Lawmakers on Capitol Hill have delivered a stark warning to the Pentagon: its failure to address key questions surrounding how the United States military would respond to a cyberattack – and what precisely constitutes an act of war in cyberspace, for that matter – remains a “significant gap” in US national security policy.
Senior Pentagon officials for their part are griping, too, that the current Defense Department approach to cyberwarfare is “way too predictable.” Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, recently lamented that, in cyberspace, “there is no penalty for attacking [the US] right now. We've got to figure out a way to change that.”
To that end, some senior defense officials are increasingly pushing for the US to retaliate against cyber-sieges with counterstrikes – that could ultimately include launching a “land-based attack” on the perpetrator.
These signs point to a growing challenge within the Pentagon to the assumption that what happens in cyberspace stays in cyberspace, say analysts.
An armed counterstrike to a cyberattack “sounds so provocative,” says Kristin Lord, director of studies at the Center for a New American Security (CNAS).
But it may also be stabilizing, she argues. “What the Pentagon and White House are trying to do is say that, in a circumstance when we have been attacked in a way that inflicts damage equivalent to an armed attack, we reserve the right to respond in kind,” explains Dr. Lord, who has co-authored a recent CNAS report on “America’s Cyber Future.”
The Pentagon’s new strategy should focus on threatening retaliation, rather than improving defense against cyber-incursions, Cartwright said in remarks at a Defense Writers Group breakfast on July 14. The current approach is “way too predictable. It’s purely defensive.”
While the strategy now focuses on defending networks, Cartwright says the next phase must deliver a message “to the attacker, ‘If you do this, the price to you is going to go up.’ ”
Lawmakers, for their part, have been urging the Pentagon to spell out how the military would respond if a particular cyberattack was indeed an act of war.
Although Congress last year demanded a “Strategy for Operating in Cyberspace” by March, Defense officials did not deliver their final report until last week – and what they did deliver, say lawmakers, was dangerously lacking in details.
The Pentagon's obligations "remain unmet," wrote the Senate Armed Services Committee in a letter to Defense Secretary Leon Panetta Wednesday.
This letter came on the heels of a lively confirmation hearing Tuesday for Madelyn Creedon as assistant secretary of Defense for global strategic affairs. Sen. John McCain, the top Republican on the committee, repeatedly pressed Ms. Creedon to illustrate a potential consequence of a cyberattack against the US.
“If we knew who did it ... maybe it could be something that would deal with their ability to attack us further,” she said. “It could be a land-based attack.”
Creedon cited Cartwright's estimation that 90 percent of the Pentagon’s approach to cyberattacks is, in his words, “How to build the next best firewall,” while 10 percent is “What we might do to prevent them from attacking us.”
Those figures should be inverted, she told lawmakers, and the responsibilities shared.
“We need to shift from a mostly defensive position to ... at least 50-50 on the part of the US government,” she said, with “90 [percent] offense and 10 percent defense” for the military.
She added: "It's one of those longer-term goals."