The Pentagon is updating its classified rules for warfare in cyberspace
for the first time in seven years, an acknowledgment of the growing
threat posed by computer-network attacks — and the need for the United
States to improve its defenses and increase the nimbleness of its
response, the nation’s top military officer said Thursday.
The officer, Gen. Martin E. Dempsey,
chairman of the Joint Chiefs of Staff, also said that, globally, new
regulations were needed to govern actions by the world community in
cyberspace. He said that the Chinese did not believe that hacking
American systems violated any rules, since no rules existed.
Discussing efforts to improve the Pentagon’s tools for digital defense
and offense, General Dempsey said the military must be “able to operate
at network speed, rather than what I call swivel-chair speed.”
“Cyber has escalated from an issue of moderate concern to one of the
most serious threats to our national security,” he said. “We now live in
a world of weaponized bits and bytes, where an entire country can be
disrupted by the click of mouse.”
Under a presidential directive, the Pentagon developed “emergency
procedures to guide our response to imminent, significant cyberthreats,”
and is “updating our rules of engagement — the first update for cyber
in seven years,” he said. This effort has resulted in the creation of
what General Dempsey called an interagency “playbook for cyber.”
During a speech at the Brookings Institution, a policy research center,
General Dempsey said these new “standing rules of engagement” for
military actions remained in draft form, and had not yet been approved.
In his first major address on the new, virtual domain of computer
warfare, General Dempsey gave an outline of what a significant attack
might look like, and how the United States might respond.
If the nation’s critical infrastructure came under attack from poisonous
code over a computer network from overseas, the first effort would be
gathering information on the malware and the systems under attack.
Network defenses would be in place, as “our first instinct will be to
pull up the drawbridge and prevent the attack, that is to say, block or
defend,” he said.
If the attack could not be repulsed, the new playbook calls for “active
defense,” which General Dempsey defined as a “proportional” effort “to
go out and disable the particular botnet that was attacking us.” It is
notable that, in this situation, the line between active defense and
offense might be blurry.
“If it became something more widespread and we needed to do something
beyond that, it would require interagency consultation and authorities
at a higher level in order to do it,” he said. Although these plans are
classified, his statement indicated that the rules for responding in an
escalated manner in cyberspace, or with a conventional retaliation,
would require decisions by the civilian leadership.
General Dempsey’s speech drew a clear distinction between the nation’s
two major efforts in cyberspace. The military’s role is in defending
computer networks and, if so ordered by the president, carrying out
offensive attacks. That is related to, but separate from, the
intelligence community’s efforts to gather intelligence in cyberspace.
Several of those highly classified intelligence-gathering programs were
exposed via leaks from a former contract worker for the National
Security Agency.
Assessing adversaries in cyberspace, General Dempsey said that China,
in particular, had chosen a niche in stealing intellectual property.
“Their view is that there are no rules of the road in cyber,” General
Dempsey noted. He said American and Chinese officials would meet over
coming days to discuss ways to “to establish some rules of the road, so
that we don’t have these friction points in our relationship.”
The military headquarters responsible for computer-network warfare, the
United States Cyber Command, will grow by 4,000 personnel with an
additional investment of $23 billion, General Dempsey said. (Cyber
Command and the National Security Agency are led by the same officer,
Gen. Keith B. Alexander.)
“We are doing all of this not to address run-of-the mill
cyberintrusions, but to stop attacks of significant consequence — those
that threaten life, limb and the country’s core economic functioning,”
General Dempsey said.