The Pentagon's cyberwarfare doctrine begins to emerge
This week, the Wall Street Journal revealed that Pentagon strategists are completing a document that outlines the government's cyberwarfare strategy. The Pentagon is expected to publish an unclassified version next month. According to the Journal, Pentagon strategists are prepared to declare that a sufficiently damaging cyberattack against the United States could be viewed as an "act of war," warranting equivalent retaliation. And that retaliation would not necessarily be a U.S. cyber-counterstrike. As one official put it, "If you shut down our power grid, maybe we will put a missile down one of your smokestacks." It is good that the government is finally establishing a doctrine for dealing with cyberwarfare. But strategists still must grapple with a challenging form of warfare that combines elements of Cold War-era deterrence theory and modern counterinsurgency doctrine.
According to the Washington Post, the Pentagon has developed a list of cyberweapons, including various worms and viruses, for use either in support of an existing military campaign or for use, with presidential approval, at the strategic level. According to the emerging doctrine, U.S. military commanders in existing war zones would have the authority to use cyberweapons to collect intelligence from adversary networks and support tactical operations in a broader military campaign. At the strategic level, presidential approval would be required for attacks against an adversary's industrial infrastructure like the Stuxnet worm against Iran's nuclear complex.
It is not so simple to find a neat divide between strategic cyberattacks requiring presidential approval and tactical attacks delegated to field commanders. The doctrine appears to reserve to the president the decision to attack portions of an adversary's civilian infrastructure. But in an ongoing military campaign, adversary military forces will use portions of the civilian infrastructure -- for example, the telecommunications system -- for tactical military purposes. This will certainly be true if the adversary is a nonstate actor. A local commander's tactical use of cyberweapons could have wider strategic effects. As with all doctrine, the emerging cyberwarfare doctrine will undergo many changes after decision-makers encounter practical experience.
The Journal article highlighted the threat to use traditional military power in retaliation for a cyberattack that cripples U.S. infrastructure. Reserving the right to expand the boundaries of retaliation should not come as a surprise. Earlier this year, Gregory Schulte, deputy assistant secretary of defense for space policy, discussed a similar retaliatory policy when he rolled out the National Security Space Strategy. As I discussed in a column at that time, that strategy seeks to use diplomacy and soft power to protect U.S. assets and interests in space. But if it became necessary, Schulte asserted a broad retaliatory policy to deter attacks on U.S. space interests. The emerging cyberwarfare doctrine appears to follow the same principle.
Announcing such a policy is one thing. Implementing it in a crisis won't be easy, as Cold War policymakers discovered to their discomfort. Recently, anonymous hackers attempted to penetrate Lockheed Martin's networks and apparently did succeed in cracking into Google's Gmail service. Having caused no deaths or widespread economic calamity, such attacks wouldn't seem to rise to the level requiring the kind of punitive retaliation discussed in the Wall Street Journal piece.
But these incidents expose some of the dilemmas cyberwarfare strategists will face. Who exactly were the attackers? The problem of attribution remains unsolved, at least to the degree necessary to convince world opinion that punitive and deadly U.S. retaliation would be legally and morally justified. The emerging U.S. cyberwarfare doctrine will presumably seek to hold governments responsible for the cyberattacks that originate from their territory. Such a policy is designed to elicit cooperative behavior from governments. But it creates opportunities for mischief by nonstate actors and will set up an agonizing test of the U.S. government's retaliatory credibility.
Policymakers are tempted to view cyber warfare through the lens of deterrence theory. But as long as the attackers remain anonymous, cyberwarfare more closely resembles counterinsurgency -- a form of warfare where the U.S. government is still struggling to crack the code.