The Washington Post has a good article up today capturing comments issued by the United States military that it has the right to return fire when it comes to cyber attacks:
WASHINGTON — The U.S. should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker’s identity is unknown, the director of the National Security Agency told Congress. Lt. Gen. Keith Alexander, who is the Obama administration’s nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.
"Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario," Alexander said in a Senate document obtained by The Associated Press.
The three-star Army general laid out his views on Cyber Command and the military’s role in protecting computer networks in a 32-page Senate questionnaire. He answered the questions in preparation for a Senate Armed Services Committee hearing Thursday on his nomination to head Cyber Command.
Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has "responded to threats, intrusions and even attacks against us in cyberspace," and has conducted exercises and war games.
It’s unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations. In cyberspace, he said, it is difficult to deliver an effective response if the attacker’s identity is not known.
But commanders have clear rights to self-defense, he said. He added that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles … would be lawful."
Senators noted, in their questions, that police officers don’t have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.
This is an interesting point of view, and it extends from the United States’s policy that if it is attacked using conventional weapons, it reserves the right to counter respond in kind. This has been a long accept precept governing US foreign military policy for generations. Yet cyber attacks are different for a couple of reasons:
- In cyber attacks, it is not physical infrastructure that is being attacked, and civilians lives are not directly threatened. It’s a cat-and-mouse game and the response to a cyber attack is hard to respond to in like kind. In other words, how do you know how much damage that you want to do?
- The bolded part above, the second part, is convoluted. It is true that a police officer doesn’t have to know the identity of a shooter in order to shoot back. However, a police officer certainly knows who is shooting at him (or her) because they can see the direction from which the bullets are coming towards them. In other words, there is a line of sight. They don’t know the name of the shooter but they can definitely see them shooting.
In cyberspace, you may not even know who is attacking you. You might see the attacker but it doesn’t mean that the one doing the attacking is the one behind the attack. For example, in a DOS attack, networks of compromised computers would be attacking your infrastructure but the one behind the attack is not directly connecting to your network. Who do you counter attack? Do you do it in real time? There’s no point attacking the zombie computers because they don’t even know that they’re doing it. The analogous to law enforcement is a thriller/horror movie – some bad guy is able to take control of unsuspecting citizens and get them to commit crimes. The police would know the shooter but they’d be returning fire at the “wrong” person.
Continuing onwards in the article:
Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a "strategic vulnerability."
Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions.
This is a more realistic view, in my opinion. Probably the best step is knowing where your vulnerabilities are and trying to defend them. As some famous coach said, “Offence brings fans, but defense wins championships.” In other words, you can go on the offensive but weakness in your own systems can severely degrade and impair your ability launch an attack. If your internal systems are going haywire you can be totally disarmed and unable to launch a counterstrike.
Of course, once you do have your defensive ability up to snuff, or good enough, you will need a good offensive counterpunch. In boxing, if all you are doing is defending, eventually your attacker will wear you out as you absorb blow after blow (the exception being Homer Simpson where his opponents would hit him and tire themselves out and all he would have to do is push them over without throwing a single punch… the exception to that being Drederick Tatum). The rules of engagement for offensive counter strikes are more tricky. Does the US, after identifying a non-state actor attacking it, go after the actor themselves? Or do they pressure the government where the non-state actor is located to handle them? Or do they launch an attack on the government if they consider their enforcement lackadaisical? Or perhaps even intentionally sheltering cyber attackers?
I suppose that for this, the standard military rules of engagement apply.