Three recent moves by the Pentagon, State Department and White House indicate that the pace of preparation for engaging in offensive cyber attacks is increasing. The first was the speech given by Leon Panetta, Secretary of Defense, on October 12, in which he used the term “cyber Pearl Harbor.” Of course, to anyone who follows these developments the term is not at all new. As Jason Healey of the Atlantic Council pointed out at the recent FedCyber conference in D.C., credit for being first goes to Winn Schwartau, who warned of an “Electronic Pearl Harbor waiting to happen” in testimony to Congress in 1991. Winn was amazingly farsighted, considering that the Internet was in its infancy in 1991. Regardless of the hyperbole, when the former head of the CIA, who most probably has intimate knowledge of the development of Stuxnet and the potential harm that could be caused by attacks against critical infrastructure, talks about cataclysmic risks, it may be well to pay attention. From the full text of Panetta’s speech:
“As director of CIA and now secretary of defense, I have understood that cyber threats are every bit as real as more well-known threats like terrorism, nuclear weapons proliferation, and the turmoil in the Middle East.”
Less covered by the media were Harold Koh’s comments on September 18, in which he laid out the US strategy for international cyber policy creation. He addresses such questions as “May a State ever respond to a computer network attack by exercising a right of national self-defense?” and “Must attacks adhere to the principle of proportionality?” Koh’s statement is a major milestone and well worth reading.
And then on Wednesday, November 14, Ellen Nakashima at the Washington Post reported that a secret Presidential Policy Directive (PPD 20) had been signed that grants the Department of Defense the legal basis it needed to engage in offensive network attacks to protect itself. It may come as a surprise to many that the US military did not have the legal standing to do so. It meant that even when they had identified the source of attacks against their systems, they were powerless to do anything short of taking military action. Now, presumably, the Defense Department can take down command and control servers for hostile botnets and do a little counter-hacking of assailants.
There is one more player that I expect to chime in with its own announcements soon: the Department of Homeland Security. Pay attention to the next speech given by Secretary Janet Napolitano.