How far can foreign hackers go before Pentagon has to blow someone up?
First cyberspace rules of engagement lay out area to be protected, potential for violent countermeasures
The Pentagon put out a report Tuesday that sounds like the worst sort of bureaucratic administrivia, but actually defines the heart of what the military does and how it chooses to do ethically the ugly things it's required to do – but for cyberspace.
The report provides the beginning of a set of answers that will let digital warfighters know what kinds of attack deserve simply to be turned back and which merit a visit from the kind of high-speed packet that goes "boom" when it arrives.
The report – rules of engagement for cyberspace – starts the long process of developing rules that will do for cyberspace security forces what Rules of Engagement do for fire teams in the field in Afghanistan or Iraq – name the enemy and say what the difference is between a measured response and murder.
Farther away from the shooting, where people talk about tribes rather than targets, people in suits talk not about ROE, but about policy, strategy or doctrine.
They both answer the same questions: Who is the enemy? How do I know when I'm being attacked? How should I fight back? What will happen to me when I do?
It sounds like administrivia. It's the difference between brutal authoritarian violence and ordered, controlled warfare that may still be hell, but not a circle as deep as if there were no rules at all.
Who is the enemy and when should I kill him?
The Pentagon issued a set of rules like that today to provide for cyberspace the kind of legal, military and political criteria that have been evolving over, literally, thousands of years to separate war from peace, chaos from order, murder from victory.
The game is not completely different online. The enemies are the same, or nearly the same. It's as clear when you're under a serious attack in cyberspace as it is when you're in the real world, even if it's a lot less exciting and the stakes are incomparably lower.
More explicit than ever before, but still not what you'd call clear – the report promises the U.S. will launch "offensive cyber operations" in response to attacks.
It does not say what those responses will be. It does say acts that qualify for violent response include "significant cyber attacks directed against the U.S. economy, government or military," that the goal would be to "deny" the enemy any benefit from an attack and create enough offensive capability that anyone contemplating an attack against the U.S. would know doing so "would be taking a grave risk."
According to a May article in the Washington Post, approved cyber weapons include malware that will penetrate a foreign network and leave behind a virus that can launch on its own later (a la Stuxnet).
Any such attack or counterattack would require the permission of the president, would have to be proportional to the threat and would have to be effective against the enemy, but not impose undue damage on civilians or systems uninvolved in the attack.
What are you trying to defend?
The U.S. Cyber Command's report contained such broad definitions of the battle "domain" – the area within the Internet defined and defended by the United States – that nearly anything remotely connected to the United States would qualify as a target that could merit a counterattack.
Also unclear is the difference between an attack intended as an act of war and one that is an attempt at espionage.
The report didn't define the difference closely, but did say the two categories of digital mayhem each require a different response.
The "Cyber Domain" includes telecom networks, the Internet, computer systems, processors, controllers or other systems in industries critical to the economy or defense of the U.S.
In a report to Congress last month, the Office of the National Counterintelligence Executive said Russia and China especially are aggressive in their espionage attacks on the U.S. and that the Pentagon has to be aggressive in responding to them.
If we can't stop you, we'll shoot you
The Pentagon is trying to build stronger defenses to stop frequent incursions from outside the country, and to build offensive abilities to deter attackers who realize there is little direct, immediate threat of violence or other downside to attacking the U.S. online.
That will take time, as will more detailed descriptions of tipping points, triggers, violations, offenses and other behavior that might trigger an electronic counter-response.
The final point was one the Pentagon has made before, though: If the U.S. is attacked through the Internet to a serious enough degree, the Pentagon wants to reserve the right to attack the enemy's meatspace, not just its firewalls.
"When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country," the report read. "We reserve the right to use all necessary means - diplomatic, informational, military and economic - to defend our nation, our allies, our partners and our interests."
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.