The U.S. military can fight on land, in the air, at sea and in space. Now it has a strategy for operations in a new domain: cyberspace.
Under a new plan unveiled Thursday, the Defense Department said it is preparing to treat cyberspace "as an operational domain," with forces specially organized, trained and equipped to deal with cyberthreats and opportunities.
The strategy presumes that "cyberattacks will be a significant component of any future conflict" and that the United States must be prepared to retaliate, possibly even with military force.
"The United States reserves the right, under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of its choosing," Deputy Defense Secretary William Lynn said.
A cyberattack on the United States could prompt a military response under the Pentagon guidelines, however, only if it qualified as "an act of war," with effects comparable to those brought about under a traditional "kinetic" or physical attack, and it would be up to the president to make that judgment.
"If there is massive damage, massive human losses, [or] significant economic damage, it would be in those circumstances that I think the president would consider all the tools that he has — economic, diplomatic and as a last resort, military," Lynn said in remarks introducing the new cyberstrategy.
Theft Of 24,000 Files
The Pentagon plan highlighted efforts by foreign governments to penetrate Defense Department networks and steal sensitive data. In one example cited by Lynn, a foreign intelligence service apparently acquired 24,000 files from a Pentagon contractor in March. "A nation state was behind it," Lynn said, though he would not identify the government.
Lynn said other cyberthefts resulted in the loss of sensitive data concerning "aircraft avionics, surveillance technologies, satellite communications systems and network security protocols." Normally, Pentagon officials are far less specific in describing their losses from cybertheft.
The Pentagon's emphasis on cyberthreats and its warning that cyberattacks could prompt military retaliation has prompted some debate within the U.S. government, with some agencies concerned that a result could be a "militarization" of cyberspace. One of the more controversial aspects of the Pentagon strategy was its official designation of cyberspace as a potential war-fighting domain.
Too Much Focus On War?
The White House cybersecurity adviser, Howard Schmidt, is among those who have argued that too much attention on war scenarios diverts attention from more pressing cybersecurity challenges and mischaracterizes current cyber intrusions.
"My father was in a war. My son's been in a war. I've been in a war. And this is not what we're going through right now," Schmidt said in a recent interview with NPR.
The Pentagon's new strategy contrasts with cyber agendas pursued in other U.S. government agencies, where the focus is on such issues as Internet commerce and the exchange of information.
"We have to recognize that cyberspace is predominately a civilian space used predominately for civilian purposes," said Christopher Painter, the new cyberpolicy coordinator at the State Department.
Painter, however, sat in the front row as Pentagon officials introduced their cyberstrategy in a presentation at the National Defense University. In an interview, Painter said Internet and cybersecurity policies across the U.S. government need to be coordinated, but that communication across agencies is far better now than it was a few years ago.
"You had people who were looking at the economic aspects, you had people looking at the security aspects, [and] you had people looking at the Internet freedom aspects. Those communities seldom talked together," Painter said. "Now that's changing."
The State Department and other U.S. agencies will soon introduce their own cyberpolicy plans. Defense officials insist they see no potential conflict with the Pentagon strategy.
"Far from 'militarizing' cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes," Lynn said. He characterized the Pentagon approach as focused on the improvement of computer defenses, so that an adversary sees less benefit in carrying out an attack.
"If an attack will not have its intended effect, those who wish us harm will have less reason to target us," Lynn said.