Pentagon finds another way to chase its tail: bombs in response to cyberattacks
'Missile down the smokestack' works better against enemy not working from mom's basement
The U.S. military's top brass have decided, after long deliberation and tens of thousands of attacks from opponents overseas, many embarrassingly successful, that computer sabotage from another country can sometimes be considered an act of war.
To the brass whose asset lists include boomers, door-kickers and trigger-pullers, the declaration means it may now be permissible to use traditional military force to respond to an attack online.
The real impact of the report – 30 pages in classified form and 12 in unclassified but unreleased form, according to the WSJ – is the conclusion that the U.S. Laws of Armed Conflict can be applied to cyberspace.
Not that applying that level of analysis or decision-making structure will make things clearer. The Laws of Armed Conflict are a conglomeration of best practices and rules of engagement pulled from various treaties, international law and sober considerations of whether a particular opponent has nuclear weapons or other off-putting military force, or whether it's a smaller nation the U.S. can invade safely after the .mil shuts down its radar, shoots down its plane and sinks its boat.
Among the Big Thoughts circulating slowly around under be-medalled uniform hats is the idea of "equivalence" in response. You hack my system, I hack yours; you disrupt my infrastructure, I turn you into a cloud of pink mist.
"If you shut down our power grid, maybe we will put a missile down one of your smokestacks," one anonymous military official told the Wall Street Journal.
While undoubtedly effective against hackers who leave clear trails back to their workstations – clustered in mom-basements clustered around smokestacks, the policy sounds more like the less-effective versions of Insurgent Whack-a-Mole than it does an effective response to online threats to U.S. security.
What the report doesn't address is the .mil's almost continuous and largely ineffective effort to slow or stop the stream of online attacks from China, Russia and countries with more virtual-boom military capability than the real kind.
Parties as yet unidentified, for example, may have hacked RSA earlier this year to get data they then used to gain entry to servers at a Lockheed Martin data center in Gaithersburg, Md. through a VPN, and attempted to access both information on customers and Lockheed's own projects – design information on F-16, F-22 and F-35 fighter jets, naval missile-warfare systems and THAAD missile-defense systems.
Data on the F-35 was reportedly stolen in a 2009 attack as well.
In 2007 part of the Pentagon network serving the defense secretary's office had to be shut down after a successful breach.
If that's not enough, for at least the last five years, China in particular has been wearing down security and to reveal secret data in U.S. military and civilian databases like a hose washing away a sand castle.
Russia has been no slouch, either, though most of the more public attacks seem to be commercially directed by organized crime than for flat-out espionage directed by the government.
(They may simply be more subtle than the Chinese, which has twice been able to get a look at inaccessible Internet traffic by having much of the Internet rerouted through its own servers for a little while. Even in more stealthy mode, the tremendously effective Chinese MO relies on spear-phishing techniques that shouldn't fool a relatively smart 14-year-old, let alone government operatives supposedly trained in sophisticated security techniques such as not giving secret passwords to strangers on the Internet.)
This newest report probably won't be much of an improvement, other than to validate the egos of foreign crackers, who will be Woot!ing each other in non-Western fonts and virtual high-fiving themselves at having been recognized as a threat by the big dogs they don't fear anyway.
The primary foreign-policy implication is to give the U.S. government permission to threaten foreign governments with physical retaliation for digital attacks.
In other words, the Pentagon doesn't have to find or shut down the Ukraine mafia sweatshop that's the source of a hack if the U.S. government can realistically threaten to bomb the bytes out of some valuable part of Ukraine if it doesn't shut the crackers down itself.
That's fine for grand cyber-powers who are more worried about losing their fighter jet than their kickbacks from the mafia.
It's less effective against China or Russia, which have more than one plane and more than one boat with which to resist or respond to a missile down the smokestack.
If this particular, sudden realization that the U.S. can be attacked online from overseas is an indication the U.S. military is going to coordinate and ramp up its own defenses and offensive capabilities – that's great.
It's 10 years late, but it's a great idea.
If it just means the Pentagon or someone in the current administration wants to create a way to saber-rattle in response to digital provocations as well as those in the physical world, it's a weak response that just barely acknowledges that cyberwar exists, let alone makes any progress toward defending against or winning one.