...but shoot WHO...with WHAT?
Lawmakers on Capitol Hill have delivered a stark warning to the Pentagon: its failure to address key questions surrounding how the United States military would respond to a cyberattack – and what precisely constitutes an act of war in cyberspace, for that matter – remains a “significant gap” in US national security policy.
Senior Pentagon officials for their part are griping, too, that the current Defense Department approach to cyberwarfare is “way too predictable.” Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, recently lamented that, in cyberspace, “there is no penalty for attacking [the US] right now. We've got to figure out a way to change that.”
To that end, some senior defense officials are increasingly pushing for the US to retaliate against cyber-sieges with counterstrikes – that could ultimately include launching a “land-based attack” on the perpetrator.
This article vacilates back and forth between kinetic response and cyber (sic) response. It is tough to gauge just what it is Defense policy makers want to do.
Interesting views on warfare are heard when coursing through the hallways at USCYBERCOM (a place I've had opportunity to visit). One maxim that one hears is that, unlike traditional warfare, in cyberspace the offense is the stronger of the two. Another is that cyberspace defies sports analogy because offense and defense occur simultaneously. (My current client once opined that two-ball combat soccer may be the only appropriate sports metaphor.)
One thing the cyberspace domain zealots forgot to do when making their pronouncement was to define things like "offense", "maneuver" and other terms of reference so that it may be properly integrated with other military categories.
General Cartwright's laments that it should be 90% offense and 10% are interesting, but presumes a definition of "offense" that does not yet exist. I get his point but I do not think the will exists to go anywhere near that ratio. Also, is kinetics part of that 90% or is he strictly speaking to "cyber" action.
It will be interesting to see how this debate takes shape in the coming days, weeks and months, especially now that we have Defense strategy and are awaiting companion strategies from State, Commerce, and other Cabinet Departments with an interest.
The companion link, entitled "10 Ways to Prevent Cyberconflict" is a combination of a gigglefest and a "really? no kidding" list. To wit:
Start cyberwar limitation talks
Tighten network security
Compel nations to assist those under attack
Define what a cyberwar is
Hold nations responsible for attacks
Ban the 'first use' of cyberweapons against civilian infrastructure, such as the power grid.
Launch an environmental-like initiative to clean up the Internet
Invent technology to safeguard networks
Rewrite cybersecurity laws
Make infrastructure more secure
The giggle part is where the cyberwar talks preceed the definition of cyberwar, and "compelling assistance". The "no kidding" part are items like secure the network by inventing things to secure the network. Also, the vast majority of these are defensive (and arguably "peacenik") suggestions. The treaty is a howler since the US is the only ones who would probably actually comply (while killing ourselves in the process).
This is going to be an big, ugly bear to wrestle. Maybe the multi-headed Hydra is a better analogy...