Earlier this week, the Wall Street Journal led with the headline "Cyber Combat: Act of War". The article describes an unpublished Pentagon strategy paper finding that a computer network attack can be treated as an act of war. The article also says the military is leaning towards the concept of "equivalence" in determining whether an attack rises to the level of an act of war. In short, this means that if a cyber-attack[1] causes or attempts to cause damage equivalent to a military attack, then it would be treated as one. This is a step past the Obama administration's "International Strategy for Cyberspace" document that states that the United States will use a "range of credible response options" to secure cyberspace.
If the reaction to the ISC paper is any indicator, people will immediately begin to lose their fragile little minds over this news. The standard argument will revolve around attribution. But the difficulty in identifying the attacker is a matter of execution, not a matter of policy. Also, a president facing a major incident will use the military as an option if he thinks he needs to, no matter how the attack was delivered. The more interesting question is whether the policy will be an effective deterrent to foreign aggression.
Probably the best public discussion of deterrence in the realm of network security comes from Richard Clarke in his book "Cyber War: The Next Threat to National Security and What to Do About It". Clarke argues that "deterrence theory is probably the least transferable" of concepts from nuclear strategy. In particular the "demonstration effect", the show of force that reminds adversaries of the horrible consequences of a nuclear exchange, is lacking a parallel in cyber warfare. We all have images of mushroom clouds and shadows burnt into the pavements forever ingrained in our minds. But the worst thing we've seen in the realm of network attacks is (for some value of worst) Stuxnet. If the threat is "we'll use a cyber attack if you do", then our adversaries simply won't be deterred.
The lack of "scary" isn't the only challenge deterrence faces when you limit your options to cyberspace. The incredible degree to which the United States relies on computers places it on an asymmetric footing with most other nations of the world. In some scenarios, there simply isn't an "in-kind" option available to the U.S. and it is probably safe to say that the U.S. will do almost anything to avoid an asymmetric conflict. We just can't hurt some countries as much as some countries can hurt us.
The administration seems to have come to a conclusion similar to Clarke's: Without the threat of a kinetic response, there is no chance that attackers will be given pause. Only with the full "panoply of power"[2] available can we hope to deter our adversaries. In the end this is what the American people will demand anyways. It won't matter if twenty people were killed because of a bomb or because a train was intentionally misrouted, they'll be looking for the President to act and act strongly.
In my opinion, the policy statement is reasonable and in line with reality. It deals with the extremes of what we think of as cyber attacks -- those causing substantive real-world damage. The policy reflects the likely response of the United States to an incident that is on par with a military attack regardless of policy. The policy explicitly lays out that all options will be on the table and ensures that all players understand that. Finally, if you were to remove from the policy the fact that we're talking about computer-based attacks, there isn't anything unusual in the policy: Attack us and you can expect a response.
So...am I wrong?
[1] - Look, there is going to be a ton of cyber-this and cyber-that in this post, just deal with it.
[2] - "Panoply of power" is a phrase I first saw in Clarke's book. It essentially means: "I'm going to open up the Mary Poppins bag and I can use anything I find in there."