Pentagon doesn't rule out military force against cyberattacks

By Larry Shaughnessy, CNN Pentagon Producer
  • "All appropriate options would be on the table"
  • Identifying attacker can be hard, take a long time
  • 2008 incident was wake-up call

Washington (CNN) -- The Pentagon is formulating a new strategy on how to respond to cyberattacks that would include using military force, a spokesman confirmed late Tuesday.

Col. David Lapan said if the attack is serious enough, "a response to a cyberincident or attack on the U.S. would not necessarily be a cyber response, so as I said all appropriate options would be on the table."

The final public portion of the "Defense Strategy for Operating in Cyberspace" is expected to be released in two or three weeks.

But much of it has already been discussed for months by numerous administration officials, including the White House and Deputy Secretary of Defense William Lynn.

In May, the White House released the International Strategy for Cyberspace. It said in part, "We reserve the right to use all necessary means -- diplomatic, informational, military, and economic -- as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests."

The White House hopes this policy will act to discourage cyberattackers. "There is certainly the deterrent effect of letting our adversaries know how we would consider those actions and what steps we might take," Lapan said.

The Defense Department's appreciation of the serious threat posed by cyberattacks grew substantially after an incident in 2008. That's when someone inserted an infected flash drive (what some call thumb drives) into a U.S. military laptop on a base in the Middle East.

"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems," Lynn wrote last fall in Foreign Policy magazine. "This previously classified incident was the most significant breach of U.S. military computers ever, and it served as an important wake-up call."

According to Lynn's article, the code on that flash drive "spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control."

But Lynn admits one of the more difficult hurdles facing anyone trying to respond to cyberattacks is figuring out who the attacker is.

"Whereas a missile comes with a return address, a computer virus generally does not. The forensic work necessary to identify an attacker may take months, if identification is possible at all," Lynn wrote. "And even when the attacker is identified, if it is a nonstate actor, such as a terrorist group, it may have no assets against which the United States can retaliate."

The Pentagon policy is part of the larger White House plan, but it will not include specifics as to what responses might be triggered by certain levels of cyberattacks.

"We're not going to necessarily lay out if this happens we will do this, because again the point is, if we are attacked we reserve the right to do any number of things in response just like we do now with kinetic attack," Lapan said. "So it makes the idea that attacks in cyber would be viewed in a way that attacks in a kinetic form are now, the military option is always a resort."