The U.S. will launch “offensive cyber operations” in response to hostile cyber acts directed at the U.S. government, economy, or military,” according to a new report by the Pentagon.
The new report remains consistent with previous iterations of Pentagon policy which have held that “computer sabotage coming from another country can constitute an act of war” and may warrant a military strike. But it focuses on offensive cyber operations as a “deterrence in cyberspace.”
Both policies raise questions. First, the U.S. is known to have used cyber-terrorism without provocation – notably the Stuxnet virus against Iranian civilian nuclear facilities – and so laying down a principle that cyber attacks may rightly warrant a military retaliation seems to leave the U.S. open for attack.
Secondly, beefing up the Pentagon’s ability to launch offensive cyber operations against other countries prompts concerns that they will be used not in response to any hostile acts, but as a preemptive offensive weapon. Iran is again a perfect example of this, but another is Libya.
The Obama administration considered using cyber warfare against Muammar Gadhafi’s regime before ultimately deciding to enforce a no-fly zone and conduct a campaign of airstrikes. But Gadhafi posed no threat to the U.S. and certainly did not direct a hostile act towards the U.S.
It’s also possible the Pentagon could covertly use their offensive cyber operations against domestic websites or networks deemed subversive by the President or political and military powers. The report was issued after a request from Congress, but to date nobody in Congress has moved to make the cyber policies transparent in a way that Congress and the people can control and be aware of.