DoD’s cyber fail-safe dilemma
The Pentagon doesn’t like to talk about its offensive cyber-capabilities, but it’s ready to use them if ordered by the president, according to a report Tuesday.
The WaPo’s Ellen Nakashima has a very interesting blog post that cites a new DoD report to Congress:
The Pentagon has laid out its most explicit cyberwarfare policy to date, stating that if directed by the president, it will launch “offensive cyber operations” in response to hostile acts. Those hostile acts may include “significant cyber attacks directed against the U.S. economy, government or military,” Defense Department officials stated in a long-overdue report to Congress released late Monday.
But the report, obtained by The Washington Post, is still silent on a number of important issues, such as rules of engagement outside designated battle zones — a sign of how challenging the policy debate is in the newest and most complex realm of warfare.
It is what it is, right? Of course the military services would act if ordered by the president. The brass today views cyber as just another “venue” of warfare — along with land, air, sea and space. And yet, as we know, it’s not as simple as that. Continues Nakashima:
The new report, though, reflects the tensions inherent in cyber policy. Taken with past budget documents, it suggests a need for automated, pre-approved responses to some hostile acts in cyberspace. But the report makes clear that offensive actions will be carried out only as directed by the president. And it states that specific rules of engagement for the defense of computer networks have been approved for “areas of hostilities” or battle zones. There is just one area of hostility today — Afghanistan.
“The question is, how, and to what extent, are they thinking about automated responses?” said Herbert Lin, a cyber expert at the National Academy of Sciences. Such responses, he said, “are fraught with danger. Without people in the loop, you’re much more likely to do unintended stuff.”
Quite. And yet, given the milliseconds American cyber-operators — or, rather, their computers — might have to respond in case of a concerted attack, there may be no other choice but to set up automated protocols. But how? If an attack could come from anywhere and target any system, there’s no way for planners to sit down the way they might have back in the bad old days, when they could say, “Well, if the Soviets do this, this or this, we’ll do that, that or that.”
Here’s some pure speculation: If DoD has taken the authority for a cyber-attack out of its own uniformed leaders’ hands and given it to the president, does that make it equivalent to the authority to use nuclear weapons? And if so, does that mean DoD’s cyber-capabilities — the ones it never wants to discuss — are, in their way, equivalent to nuclear weapons? The Internet began its life as a U.S. military creation, and although it has grown beyond anything its original inventors dreamed of, you know how the Pentagon is: Marine Gen. James Mattis summed it up nicely when he said: “Be polite, be professional, but have a plan to kill everyone you meet.”
Maybe the cyber-warfare equivalent is that DoD has been planning all along for how to go after networks, and it’s so confident about it’s ability to wreak destruction that it believes only the president should be able to give the go-ahead.