The U.S. military can fight on land, in the air, at sea and in space. Now it has a strategy for operations in a new domain: cyberspace.
Under a new plan unveiled Thursday, the Defense Department said it is preparing to treat cyberspace "as an operational domain," with forces specially organized, trained and equipped to deal with cyberthreats and opportunities.
The strategy presumes that "cyberattacks will be a significant component of any future conflict" and that the United States must be prepared to retaliate, possibly even with military force.
"The United States reserves the right, under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of its choosing," Deputy Defense Secretary William Lynn said.
A cyberattack on the United States could prompt a military response under the Pentagon guidelines, however, only if it qualified as "an act of war," with effects comparable to those brought about under a traditional "kinetic" or physical attack, and it would be up to the president to make that judgment.
"If there is massive damage, massive human losses [or] significant economic damage, it would be in those circumstances that I think the president would consider all the tools that he has — economic, diplomatic and, as a last resort, military," Lynn said in remarks introducing the new cyberstrategy.
Theft Of 24,000 Files
The Pentagon plan highlighted efforts by foreign governments to penetrate Defense Department networks and steal sensitive data. In one example cited by Lynn, a foreign intelligence service apparently acquired 24,000 files from a Pentagon contractor in March. "A nation state was behind it," Lynn said, though he would not identify the government.
Lynn said other cyberthefts resulted in the loss of sensitive data concerning "aircraft avionics, surveillance technologies, satellite communications systems and network security protocols." Normally, Pentagon officials are far less specific in describing their losses from cybertheft.
The Pentagon's emphasis on cyberthreats and its warning that cyberattacks could prompt military retaliation has prompted some debate within the U.S. government, with some agencies concerned that a result could be a "militarization" of cyberspace. One of the more controversial aspects of the Pentagon strategy was its official designation of cyberspace as a potential war-fighting domain.
Too Much Focus On War?
The White House cybersecurity adviser, Howard Schmidt, is among those who have argued that too much attention on war scenarios diverts attention from more pressing cybersecurity challenges and mischaracterizes current cyber intrusions.
"My father was in a war. My son's been in a war. I've been in a war. And this is not what we're going through right now," Schmidt said in a recent interview with NPR.
The Pentagon's new strategy contrasts with cyber agendas pursued in other U.S. government agencies, where the focus is on such issues as Internet commerce and the exchange of information.
"We have to recognize that cyberspace is predominately a civilian space used predominately for civilian purposes," said Christopher Painter, the new cyber policy coordinator at the State Department.
Painter, however, sat in the front row as Pentagon officials introduced their cyber strategy in a presentation at the National Defense University. In an interview, Painter said Internet and cybersecurity policies across the U.S. government need to be coordinated, but that communication across agencies is far better now than it was a few years ago.
"You had people who were looking at the economic aspects, you had people looking at the security aspects, [and] you had people looking at the Internet freedom aspects. Those communities seldom talked together," Painter said. "Now that's changing."
The State Department and other U.S. agencies will soon introduce their own cyberpolicy plans. Defense officials insist they see no potential conflict with the Pentagon strategy.
"Far from 'militarizing' cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes," Lynn said. He characterized the Pentagon approach as focused on the improvement of computer defenses, so that an adversary sees less benefit in carrying out an attack.
"If an attack will not have its intended effect, those who wish us harm will have less reason to target us," Lynn said.
MARY LOUISE KELLY, Host:
It's MORNING EDITION from NPR News. I'm Mary Louise Kelly, in for Renee Montagne.
STEVE INSKEEP, Host:
Here's NPR's Tom Gjelten.
TOM GJELTEN: Computer systems underlie virtually every aspect of daily life in America, from power and transportation systems to communication and commerce. The U.S. military relies heavily on data networks in war-fighting. But this leaves the nation vulnerable to a major cyber attack and until now, the Pentagon has not said how, exactly, it would respond. Yesterday, it took a step in that direction. Here's Deputy Defense Secretary William Lynn.
D: The United States reserves the right, under the laws of armed conflict, to respond to serious cyber attacks with a proportional and justified military response at the time and place of its choosing.
GJELTEN: In other words, Lynn explained, if the effects of a cyber attack on the United States are comparable to what a traditional military attack would bring about, the U.S. could strike back just as it would if the country were bombed.
D: If there's massive damage, massive human losses, significant economic damage, it would be in those circumstances that I think the president would consider all of the tools that he has - economic, diplomatic, and as a last resort, military.
GJELTEN: For a cyber attack to be met with military retaliation under the Pentagon guidelines, it would have to be considered an act of war. Of course, that would be a call for the president or Congress, not the Pentagon, as General James Cartwright pointed out yesterday. He's the vice chairman of the Joint Chiefs of Staff.
GJELTEN: An act of war is a judgment. It's subjective. It's in the eyes of the beholder.
GJELTEN: Christopher Painter is the coordinator of cyber issues at the State Department.
LOUISE KELLY: We have to recognize that cyberspace is predominately a civilian space used for predominately civilian purposes.
GJELTEN: But under the Pentagon strategy, cyberspace is now, officially, also a war-fighting domain. Pentagon officials don't dispute that it's important to promote cyber cooperation among countries, but they also feel the need to warn that countries are conducting more and more espionage in cyberspace.
LOUISE KELLY: avionics, surveillance technology and missile tracking, for example. And he revealed that a U.S. Defense contractor in March suffered a huge theft of secret data.
D: It was large - 24,000 files. It was done, we think, by a foreign intelligence service. In other words, a nation-state was behind it.
GJELTEN: The State Department's Christopher Painter says Internet and cybersecurity policies will need to be coordinated, but he says communication across government agencies is better than it used to be.
LOUISE KELLY: You had people who were looking at the economic aspects; you had people looking at the security aspects; you had people looking at the Internet freedom aspects. They seldom - really, those communities seldom talk together.
GJELTEN: Tom Gjelten, NPR News, Washington. Transcript provided by NPR, Copyright NPR.