The Pentagon will soon release a strategy that formalizes a long-articulated position: the United States reserves the right to launch conventional attacks in response to the cyber kind. But figuring out who is behind such attacks may be difficult, or impossible.
"To say that cyberattacks can be acts of war, and that they can be met by kinetic responses, simply confirms a longstanding Department of Defense consensus," says Stewart Baker, a lawyer who was policy chief at the Department of Homeland Security for part of the Bush administration. "Neither of those statements make a strategy, however."
Baker adds that the threat "is much less effective than we'd like, because we largely lack the ability to identify who is attacking us in cyberspace. Until we solve that problem, we might as well claim that we'll respond to cyberattacks by blowing horns until our attackers' fortifications all fall down and their ships all sink."
This problem is illustrated by the famous recent cyberattack involving Stuxnet—a computer worm that damaged Iran's nuclear centrifuges last year.
The Stuxnet worm was a highly sophisticated piece of code that specifically attacked Siemens control systems, causing centrifuges to self-destruct. It leveraged four separate and previously unknown holes in Windows software. And it took care not to damage computers themselves, or other systems.