by Austin Bay
May 31, 2011Hack the United States with a crippling computer virus, and
the Pentagon may respond with smart bombs and commando teams.
The military and intelligence communities have known for at
least two decades that "cyberwar" is war. Everyday experience has
confirmed that the digital fight is very real, as cyber-attackers probe and
occasionally crack the digital communications and data storage systems of
military organizations, intelligence agencies, financial institutions and,
frankly, just about everyone with a networked digital device.
Now the definition of warfare and military doctrine --
theory, principles and policies that guide the use of military force -- are
catching up with reality.
According to a Wall Street Journal report this week, the
Pentagon's new doctrinal term is "equivalence." If a cyberspace based
attack inflicts damage comparable (equivalent) to a conventional attack using
bombs, gunfire or beam weapons, then the cyber-attacker can expect the U.S. to
retaliate with a range of weaponry, not just anti-viral software or a
cyberspace-only counterattack.
Essentially, the U.S. military will no longer treat
cyberspace as a semi-mystical gray zone somehow detached from the physical
world. In 21st century Information Age societies that rely on digital devices
for an array of critical safety, economic and security services, cyberspace
provides fundamental connectivity. Fundamental reliance creates fundamental
vulnerabilities. Vulnerabilities require protection.
Determining equivalence relies on judgment, and very likely
a judgment made in the midst of a crisis. The odds are, however, like
pornography, you and the Joint Chiefs of Staff will know it when you see it --
for example, when every computer screen in Washington freezes, geosynchronous
military communications satellites suddenly fritz and die, and the entire East
Coast's electrical grid stalls then quits.
Yet simply suggesting a notional Doctrine of Equivalence
serves a valuable purpose: deterrence. The U.S. is indicating that it will not
limit its response to a digital attack to cyberspace. A nation, transnational
terror organization, gang or even an individual engaging in a cyber-attack on
U.S. digital assets and capabilities risks physical counterattack -- a fancy
way of saying they risk death for wreaking large-scale digital havoc.
For the last decade, defense and intelligence agencies have
been slowly creeping toward a Doctrine of Equivalence between cyber-attack and
kinetic attack. The rub in cyberspace has been twofold: deniability and
lethality. Cyberspace is a vast, global jungle providing camouflage for clever
snipers, crooks and armies. Determining where the cyber-shot came from can be
difficult. Attackers can blame other organizations for the assault.
Estonia's cyber-battle with Russia illustrates the problem
of deniability. In April and May 2007, Estonia suffered a sophisticated,
sustained and coordinated "hack" of the country's digital systems.
Estonia claimed that the attacks originated at the Internet addresses of
"state agencies in Russia." Russia denied the charge, attributing the
attacks to criminal organizations. Were the criminals proxies? Estonia lacked
absolute proof of Russian culpability.
As for lethality, a digital attack doesn't leave shell
craters or bleeding human casualties -- at least, not in the same overt sense
of an assault with artillery and bombs. But the contingent lethality of a
cyber-attack is real; a sustained digital attack erodes defense capabilities.
Destroying spy and communications satellites in order to blind and disrupt U.S.
command capabilities is a rough equivalent.
Moreover, the economic costs of a digital attack can be much
larger than a classic barrage or bombing campaign.
The international agreements, customs and understandings
that attempt to give warfare a legal framework will also adapt to these 21st
century conditions. Treaties don't bind rogues and fanatics, but perception of
a common threat and common vulnerabilities can bridge differences between
rational antagonists and competitors.
The Wall Street Journal reported that the U.S. is attempting
to reach a consensus position with American allies on how to respond to
cyber-attacks, though the U.S. leans toward the position that holding countries
which create cyber-weapons responsible for their use serves a deterrent
function.
As a member of NATO and cyber-attack victim, Estonia will no
doubt forcefully contribute to that discussion.