, only an attack of this magnitude would allow a conventional response to a cyber attack, and it is imperative that such a response be proportionate.

Distinction is another problematic element of the LoAC because cyber weapons can have unintended consequences. The amount of damage that a conventional weapon does is known before it is used even though it may damage unintended targets. Not so in the cyber world: Vital military and civilian assets may reside on the same network, thus making it difficult to limit damage to the legitimate military target. Furthermore, cyber weapons are different because entities that reside in cyberspace are interconnected on a global scale: attacking a target on a server in China can also cause damage to another server in Canada. This actually happened in 2010 when the U.S. military took down a jihadist website hosted in Saudi Arabia that led to disruption to more than 300 servers in Saudi Arabia, Texas, and Germany.

These are only a couple of considerations that complicate the use of cyber weapons, and developing a strong cyber capabilities must occur within the context of these considerations. With so much of its vital national assets relying on the Internet, the U.S. must equip itself with both the strong defensive capabilities and project power in cyberspace, as well as with robust policies to regulate these capabilities.

Photo Credit: West Point Public Affairs.

Related Work

Op-Ed  |  June 18, 2025

Weinstein Jr. for Forbes: It’s The Early 1990s Bond Market Again

  • Paul Weinstein Jr.
Budget Breakdown  |  June 18, 2025

Senate Changes to House Reconciliation Bill Are a Mixed Bag

  • Ben Ritz Nate Morris
Blog  |  June 17, 2025

Trump Courts Chaos With His Middle East Failures

  • Peter Juul
Press Release  |  June 17, 2025

New PPI Report Calls on Democrats to Reclaim National Security Leadership

  • Peter Juul
Publication  |  June 17, 2025

An Affordable Necessity: The Case for a Larger Defense Budget

  • Peter Juul
Press Release  |  June 10, 2025

New PPI Report Finds Tech and E-Commerce Sectors Are a Powerful Engine for Local Resilience

  • Michael Mandel
  • Never miss an update:

  • Subscribe to our newsletter
PPI Logo
  • Twitter
  • LinkedIn
  • Facebook
  • Donate
  • Careers
  • © 2025 Progressive Policy Institute. All Rights Reserved.
  • |
  • Privacy Policy
  • |
  • Privacy Settings