At the end of last month, there was a Wall Street Journal story reporting that the US government had decided that certain types of cyber attacks originating from another country can constitute an act of war, and therefore could trigger a "traditional" military response from the US.
As one military official in the WSJ article put it:
"If you shut down our power grid, maybe we will put a missile down one of your smokestacks."
Well, today there is a long AP story that says that President Barack Obama signed executive orders about a month ago outlining when and how US military commanders can employ cyber capabilities to mount cyber attacks or conduct espionage against other countries.
Defense officials and security experts told the AP that:
"The orders detail when the military must seek presidential approval for a specific cyber assault on an enemy and weave cyber capabilities into U.S. war fighting strategy."
The executive orders act in a similar fashion to operational theater rules of engagement. The AP story states, for example, that:
"Under the new Pentagon guidelines, it would be unacceptable to deliberately route a cyberattack through another country if that nation has not given permission - much like U.S. fighter jets need permission to fly through another nation's airspace."
The full set of cyberwar guidelines has not been announced, but the US Department of Defense is expected to do so soon.
As this week's Spectrum podcast notes, there are likely to be plenty of cyber security incidents for the US military to sort through. It will be interesting to see whether the policy mentions cyber attacks against US defense contractors as warranting a measured response of some kind.
Also interestingly, there is no mention in the AP story of the policy extending to the Central Intelligence Agency, which presumably operates under its own set of cyber rules that are a bit less constraining than those placed on the US Defense Department.
Contributing Editor Robert N. Charette is an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Along with being editor for IEEE Spectrum’s Risk Factor blog, Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.