DoD: Cyber attack is act of war

The Pentagon's new cyber-strategy will lay down a warning for potential cyber-miscreants, but everything depends on the details.

The United States could respond to a cyber-attack with real-life military retaliation, DoD will say in its pending cyber-strategy, the Wall Street Journal’s Siobhan Gorman and Julian Barnes report. Military officials hope that making such a proclamation will deter potential bad guys from attempting a “Die Hard 4” scenario, shutting down power grids, traffic lights, cell phone networks or other essential infrastructure.

Wrote Gorman and Barnes:

“If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.

Recent attacks on the Pentagon’s own systems—as well as the sabotaging of Iran’s nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact.

The report will also spark a debate over a range of sensitive issues the Pentagon left unaddressed, including whether the U.S. can ever be certain about an attack’s origin, and how to define when computer sabotage is serious enough to constitute an act of war. These questions have already been a topic of dispute within the military.

One idea gaining momentum at the Pentagon is the notion of “equivalence.” If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a “use of force” consideration, which could merit retaliation.

It’s a fascinating concept, and could be the rare situation in which a Pentagon strategy document includes something new, rather than just buzzwords, happy talk and pretty pictures. The “equivalence” doctrine especially would make for very interesting reading: You can imagine a two-column chart with causes and effects; on one side it would say “East Coast blackout,” and next to it would say, “10-15 JDAMs.”

But realistically, it’s hard to imagine the cyber-strategy will have any deterrent effect on potential cyber attackers. It’s very difficult to prove conclusively where such attacks actually come from, and even if you did, could the military respond quickly enough with an air strike or a special operations raid to get the bad guys? Not only that, let’s be honest here: Our own government says that Chinese hackers already are constantly probing defense and other networks in the U.S., and presumably have spent years vacuuming up who knows what. Is the U.S. willing to start a hot war over that?