A couple of days ago John wrote about the seemingly new doctrine of armed response to acts of cyber sabotage. I’m broadly with him on the badness of expanding without limit the range of events that we would treat as an act of war. But I think there is much less new here than it seems — and perhaps that lack of novel insight is more of the problem than the risks inherent in treating cyber attacks as a potential casus belli.
First of all, there is a significant trail behind this latest Pentagon statement. A major milestone came with the publication of Presidential Decision Directive 63 in 1998 — a document coming from the Clinton White House/National Security Council. The directive calls for a series of measures aimed at minimizing our vulnerability and enhancing our ability to respond to cyber attacks — response in this case meaning fixing the damage to critical systems to minimize pain, suffering, and economic and/or military damage. But the notion that a digital attack is a form of warfare is already present, part of US official doctrine all the way back in the last century:
Because of our military strength, future enemies, whether nations, groups or individuals, may seek to harm us in non- traditional ways including attacks within the United States. Because our economy is increasingly reliant upon interdependent and cyber-supported infrastructures, non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy.
And of course, this is true. As the WSJ article to which John linked recounts, the Stuxnet virus that seems to have done significant damage to Iran’s nuclear effort struck at a sovereign nation’s economic and perhaps military capacity in a pretty direct way.
Had the authors of Stuxnet managed to set off a bomb in the centrifuge room, that would have been obviously an act of violence, one of war. That the cyber path permitted the same damage to be done less messily does not alter its tactical significance, at least not in any obvious way. If the Pentagon is moving to formalize the logic implied by Clinton-era perceptions of cyber threat — well, there are changes here, but I’m not sure they are as groundbreaking as the WSJ article made it seem.
That is: the reality behind the digital metaphor of infection is one of the facts of life in a networked world. The realms of the virtual and the physical are now deeply interconnected, and disruption of the cyber networks can (and has) produced real consequences in our material circumstances. I don’t see it as a huge stretch to suggest that a cyber attack could cause the deaths of people, and that a response using other weapons that also kill people might be appropriate, if (and only if) you can reliably connect the original attack to the folks you want to target.
Which is the real problem with this not-so-new posture, a twisty little bit you can find by burrowing a little deeper into the WSJ piece:
Less Than Meets The Eye — Cyber War editionPost + Comments (46)