US May Use Cyberattacks As Offensive Weapon, DoD Says

In what appears to be an effort to ensure that James Franco and Seth Rogen are never again sabotaged by evil North Korean hackers, the Pentagon is out with a new plan that explains when it may be necessary to take the cyber fight to the “aggressors” in order to “mitigate potential cyberrisk to the US homeland.” 

Unsurprisingly, the list of cyber adversaries is indistinguishable from what might fairly be called Washington’s “usual suspects.” The villains are: Russia, Iran, China, and North Korea. In fact, Defense Secretary Ashton Carter says the Pentagon was recently the target of a Russian “cyber intrusion” which he claims was quickly detected by a government “crack team.” Carter’s comments, which came during a speech at Stanford, also indicated that the US could use cyber attacks as an offensive weapon should circumstances warrant it. Here’s more via NY Times:

The Pentagon on Thursday took a major step designed to instill a measure of fear in potential cyberadversaries, releasing a new strategy that for the first time explicitly discusses the circumstances under which cyberweapons could be used against an attacker, and naming the countries it says present the greatest threat: China, Russia, Iran and North Korea.

 

But President Obama’s decision to publicly name North Korea’s leaders for ordering the largest destructive attack on an American target, the announcement of new sanctions against state-sponsored and criminal hackers, and the indictment of five members of the People’s Liberation Army for attacking American corporate targets all reflect a sea change in administration policy.

 

American officials have fumed for years that cyberattacks were largely cost-free. Now, much as Presidents Truman and Eisenhower struggled to define circumstances that could prompt a nuclear response from the United States, Mr. Obama and his aides are beginning to lay out conditions under which the nation would employ cyberattacks — either in retaliation for a strike, as an offensive weapon for conflict or in covert action. They have made no mention of the central role the United States played in the large cyberstrike against Iran’s nuclear program.

 

In his speech at Stanford, Mr. Carter revealed that — like the White House and the State Department — the Pentagon found itself the victim of a cyberintrusion months ago.

 

“The sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks,” he said, saying the attack exploited “an old vulnerability in one of our legacy networks that hadn’t been patched.” He said that a “crack team of incident responders” had “quickly kicked them off the network.”

 

“As a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyberrisk to the U.S. homeland or U.S. interests before conducting a cyberspace operation,” the strategy says.

 

But it adds that “there may be times when the president or the secretary of defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations. For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests.” That last phrase seemed to leave open the door for pre-emptive cyber attacks.

Amusingly (and as hinted at above), the Pentagon wants cyber enemies to know that the US is prepared to take the same stance on cyber attacks as it does on nuclear deterrence: namely, that America is building up its capabilities for defensive purposes only but will not hesitate to keep its offensive “options” open. Here’s the Department of Defense:

“Still,” Carter said, “adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary.”

And more from The Times:

“Deterrence is partially a function of perception,” the new strategy says. “It works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States.”

So in other words: the best defense is a good offense. 

*  *  *

Here’s the official fact sheet from DoD:

Department of Defense Cyber Strategy Fact Sheet