Yesterday, the newly minted head of the United States' Cyber Command team and NSA head General Keith Alexander told assembled lawmakers that the US has created offensive cyberwarfare divisions designed to do far more than protect US assets from foreign attacks. This is a major change in policy from previous public statements -- in the past, the US has publicly focused on defensive actions and homegrown security improvements.
"I would like to be clear that this team, this defend-the-nation team, is not a defensive team,” General Alexander told the House Armed Services Committee. "This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone.”
These revelations come as new threat assessments from the NSA indicate that groups like Al Qaeda are no longer credible threats to the continental United States. That doesn't mean US intelligence agencies have dismissed the ability of terrorist groups to cause trouble internationally, but high-profile cyber-attacks from China and Iran are seen as a far greater threat.
Whether or not these public admissions count as news depends on how closely you've paid attention to some of the attacks popping up in other
countries. The United States is widely believed to have had a hand in creating Stuxnet, the virus that may have slowed Iran's nuclear ambitions. Government officials have also made unspecific mention to campaigns the US has engaged in before.
There's no doubt that high-profile hacker attacks
are on the rise, but defining what does and doesn't constitute "cyber warfare" isn't simple. First, there's the simple problem of identifying whether or not an attack is actually being sponsored by a foreign country. Governments aren't the only institutions with the capability to engage in cyberwarfare. They certainly aren't the only institutions that could benefit from information gathering.
And that brings up another point. In the physical world, war -- even asymmetric guerilla warfare -- necessitates a physical presence. Physical warfare revolves around a set of concrete goals. Sometimes, as with Stuxnet,
cyberwarfare has goals -- the point of the virus was to sabotage Iran's attempts to build its own nuclear reactors. More often, the goal of cyberwarfare is to establish intelligence networks that can then be mined for general information. Sometimes it's obvious what the other guy is looking for (and that information can, in turn, be used to finger a culprit.) Sometimes it isn't.
In physical warfare, there's a defined understanding of proportional response that applies even in asymmetrical warfare. Al Qaeda's attack on September 11 led directly to the invasion of Afghanistan. It did not, however, result in the widespread deployment of tactical nukes. Why? Because that level of response wasn't called for, and would have led to an unacceptable loss of innocent life and enormous, long-lasting ecological damage.
What's proportional response to China probing at utility companies? Who ought to be blamed for Red October
? What's the equivalent of a warning shot in cyberspace? When we detect foreign governments probing at virtual borders, who handles the diplomatic fallout as opposed to the silent retribution? And most of all, how do we create new strategies for addressing these questions without trampling on the rights of our own citizens?