The Pentagon’s new 33-page cybersecurity strategy is an important evolution in how America proposes to address a top national security threat. It is intended to warn adversaries — especially China, Russia, Iran and North Korea — that the United States is prepared to retaliate, if necessary, against cyberattacks and is developing the weapons to do so.
Preparing for Warfare in Cyberspace
by The New York Times Editorial Board
http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html
The Pentagon’s new 33-page cybersecurity strategy is an important evolution in how America proposes to address a top national security threat. It is intended to warn adversaries — especially China, Russia, Iran and North Korea — that the United States is prepared to retaliate, if necessary, against cyberattacks and is developing the weapons to do so.
As The Times recently reported, Russian hackers swept up some of President Obama’s email correspondence last year. Although the breach apparently affected only the White House’s unclassified computers, it was more intrusive and worrisome than publicly acknowledged and is a chilling example of how determined adversaries can penetrate the government system.
The United States’ cybersecurity efforts have typically focused on defending computer networks against hackers, criminals and foreign governments. Playing defense is still important, and the Obama administration has started to push Silicon Valley’s software companies to join in that fight. But the focus has shifted to developing the malware and other technologies that would give the United States offensive weapons should circumstances require disrupting an adversary’s network.
The strategy document provides some overdue transparency about a military program that is expected to increase to 6,200 workers in a few years and costs billions of dollars annually. Officials apparently hope talking more openly about America’s plans will deter adversaries who view cyberattacks as a cheap way to gather intelligence from more destructive operations.
The cyberthreat is “increasing in severity and sophistication,” Defense Secretary Ashton Carter said last week. Recent attacks — Russian intrusions against the Pentagon, State Department and White House as well as North Korea’s 2014 attack on Sony Pictures — have driven home that point. One worry is that investing in offensive tools and planning could militarize cyberspace and create a new front for conflict. More than a dozen other countries are making similar investments.
The new strategy, though overly broad in some of its language, begins to lay out the conditions under which the United States would use cyberweapons. Detecting and fending off routine attacks on American assets, like theft of intellectual property, would be the responsibility of private companies, which control 90 percent of the cybernetworks. In complex cases, the Department of Homeland Security would be responsible for detecting attacks and helping the private sector defend against them.
The government would have a “limited and specific role” in defending against the most serious attacks (estimated at about 2 percent of all attacks), described as involving “loss of life, significant damage to property, serious adverse U.S. foreign policy consequences or serious economic impact on the United States.”
At first, the government would use network defenses, and law enforcement agencies like the F.B.I. would respond. Then, if ordered by the president, the military could conduct operations to counter “an imminent or ongoing attack against the U.S. homeland or U.S. interests in cyberspace.”
It is essential that the laws of armed conflict that govern conventional warfare, which call for proportional response and reducing harm to civilians, are followed in any offensive cyberoperations. With so many government agencies involved in cybersecurity — the National Security Agency, the Department of Homeland Security, the Central Intelligence Agency, the F.B.I. and the Pentagon — the potential for turf fights and duplication is high.
The new strategy is the latest evidence that President Obama, having given up on Congress, is putting together his own response to the challenge. Since this is a global issue, still needed are international understandings about what constitutes cyberaggression and how governments should respond.