June 06, 2011, 6:26 AM — The Pentagon is expected to announce a cyberstrategy this month that concludes a cyberattack on the U.S. can be an act of war, and while the damage from such an assault may warrant that position, hopefully this just amounts to loud barking given the perils involved.
The Wall Street Journal says the Pentagon's 30-page document (18 pages of which are classified) broaches the idea of the U.S. using military force to respond to a nation-backed cyberattack. The gist: If an attack caused significant damage to our economy, infrastructure or people, the U.S. could respond with an equivalent amount of military force.
The tacit admission here is that our digital crown jewels are insecure enough to warrant this scabbard rattle. While we know our networks are under constant attack, and the government showed as far back as 2007 in the Aurora experiment that a hacker could destroy a generator, perhaps we're more vulnerable than they are letting on.
As if to emphasize the point, just last week defense contractor Lockheed Martin was the target of a "significant and tenacious attack," although the company declined to release more details.
But crafting a position about how we might respond to cyberattacks and actually responding are two different things. Questions abound.
First and most obvious, how do you adequately ascertain who attacked? Stuxnet, after all, has defied efforts to pinpoint the source (or so we are led to believe).
Worse, what if part of the intent of an attack is to mislead us about the source? Spoofing is an art unto itself, but if these are nationally driven attacks, presumably we are talking about the top people in the game so it would certainly be within their grasp.
Related to that, what if the attack emanated from a country but wasn't state-sponsored? How do you determine culpability? How complex does the effort have to be to indicate state-level support?
And to emphasize the folly of that, turn it around into a goose and gander question. What happens when an attack on a country was clearly launched from the U.S.? How do we establish that it wasn't us?