DOD's challenge: Balancing bits and bombs
There were few surprises last month when Deputy Defense Secretary William Lynn formally unveiled the Defense Department’s strategy for operating in cyberspace. As had already been reported, it is a defensive strategy built on proportional response and the equivalence of electronic and kinetic attacks.
On the one hand, there were complaints that the strategy is not aggressive enough in ensuring consequences for those who would launch cyberattacks against the United States and, on the other hand, that it risks militarizing the Internet by reserving the right to respond with conventional weapons to electronic attacks.
But Lynn’s comments included three points that should reassure both camps.
DOD's 5-point cyber plan sees Internet as an 'operational zone'
Cyber Command still struggling to define cyber war
For those who want a more aggressive posture, there is the doctrine of equivalency. In the event of an attack, the United States will not distinguish between bits and bombs. If a cyberattack results in real damage or loss of life, we reserve the right to respond with traditional kinetic weapons as appropriate. At the present time, however, DOD has emphasized a defensive strategy of deterring attacks by denying the attacker benefits rather than threatening retaliation.
This is wise because, at the moment, attribution that would allow the military to respond aggressively to a cyberattack is a problem. It might be tempting to launch a cruise missile when a piece of malware disrupts a critical network, but who do we address it to? It might look like the packets came from China, North Korea or Venezuela, but it is unlikely an attacker would advertise his or her identity. And someone might want to frame an innocent third party.
Attribution still requires considerable forensic investigation and probably the use of traditional human intelligence to identify a cyber attacker with any degree of confidence. Because of this, “we cannot rely on the threat of retaliation alone,” Lynn said.
For those who worry that the Internet will be militarized by the doctrine of equivalency, Lynn explicitly said any response to a cyberattack would be made “under the laws of armed conflict.”
These are the laws that have, with varying degrees of success, helped to civilize modern warfare. Civilized warfare is an oxymoron, but the laws are intended to protect civilian populations and ensure that any military response is proportional to the action that prompts it. This means that we should not be throwing hand grenades at hackers, launching missiles against spammers or taking down an enemy’s civilian power grid. These laws have been broken in the past when convenient, and winners seldom are called to account, but Lynn’s statement that the United States intends to abide by them in cyberspace is a good sign.
And finally for both camps, its creators do not pretend that this strategy is a finished product. The cyberspace domain is too new and is changing too quickly to be fully understood. And its weapons, both offensive and defensive, are not mature. This strategy will evolve with time and experience. Lynn called it “one part of the effort to learn and change over time.”
It would be a mistake to be too aggressive in an arena we do not fully understand with tools and weapons with which we have little real-world experience. At the same time, it would be foolish to ignore the threats or allow potential aggressors to believe we are an easy target. The DOD strategy is a realistic first step toward addressing these concerns in a new domain.