The United States lacks a fully defined policy and legal framework for using offensive cyberwarfare capabilities against adversaries, making it difficult for policymakers to determine the origin of computer attacks and when pre-emptive action is justified against criminals, terrorists and hostile foreign nations, according to current and former government officials.
"This is something where the Congress and the administration need to work closely to determine when and how we will respond," House Homeland Security Emerging Threats Subcommittee Chairman Jim Langevin, D-R.I., said in a recent interview.
The information networks of U.S. government agencies and critical industry sectors, such as the nation's power and banking companies, are under persistent and increasing cyberattack from abroad, including major criminal organizations and countries like China, according to officials and recent high-level reports. Although the U.S. government has an arsenal of cyberwarfare capabilities at its disposal, policymakers are grappling with how and when to use them, along with what kind of privacy and civil liberties issues are raised in doing so.
"It is ... unchartered territory and I know the policymakers are struggling with how and when to use our offensive capabilities," Langevin said. "It's important for the government to have a clear understanding of what our offensive capabilities are and how best to employ them and when. There are a lot of questions that still need to be answered. Should the U.S. include pre-emption action as part of its cyber doctrine? What are the thresholds for proportionality of response?"
One of the most difficult issues for government agencies is determining the origin of cyberattacks. Intruders can hide their identity by using remote servers or by installing malicious code on computers operated by innocent users, officials said. "We don't have the doctrine yet that's codified" said Steven Bucci, former Pentagon deputy assistant secretary for homeland defense.
"What is an act of war in the cyber realm?" Pentagon officials told a cybersecurity commission established by the Center for Strategic and International Studies they need help clarifying existing doctrine for playing offense in the cyber realm, said James Lewis, director of the technology and public policy program at CSIS. "Modernize the laws; clarify the authorities," said Lewis, who serves as the commission's project director. "Clarify what your doctrine is for responding to attacks." Part of the challenge for policymakers is determining whether attacks require a law enforcement response, an intelligence response or a military response, Lewis added.
Langevin said the U.S. government must immediately define a national cyberstrategy with a public component that communicates to adversaries what the United States is capable of doing and prepared to do, something akin to the policy of mutually assured destruction for nuclear weapons. Langevin said the government must immediately train and equip a cybersecurity workforce. The office of the national director of intelligence, which is responsible for coordinating cybersecurity programs, declined to comment.