As the world's economic powers squabble over the intricacies of cause and effect in a vicious cycle of currency devaluation and domestic economic defense; it appears, NYTimes reports, that the US is leading the way in another direction. A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad - i.e. if we 'suspect' someone is going to hack us, we can hack them. In what appears to be Stuxnet's bigger (and scarier) brother,one official noted, "there are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done." New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code - even if there is no declared war. Cyberweaponry is the newest and perhaps most complex arms race under way, based in Cyber Command at The Pentagon, with the unspoken question being, ‘What are we going to do about China?’
Via NY Times,
A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.
That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation’s first rules for how the military can defend, or retaliate, against a major cyberattack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.
Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow.
Mr. Obama is known to have approved the use of cyberweapons only once, early in his presidency, when he ordered an escalating series of cyberattacks against Iran’s nuclear enrichment facilities.
As the process of defining the rules of engagement began more than a year ago, one senior administration official emphasized that the United States had restrained its use of cyberweapons. “There are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done,” the official said.
The attacks on Iran illustrated that a nation’s infrastructure can be destroyed without bombing it or sending in saboteurs.
While many potential targets are military, a country’s power grids, financial systems and communications networks can also be crippled. Even more complex, nonstate actors, like terrorists or criminal groups, can mount attacks, and it is often difficult to tell who is responsible. Some critics have said the cyberthreat is being exaggerated by contractors and consultants who see billions in potential earnings.
One senior American official said that officials quickly determined that the cyberweapons were so powerful that — like nuclear weapons — they should be unleashed only on the direct orders of the commander in chief.
While the rules have been in development for more than two years, they are coming out at a time of greatly increased cyberattacks on American companies and critical infrastructure. The Department of Homeland Security recently announced that an American power station, which it did not name, was crippled for weeks by cyberattacks. The New York Times reported last week that it had been struck, for more than four months, by a cyberattack emanating from China. The Wall Street Journal and The Washington Post have reported similar attacks on their systems.
“While this is all described in neutral terms — what are we going to do about cyberattacks — the underlying question is, ‘What are we going to do about China?’ ” said Richard Falkenrath, a senior fellow at the Council on Foreign Relations. “There’s a lot of signaling going on between the two countries on this subject.”
International law allows any nation to defend itself from threats, and the United States has applied that concept to conduct pre-emptive attacks.
Pre-emption always has been a disputed legal concept. Most recently Mr. Bush made it a central justification for the invasion of Iraq in 2003, based on faulty intelligence about that country’s weapons of mass destruction. Pre-emption in the context of cyberwar raises a potentially bigger quandary, because a country hit by a pre-emptive cyberstrike could easily claim that it was innocent, undermining the justification for the attack. “It would be very hard to provide evidence to the world that you hit some deadly dangerous computer code,” one senior official said.
During the attacks on Iran’s facilities, which the United States never acknowledged, Mr. Obama insisted that cyberweapons be targeted narrowly, so that they did not affect hospitals or power supplies. Mr. Obama frequently voiced concerns that America’s use of cyberweapons could be used by others as justification for attacks on the United States. The American effort was exposed when the cyberweapon leaked out of the Iranian enrichment center that was attacked, and the “Stuxnet” code replicated millions of times on the Internet.
But the military, barred from actions within the United States without a presidential order, would become involved in cases of a major cyberattack within the United States. To maintain ambiguity in an adversary’s mind, officials have kept secret what that threshold would be; so far, Defense Secretary Leon E. Panetta has only described the “red line” in the vaguest of terms — as a “cyber 9/11.”
The Obama administration has urged stronger firewalls and other systems to provide a first line of defense, and then “resiliency” in the face of cyberattacks. It failed to get Congress to pass cybersecurity legislation that would have allowed the government to mandate standards.