Cyber Attacks and Military Responses

Today, Secretary of Defense Robert Gates is attending the tenth annual Asian Security Summit, also known as the Shangri-La Dialogue. On the sidelines of the sessions, Secretary Gates is scheduled to meet with the Chinese Defense Minister Liang Guanglie, the most senior Beijing official at the dialogue. Undoubtedly, as Gates and Guanglie discuss security threats and cooperation, cyberwarfare will feature prominently.

On Wednesday, Google revealed that it had “recently uncovered a campaign to collect user passwords, likely through phishing…[which] appears to originate from Jinan, China.”  That location is significant since it is reportedly where the People’s Liberation Army (PLA) “technical reconnaissance bureaus” teach computer science, and from where previous sophisticated cyber attacks have apparently originated. Many China watchers have described the PLA’s open interest in building up its cyber attack capabilities. The Pentagon’s latest congressionally mandated report on China’s military and security developments noted: “Numerous computer systems around the world, including those owned by the U.S. Government, continued to be the target of intrusions that appear to have originated within the PRC.” However, as the report continued: “It remains unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC government.”

Preceding the announcement of the Gmail hacking, it was reported that the Pentagon is in the final stages of developing an updated cyber strategy, long overdue given vast number of incidents against Pentagon websites. As James Miller, the Principal Deputy Under Secretary of Defense for Policy, testified before Congress in March: “DOD networks are attacked thousands of times each day, and scanned for vulnerabilities millions of times each day. Over one hundred foreign intelligence agencies are attempting to get into DoD’s networks.”

One aspect of the forthcoming Pentagon strategy is to clarify under what circumstances the U.S. military might respond to a cyber attack with military force. The Obama administration addressed this issue in general terms last month in its International Strategy for Cyberspace: “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” The Pentagon’s strategy, however, may be more specific and vivid. As one unnamed U.S. military official described potential military responses: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

The new Pentagon strategy will not be the first articulation of American military doctrine in cyberspace, however. My CFR colleague, Adam Segal, pointed out to me that in 2006, then-Defense Secretary Donald Rumsfeld signed the National Military Strategy for Cyberspace Operations, which stated that “DOD will conduct kinetic missions to preserve freedom of action and strategic advantage in cyberspace. Kinetic actions can be either offensive or defensive and used in conjunction with other mission areas to achieve optimal military effects.”

Several points regarding the United States’ cyber strategy bear clarification. An editorial in this morning’s Los Angeles Times asks the three pertinent questions for such a potential strategy: “What constitutes an act of cyberwarfare? When would a military response be appropriate? And what are the rules of engagement?”

It is impossible to answer the first question, since there is no official or generally accepted definition of cyberwarfare. In addition, the United States does not have the ability to rapidly detect, characterize, and attribute all offensive cyber attacks against U.S. government computer networks, let alone against private sector firms, such as Google. In March, Gen. Keith Alexander, Commander of U.S. Cyber Command, which is a subordinate unified command under U.S. Strategic Command, testified before Congress: “What can you do to stop somebody in a neutral country? And in cyberspace it’s easy to jump to neutral countries to attack someone. And the third and the most difficult is what happens if they use the United States infrastructure to attack the United States?”

There are further dilemmas when considering appropriate military responses. The first principle might be that the use of force had some deterrent effect to persuade an adversary to refrain from future cyber attacks by threatening something it values. This requires both articulating in either specific or general terms what actions would result in a military response, and having an updated set of adversaries’ high-value targets. The second principle could be that a military response be timely enough that an adversary recognized it was as a consequence of an attack—particularly difficult given how long it often takes to recognize and then attribute cyber attacks. The final principle might be that the weapons systems selected could degrade or destroy the offensive cyber capabilities if deterrence has failed, and cyber attacks were persistent enough to threaten U.S. vital interests. Here, there are few good options for state-directed attacks, and none for non-state actors, since such targets would be limited to individuals, cyber cafes, electronic grids, or servers, which can be located in third countries.

Finally, nobody has yet articulated what should be the rules of engagement delineating the circumstances and limitations under which the United States would respond to a cyber attack with military force. As my colleague and associate professor of law at Columbia University, Matthew Waxman, points out in a forthcoming paper, it will be very difficult to interpret when, if ever, a cyber attack would constitute “armed attack” that justified military responses conducted under the “inherent right of individual or collective self-defence” in Article 51 of the UN Charter.  Hopefully, the Obama administration will work with emerging powers to help develop and enforce internationally agreed-upon rules of the road that define a cyber attack, and what electronic networks will be prohibited from any attacks, such as civilian hospitals and schools.

As I’ve written elsewhere, including in book-length form, the proposed military responses to cyber attacks represent a pattern. When confronted with persistent foreign policy problems, civilian policymakers routinely call on using the responsive, impressive, and low-cost tool of limited military force. However, all such proposals are based in a fundamental lack of understanding of the limits of force, which does not always achieve its military and political objectives. Intelligence fails, missiles misfire, and targets rarely alter their behavior substantially and constructively.