“There is value in the US drawing a line and saying – ‘Hey, this really important, so if you mess with us in this area, we're going to take it seriously,’ ” says Dan Kuehl, a cyberwarfare expert and professor at National Defense University.
“The US has had a longstanding policy, that we're not just going to respond to cyberattacks with cyber,” a former US national security official said in an interview earlier this year. “If somebody really cripples the US electric grid, a nuclear power plant, or starts to kill people with cyberattacks we’re going to retaliate.”
Still, for at least 15 years, the US military has been wrestling with how to categorize cyberattacks against US systems – and whether or how they might fit within the international Law of Armed Combat, Dr. Kuehl says. How much damage does a cyberattack have to do to warrant a military response? Would the US retaliate even if it wasn't 100 percent sure about the source of the computer-based attack? If it can't be sure, is retaliation possible or ethical?
The document, as reported, seems to concur that cyberattacks against the US – and potentially those cyberattacks by the US itself – fit squarely under the umbrella of that international law, which governs the proportionality of any military response.
Still, because the document has yet to be released, it’s not clear yet whether it will have the president’s stamp and the force that entails – or whether it will have only the limited force that other defense documents laying out cyberwar policy have had thus far.