You hack, we shoot: Pentagon discusses armed counterstrikes to cyberattacks
Lawmakers and some Pentagon officials argue that the US should shift cyberdefense from 'How to build the next best firewall' to an offensive message: Those who attack US computers risk 'land-based attack'.
J. Scott Applewhite / AP / File
Lawmakers on Capitol Hill have delivered a stark warning to the Pentagon: its failure to address key questions surrounding how the United States military would respond to a cyberattack ‚Äď and what precisely constitutes an act of war in cyberspace, for that matter ‚Äď remains a ‚Äúsignificant gap‚ÄĚ in US national security policy.
Senior Pentagon officials for their part are griping, too, that the current Defense Department approach to cyberwarfare is ‚Äúway too predictable.‚ÄĚ Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, recently lamented that, in cyberspace, ‚Äúthere is no penalty for attacking [the US] right now. We've got to figure out a way to change that.‚ÄĚ
To that end, some senior defense officials are increasingly pushing for the US to retaliate against cyber-sieges with counterstrikes ‚Äď that could ultimately include launching a ‚Äúland-based attack‚ÄĚ on the perpetrator.
These signs point to a growing challenge within the Pentagon to the assumption that what happens in cyberspace stays in cyberspace, say analysts.
But it may also be stabilizing, she argues. ‚ÄúWhat the Pentagon and White House are trying to do is say that, in a circumstance when we have been attacked in a way that inflicts damage equivalent to an armed attack, we reserve the right to respond in kind,‚ÄĚ explains Dr. Lord, who has co-authored a recent CNAS report on ‚ÄúAmerica‚Äôs Cyber Future.‚ÄĚ
The Pentagon‚Äôs new strategy should focus on threatening retaliation, rather than improving defense against cyber-incursions, Cartwright said in remarks at a Defense Writers Group breakfast on July 14. The current approach is ‚Äúway too predictable. It‚Äôs purely defensive."
While the strategy now focuses on defending networks, Cartwright says the next phase must deliver a message "to the attacker, ‚ÄėIf you do this, the price to you is going to go up.' ‚ÄĚ
Lawmakers, for their part, have been urging the Pentagon to spell out how the military would respond if a particular cyberattack was indeed an act of war.
Although Congress last year demanded a ‚ÄúStrategy for Operating in Cyberspace‚ÄĚ by March, Defense officials did not deliver their final report until last week ‚Äď and what they did deliver, say lawmakers, was dangerously lacking in details.
This letter came on the heels of a lively confirmation hearing Tuesday for Madelyn Creedon as assistant secretary of Defense for global strategic affairs. Sen. John McCain, the top Republican on the committee, repeatedly pressed Ms. Creedon illustrate a potential consequence of a cyberattack against the US.
‚ÄúIf we knew who did it ... maybe it could be something that would deal with their ability to attack us further,‚ÄĚ she said. ‚ÄúIt could be a land-based attack.‚ÄĚ
Creedon cited Cartwright's estimation that 90 percent of the Pentagon‚Äôs approach to cyberattacks is, in his words, ‚ÄúHow to build the next best firewall,‚ÄĚ while 10 percent is ‚ÄúWhat we might do to prevent them from attacking us.‚ÄĚ
Those figures should be inverted, she told lawmakers, and the responsibilities shared.
‚ÄúWe need to shift from a mostly defensive position to ... at least 50-50 on the part of the US government," she said, with "90 [percent] offense and 10 percent defense‚ÄĚ for the military.
She added: "It's one of those longer-term goals."