In the November 2011 Section 934 report issued to Congress, the U.S. Department of Defense (DOD) stated that it will use force if warranted to defend the nation from cyber attacks, and that it will ensure that the U.S. military has all the necessary capabilities in cyberspace to protect its interests.
“The language here is interesting for several reasons. First, it reserves the right to defend, not just the nation, but various other related interests as well,” commented ESET’s Cameron Camp.
He was speaking to the language used by the DOD in their fiscal cyberspace policy report, which explains their view almost immediately.
“When warranted, we will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we reserve the right to use all necessary means—diplomatic, informational, military, and economic—to defend our Nation, our Allies, our partners, and our interests,” the DOD stated.
“In doing so, we will exhaust all options prior to using force whenever we can; we will carefully weigh the costs and risks of action against the costs of inaction; and we will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support wherever possible. For its part, DoD will ensure that the U.S. military continues to have all necessary capabilities in cyberspace to defend the United States and its interests, as it does across all domains.”
Camp noted that the DOD’s policy language cast a wide net as it covers the use of proxy force if it meets the burden of being in the U.S.’s interests. “Speaking of proxies, chained multiple proxies used to anonymize the origin of the cyber attack traffic could lead efforts at attribution on wild goose chases that could span the globe.”
In their policy outline, the DOD focused on two principal mechanisms - denial and cost imposition for aggressive actions.
“Accordingly, DoD will continue to strengthen its defenses and support efforts to improve the cybersecurity of our government, critical infrastructure, and Nation. By denying or minimizing the benefit of malicious activity in cyberspace, the United States will discourage adversaries from attacking or exploiting our networks,” the report said.
While not pre-emptive, Camp said, the wording is certainly phrased in a potentially aggressive tone.
“One can only wonder if this will usher in a fresh new arms race, this time not governed by the amount of missiles, tanks, ships and planes, but by networks, hackers, bandwidth and street smart young kids to run the whole thing... And what about aligning aggressive acts along national borders?
“Acts of cyber aggression are often carried out by communities of interest, not always groups within a certain national border, so would a military response leveled against a nation as a physical attack work? This has been a long-running discussion, centering especially on hacktivism groups.”