IN TODAY’S OPEN-SOURCE HEADLINES . . .
We saw an interesting round of discussions last week related to cyberwarfare, which makes you want to think something’s up. Recall last Tuesday’s White House Blog “Strengthening the Federal Cybersecurity Workforce” that ClearanceJobs.Com addressed. Wednesday, the House called in a high-end panel of intelligence experts and cyber-thinkers to talk threat and response. And on Thursday, the National Press Club hosted Adm. Mike Rogers, Commander of U.S. Cyber Command, Director of the National Security Agency, and Chief of Central Security Service for a cyberwar discussion.
Cyberwarfare is here. It’s a field of policy and strategy discussion in its infancy, and we can expect it will develop at an incredibly quick pace. All the familiar conventional terms like proportionality, deterrence, offensive frameworks, and [cyber] laws of armed conflict are adapting, being applied to discussions that echo old Cold War talk about employing nuclear weapons. Given our nation’s vulnerability—and the world’s—to the extensive destruction cyber-attacks could realistically cause in our internet-of-things world, the rhetoric is chillingly appropriate.
Last Thursday at the National Press Club (NPC), Adm. Mike Rogers explained the “Cyber Security Challenges for the United States.” And then he took questions. Thomas Burr, President of the NPC asked a question that could well have been asked in the 1950s about nuclear weapons: “Do you see cyber as a first strike weapon that could incapacitate the United States, or that we could use to incapacitate enemies? And should we integrate cyber into our military planning to defeat or deter potential rivals?”
Rogers couldn’t or wouldn’t answer the first question. He said, “You got to come up with a better question than that.”
CyberWarfare do’s and don’ts
But Rogers’ was anxious to answer the second. Rogers said, “You know, our view within the department is cyber is a tool that we should make available to policymakers and operational commanders . . . much like every other capability in our department. It should be used in a coherent, legal framework in which proportionality and the directness of response is very specifically assessed and measured, and is a primary criteria in the decision to apply it. And that any application of this capability in an offensive framework should be done fully within the law of armed conflict.” He went on, “And so I think over time, we’ve got to change the dynamic where we create concepts of deterrent, norms of behavior where actors in this space understand what is acceptable, what is not acceptable.”
There’s plenty more to mine from Rogers’ remarks and responses.
What is an act of cyber war?
Coincidentally (perhaps), the day before Rogers’ pitch at the NPC, his predecessor, Ret. Gen. Keith Alexander and other cyber-warriors appeared for a two-and-a-half-hour hearing before a combined session of the House Subcommittee on National Security and the Subcommittee on Information Technology to talk about “Digital Acts Of War: Evolving The Cybersecurity Conversation.” Chris Bing summarizes some key points of the hearing in FedScoop’s “Ex-NSA chief: Responding to cyberattacks is a government responsibility.” Bing describes what Alexander imagines an act of cyberwar: “Attacks that cause major loss of life, destruction or incapacitation of significant portions of key infrastructure, or even attacks that cause ‘massive economic damage’ fall within the parameters of what the U.S. should be prepared to call acts of war . . . .”
Aaron Hughes, the Pentagon’s Asst. Secretary of Defense of Cyber Policy was more circumscribed in his definition of a cyberattack that might spark a declaration of war: “not to be cliché, but it really needs be decided on a case-by-case basis.”
And from that, think-tanks and doctoral candidates can begin imagining and churning out responses ad recommendations, case by case.