What's the News: Cyber attacks undertaken by another nation can be considered an act of war, according to a new Pentagon policy to be released in the next month. If you mess with the US online, the Pentagon has decided, it may retaliate offline, in the form of bombs, missiles, and other very real attacks. One military official sums it up thusly to the Wall Street Journal, which broke the story: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks." How exactly this stance will be put into practice, though, isn't clear.
What's the Context:
This document is the Pentagon's first attempt to codify a policy on cyber attacks. It's in response to several prominent hacks in the last few years: three years ago, US military computers were infiltrated by a virus hiding in a thumb drive; in 2010 Iranian nuclear centrifuges were knocked out of commission by the Stuxnet virus, which seems to have originated in Israel; and just this weekend, major military contractor Lockheed Martin admitted that its systems had been breached, though it said no information had been compromised.
It's an update to the laws of armed conflict, a set of rules governing warfare that are pulled together from various treaties (similar to the way case law is developed). Officials say that the US's response will be in proportion to the damage caused by an online attack: to justify use of force, they will have to show that the effect is the equivalent of what could be done with more conventional weapons of war. If, for instance, a foreign power builds a virus that causes fatal crashes in train systems across the country, the US's reaction would in theory be the same as if the attack had been accomplished with bombs.
The military has also developed a list of cyber-weapons and the situations in which they can be used, the Washington Post reported yesterday. The list has been in use for several months by various security agencies and specifies when a tailored computer virus needs the president's approval and when it doesn't.
Not So Fast:
It's all well and good to say that if another nation launches a cyber attack against the United States that causes serious mayhem, the US will retaliate. But how will the government know where the attack truly originated---it's not hard to fudge IP addresses, after all---and whether a country's government, as opposed to a disgruntled hacker, was behind it? As the WSJ notes, previous cyber attacks, such as the one that struck Georgia during its 2008 war with Russia, have been hard to trace to their sources.
The Future Holds: Unclassified sections of the Pentagon's policy--about 12 pages out of the 30-page document--will be available next month. Stay tuned for further discussion on its implications.
Image credit: randomduck/flickr