A US cyberwar doctrine? Pentagon document seen as first step, and a warning.

Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an “act of war,” according to new Defense Department cyberwarfare policies that have yet to be officially unveiled.

A not-yet-released Pentagon document outlining US military cyberwarfare doctrine cites the example of cybersabotage – the use of a malicious computer program to attack US infrastructure or military systems – which could under new policy guidelines elicit a response of American bombs and bullets, according to a Wall Street Journal article Tuesday that revealed the existence of the document.

The document, which reportedly includes an unclassified as well as a secret portion, is described as partly policy document – and partly a warning to any future adversaries to step gingerly – or else. It discusses the idea of “equivalence” – a military concept whose premise is that if a cyberattack causes destruction and death or significant disruption, then the “use of force” in response should be considered, the Journal reported.

If the new Pentagon document does indeed lay out what the United States considers an “attack” worthy of a military response to be, it would be a key move toward a far more coherent policy on responding to cyberattacks, experts say.

“There is value in the US drawing a line and saying – ‘Hey, this really important, so if you mess with us in this area, we're going to take it seriously,’ ” says Dan Kuehl, a cyberwarfare expert and professor at National Defense University.

“The US has had a longstanding policy, that we're not just going to respond to cyberattacks with cyber,” a former US national security official said in an interview earlier this year. “If somebody really cripples the US electric grid, a nuclear power plant, or starts to kill people with cyberattacks we’re going to retaliate.”

Still, for at least 15 years, the US military has been wrestling with how to categorize cyberattacks against US systems – and whether or how they might fit within the international Law of Armed Combat, Dr. Kuehl says. How much damage does a cyberattack have to do to warrant a military response? Would the US retaliate even if it wasn't 100 percent sure about the source of the computer-based attack? If it can't be sure, is retaliation possible or ethical?

The document, as reported, seems to concur that cyberattacks against the US – and potentially those cyberattacks by the US itself – fit squarely under the umbrella of that international law, which governs the proportionality of any military response.

'Important first step'

Still, because the document has yet to be released, it’s not clear yet whether it will have the president’s stamp and the force that entails – or whether it will have only the limited force that other defense documents laying out cyberwar policy have had thus far.

“If this turns out to be a national policy rather than just a Department of Defense document, then I think it would be an important first step,” says Michael Vatis, a partner at the New York law firm Steptoe & Johnson. He served on a National Research Council committee that produced a seminal 2009 study on the legal and ethical issues surrounding US use of cyberweapons. “The document, as it has been reported, suggests an advance or maturation in government thinking,” he says.

With America's military, government, and corporate networks under constant assault from hackers, computer viruses and other malicious software, the question of just what constitutes a cyberattack worthy of a full-throated US military response has been a growing question mark – and a gap in US war doctrine, cyberwar experts say.

The attack on Lockheed Martin this past week probably would not qualify as a “cyberattack” under previous cyberwar doctrine. But any attempt by an adversary to slow down deployment of a carrier battle group probably would be an act of war.

Any new policy will have to guide the actions of the US, as the world’s leading cyber superpower, as well. Several experts believe Israel and the US may well have worked together to deploy Stuxnet – the world’s first confirmed cyberweapon – against Iran’s nuclear fuel enrichment facility at Natanz. If the US was involved in Stuxnet, was that an act of war – or simply enforcing international sanctions?

“There has been no clear boundary there in cyber,” the former US national security official says. “You lay out frameworks for thinking about whether a certain set of activities are an act of war – but determining something is an act of war is a political decision. It’s not something you write into statute.”

The benefit of vague definitions

In fact, it’s best that any document purporting to lay out what the US considers to be a cyberattack be left somewhat fuzzy – in order to keep potential attackers off guard, and to leave the president and his generals with an array of options. Otherwise, an attacker could simply walk up to the line – and back off – exploiting US definitions.

“You shouldn't draw white lines in advance,” the former national security official says. “There’s a body of literature that would say keep it vague. Still, it’s increasingly clear, that if something happens in cyberspace, if it’s significant enough, we’ll use the full range of national means available to punish or address the situation.”

Of course, the question of “who did it” still remains. Attributing a cyberattack can be fiendishly difficult given the Internet’s ability to cloak attacks, with commands going through computers in many countries. Who does the US retaliate against if an attack comes from a computer in New Orleans or New York?

For that reason, the US has been working flat out on the attribution problem. It also created a new Cyber Command in 2010 to defend the nation and conduct offensive cyberattacks. In the meantime, military theoreticians have been busily churning out documents with titles like: “Defending a New Domain: The Pentagon's Cyberstrategy” or “Warfare by Internet: the logic of strategic deterrence, defense and attack.”

'It's 1946 in cyber'

But the pressure to come to terms with the difficulty of doing battle and defending cyberspace important to the US continues to grow. Consulting groups, academics and others have formed organizations and are now churning out papers exploring the intellectual underpinning of cyberwar doctrine.

“Here's the problem – it's 1946 in cyber,” James Mulvenon, a founding member of the Cyber Conflict Studies Association, a nonprofit group in Washington said in an interview earlier this year. Not unlike the dawning nuclear era after World War II, “we have these potent new weapons, but we don’t have all the conceptual and doctrinal thinking that supports those weapons or any kind of deterrence.”

Even if that overarching problem is not going to be solved by the Pentagon cyberwarfare document when it is unveiled, it still could be a “good first step,” says Mr. Vatis. Others agree its high time the US put the world on notice on at least some aspects of what will and won’t be tolerated in cyberspace.

“What makes this important is that everyday that goes by more and more of what our society, economy, and military depends upon to make the system work happens in cyberspace,” Kuehl says. “Some lines in the sand need to be laid down.”