Based largely on Deputy Secretary of Defense William Lynn’s recent article in Foreign Affairs, this piece outlines the offensive technologies and policies that the U.S. is considering in the area of cybersecurity.
The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary’s computer network overseas – but it is still wrestling with how to pursue the strategy legally.
But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries’ sovereignty.
Some officials and experts say they doubt the technology exists to use such capabilities effectively, and they question the need for such measures when, they say, traditional defensive steps such as updating firewalls, protecting computer ports and changing passwords are not always taken.
Still, the deployment of such hardware and software would be the next logical step in a cyber strategy outlined last week by Deputy Secretary of Defense William J. Lynn III. The strategy turns on the “active defense” of military computer systems, what he called a “fundamental shift in the U.S. approach to network defense.”
The military’s dismantling in 2008 of a Saudi Web site that U.S. officials suspected of facilitating suicide bombers in Iraq also inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, for example, and the Obama administration put a moratorium on such network warfare actions until clear rules could be established.
Still, taking action against an attacker’s computer in another country may well violate a country’s sovereignty, experts said. And government lawyers have questioned whether the Pentagon has the legal authority to take certain actions – such as shutting down a network in a country with which the United States is not at war. The CIA has argued that doing so constitutes a “covert” action that only it has the authority to carry out, and only with a presidential order.
Policymakers also are grappling with questions of international law. “We are having a big debate about what constitutes the use of force or an armed attack in cyberspace,” said Herbert S. Lin, a cyber expert with the National Research Council of the National Academy of Sciences. “We need to know where those lines are so that we don’t cross them ourselves when we conduct offensive actions in cyberspace against other nations.”
Yet another example of someone who should know better manufacturing ambiguity where it does not exist. What constitutes “use of force” and “armed attack” is the same as it was before, is still based on the same treaties and norms of international behavior as before. See Michael Schmitt’s work on developing metrics for determining when cyber attacks constitute “used of force” or “armed attack” under international law.
The industry official said his concern is “the militarization” of the international dialogue. “Any time Pentagon leaders start using the terms ‘active defense,’ ” he said, “then my concern is that foreign countries use that as a basis for their doctrine, starting a cycle of tit for tat.”