- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - A formal Pentagon cyber strategy may define which acts of digital sabotage constitute acts war that warrant conventional military retaliation, but cases clear-cut enough to justify such retaliation may be few and far between, experts say.
The problem is attribution - identifying that an attack comes from the government of another sovereign state so its assets can be attacked, they say.
"The U.S. military is setting itself up for failure because attribution is difficult, and it's easy to spoof your identity thereby falsely implicating the wrong government or group," says Jay Bavisi, president of EC-Council, an international cyber security education body. "A military attack could be misplaced, as a result, but at the same time not responding will now be seen as a sign of weakness."
BACKGROUND: Is cyberwar lawful?
The pending publication of a cyber war strategy from the Pentagon next month was reported by the Wall Street Journal, and drew interest because it promises to justify bombs and troops as appropriate responses to data theft and worms.
A string of similar recent announcements from other countries has raised the volume about if and when it's appropriate to answer a cyber attack with a physical response, or what would amount to a more traditional act of war.
But conclusively determining the source of attacks is difficult. An attack might be traced to computers in a given country, but that doesn't mean the government of that country is behind it, Bavisi says. It might be launched by zombie machines in that country that are controlled by someone else.
Still, clearly stating what the consequences would be might be an effective deterrent. "If we can source an attack, we could take appropriate action," says John Pironti, president of IP Architects security consulting. "This would set a framework for the level of activity we might take. What a measured response would look like might be a bomb."
A few highly visible actions against countries that do make these attacks might make others think twice before inviting dire consequences, says Andy Purdy, chief cyber security strategist for Computer Sciences Corporation (CSC) and former director of the national cyber security division of the Department of Homeland Security
"This preparation is appropriate and positive," he says. "It's clear we need greater clarity between cyber attacks and the laws of armed conflict."
Responding with equivalency is the key to cyber war just as it is in traditional warfare, he says. Retaliation needs to be in proportion with the severity of the assault. Responses need to be appropriate so they are admissible under international law, Purdy says.
Formalizing a policy - stating what the U.S. will do if attacked in cyber space - may push international organizations to develop and accept international codes of behavior for cyber war. What is needed is acknowledgment that nations have a right to respond, he says.
Attacks on power grids, for example, could be considered acts of war because they threaten lives or can result in physical destruction, say, of the power grid itself or of industrial production capacity. In such a case, he says, military response might be proper because it could be a means for bringing about similar consequences for the enemy.