A formal Pentagon cyber strategy may define which acts of digital sabotage constitute acts of war that warrant conventional military retaliation, but cases clear-cut enough to justify such retaliation may be few and far between, experts say.
The problem is attribution -- identifying that an attack comes from the government of another sovereign state so its assets can be attacked, they say.
"The U.S. military is setting itself up for failure because attribution is difficult, and it's easy to spoof your identity thereby falsely implicating the wrong government or group," says Jay Bavisi, president of EC-Council, an international cyber security education body. "A military attack could be misplaced, as a result, but at the same time not responding will now be seen as a sign of weakness."
The pending publication of a cyber war strategy from the Pentagon next month was reported by the Wall Street Journal, and drew interest because it promises to justify bombs and troops as appropriate responses to data theft and worms.
A string of similar recent announcements from other countries has raised the volume about if and when it's appropriate to answer a cyber attack with a physical response, or what would amount to a more traditional act of war.
But conclusively determining the source of attacks is difficult. An attack might be traced to computers in a given country, but that doesn't mean the government of that country is behind it, Bavisi says. It might be launched by zombie machines in that country that are controlled by someone else.
Still, clearly stating what the consequences would be might be an effective deterrent. "If we can source an attack, we could take appropriate action," says John Pironti, president of IP Architects security consulting. "This would set a framework for the level of activity we might take. What a measured response would look like might be a bomb."
A few highly visible actions against countries that do make these attacks might make others think twice before inviting dire consequences, says Andy Purdy, chief cyber security strategist for Computer Sciences Corporation (CSC) and former director of the national cyber security division of the Department of Homeland Security.
"This preparation is appropriate and positive," he says. "It's clear we need greater clarity between cyber attacks and the laws of armed conflict."
Responding with equivalency is the key to cyber war just as it is in traditional warfare, he says. Retaliation needs to be in proportion with the severity of the assault. Responses need to be appropriate so they are admissible under international law, Purdy says.
Formalizing a policy -- stating what the U.S. will do if attacked in cyber space -- may push international organizations to develop and accept international codes of behavior for cyberwar. What is needed is acknowledgment that nations have a right to respond, he says.
Attacks on power grids, for example, could be considered acts of war because they threaten lives or can result in physical destruction, say, of the power grid itself or of industrial production capacity. In such a case, he says, military response might be proper because it could be a means for bringing about similar consequences for the enemy.
Some basic principles that ought to be followed are clear, Purdy says. If an attack against a power grid were in progress and damage could endanger lives, striking back in a narrow, focused attack against its source would clearly be self defense and appropriate, he says.
But there will be gray areas that need to be resolved. "We need greater clarity between cyber attacks and the laws of armed conflict," he says.
A sound policy also needs to address what authority is needed in order for the U.S. to respond and whether it is adequate, Purdy says. "It's not as clear as it needs to be," he says.
Pironti says sourcing an attack is key and that is also very difficult. The better the attacker -- and nations have the resources for creating the most effective attacks -- the better he can hide, he says.
Stuxnet, for example, was so sophisticated that very few groups would be capable of carrying it off, so nations are suspected of creating it, but there is no conclusive evidence to lay it on any country's doorstep, he says.
Even if an attack is sourced to a particular country, how can it be pinned on the government? It could be rogue elements inside the country. They may consider themselves patriots but not be directed by the government.
Basic to the formal Pentagon strategy will be a definition of what constitutes cyberwar, something that has proved difficult to do, Bavisi says. Without that no one can know what cyberwar looks like, when it starts and stops. "We're trying to defend against something we can't even define," he says.
Is a formal Pentagon policy just saber rattling? "It will be difficult for it to be anything else at this moment," Bavisi says.
This story, "US Readies Cyberwar Strategy" was originally published by Network World.