The new U.S. cyber strategy is the latest piece of Washington’s three-pronged drive to improve America’s defenses against computer attackers.
And it is overdue.
Speaking in New York last week, Defense Secretary Leon Panetta said the U.S. military would take pre-emptive action against would-be attackers if their actions, unchecked, would cause widespread destruction of U.S. infrastructure or loss of lives.
While Washington has made it clear it reserves the right to respond kinetically to a cyber attack on American soil, it has never said it would consider taking pre-emptive action to prevent a major computer attack that would create kinetic effects of its own. Indeed, U.S. Cyber Command has bristled that it has lacked a strategy to respond to past attacks.
To give his threat teeth, Panetta said that over the past several years the U.S. has made enormous strides in its ability to identify the perpetrators of impending, ongoing or past attacks, allowing for a targeted response.
Jim Lewis of the Center for Strategic and International Studies think tank in Washington summarized the immediate impact of being able to identify cyber attackers: If they can’t be anonymous anymore, they have to be more cautious.
Despite calls to give lower levels of command the authority to launch pre-emptive attacks, to respond as quickly as possible or at “net speed,” Panetta’s outlined posture makes clear the White House will be in charge — as it should be, given such an attack could be directed at a nation state.
Having declared its position, Washington must follow through by addressing a series of challenges.
First, the Pentagon must construct operational doctrines, plans, procedures and rules of engagement for cyber that exist for every other warfare domain: air, land, sea and space. Along with that, it must also institute requisite training as well as career field management to ensure that the cyber warfare enterprise is up to the job if and when it’s needed.
The new Air Force chief of staff, Gen. Mark Welsh, recently said it’s not entirely clear to him what constitutes a warrior in the cyber career field, given the vast majority are IT specialists and network managers. That someone as senior as Welsh is raising the question means there’s work to be done in defining the cyber warrior career field.
Second, if this new posture is to serve the deterrent function its authors hope to achieve, the Pentagon must be willing to make good on its threat. If and when it does, Washington can’t afford screw-ups such as attacking the wrong guy on poor intelligence. Like any use of force, it must be a last resort and one that is well targeted to achieve desired aims. This new, more aggressive posture is one of three pieces of the U.S. government drive to improve national cyber defenses. The others are getting Internet service providers to more actively screen networks for malware and convincing Congress to enact comprehensive critical infrastructure protection measures that it failed to approve earlier this year.
All of which means cyber is rapidly maturing as a domain of warfare, just as theorists long said it would. And that means everyone in national security must spend more time thinking through global implications of actions and reactions in this new realm.