No agency has developed good defenses against such attacks. Unless the United States produces new technologies and new strategies to counter these threats, the hackers will get through. So far, though, what the United States has mostly produced is an outpouring of new law-review articles, new legal opinions, and, remarkably, new legal restrictions.
Across the federal government, lawyers are tying themselves in knots of legalese. Military lawyers are trying to articulate when a cyberattack can be classed as an armed attack that permits the use of force in response. State Department and National Security Council lawyers are implementing an international cyberwar strategy that relies on international law "norms" to restrict cyberwar. CIA lawyers are invoking the strict laws that govern covert action to prevent the Pentagon from launching cyberattacks.
Justice Department lawyers are apparently questioning whether the military violates the law of war if it does what every cybercriminal has learned to do -- cover its tracks by routing attacks through computers located in other countries. And the Air Force recently surrendered to its own lawyers, allowing them to order that all cyberweapons be reviewed for "legality under [the law of armed conflict], domestic law and international law" before cyberwar capabilities are even acquired.
The result is predictable, and depressing. Top Defense Department officials recently adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations, even as Marine Gen. James Cartwright, then vice chairman of the Joint Chiefs of Staff, complained publicly that a strategy dominated by defense would fail: "If it's OK to attack me and I'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy."
Today, just a few months later, Cartwright is gone, but the lawyers endure. And apparently the other half of the U.S. cyberwar strategy will just have to wait until the lawyers can agree on what kind of offensive operations the military is allowed to mount.
We've been in this spot before. In the first half of the 20th century, the new technology of air power transformed war at least as dramatically as information technology has in the last quarter-century. Then, as now, our leaders tried to use the laws of war to stave off the worst civilian harms that this new form of war made possible.
Tried and failed.