The United States and foreign countries should broker a code of conduct for offensive cyber actions that bans knocking out banking, power and other critical infrastructure networks except when nations are engaged in war, some former U.S. defense and intelligence officials said.
Their recommendation follows the White House's release of an international cybersecurity doctrine that states the country "will respond to hostile acts in cyberspace as we would to any other threat to our country" and "use all necessary means . . . in order to defend our nation." In recent years, the sophistication of network attacks has sparked debate about the nature of cyberwar -- specifically over those "means" and how they should be deployed.
"It may not be impossible to develop a rule of the road among nation states that you don't touch the financial sector unless it's World War III" because the economic effects would be so devastating and widespread, said Franklin Miller, who served from January 2001 to March 2005 as senior director for defense policy and arms control on the National Security Council staff.
At a conference Wednesday sponsored by the nonprofit Center for Strategic and International Studies, Miller and several other former senior officials agreed that electrical grids and other critical systems, which, if disrupted could upend innocent lives, should be off-limits unless nations are signaling their intent to start a war.
The threshold for war would be, for instance, "100 percent take down" of the power grid, said Judith Miller, Defense Department general counsel from 1994 to 1999. Many high-profile incidents -- such as one originating from China in late 2009 that targeted the Gmail accounts of political activists and Google's proprietary technology -- should not be perceived as cyberwar, however, even if sponsored by a foreign government, she said.
Similarly, the act of probing U.S. electricity networks for vulnerabilities may not warrant military action -- unless, perhaps, the intruders leave behind "logic bombs" or other malicious software that lie dormant until activated. Such malware might meet a trigger point for armed response, she said.
Jim Lewis, a former Foreign Service officer and now a cybersecurity expert at the center, said the Stuxnet worm that apparently commandeered systems operating Iran's nuclear development machinery "would for me qualify as an act of force."
But other former federal officials said it is not clear that Stuxnet caused enough harm to merit a military response on the part of Iran.
Policymakers should ask themselves, "Physical destruction: yes or no?" and then weigh the extent of that destruction, Franklin Miller said.
Lewis, who has advised the Obama administration on cybersecurity, broached the concept of a pact, similar to the 1975 Helsinki Accords between Soviet and Western nations, that would stipulate boundaries defining where network penetration is permissible.
"To an authoritarian state, freedom of information is a threat," Franklin Miller said. "To us, it's the lifeblood of our political process . . . I think the idea of a Helsinki conference that talks about various national security requirements is not a bad place to start."
In discussing breaches of .mil networks, Bob Giesler, director for information operations and strategic studies at the Defense Department from January 2004 to December 2007, said Americans may be misinterpreting some intrusions as hostile actions by nation states. "We tend to still over-hype these things not only in policymaking but also in the media, where it becomes a massive echo chamber that vastly outstrips what really happened on the ground," he said. "It could very well have been a Chinese variant to Google looking for their search algorithms in source code [in 2009]."
Also, people may be exaggerating the implications of a recent incursion into networks at military contractor Lockheed Martin Corp., Giesler said. That event was a two-pronged operation: the perpetrators began execution in March by stealing data about network login devices that many federal and corporate personnel use, according to RSA, the makers of the products; then, last month, the instigators applied the information to launch a "significant and tenacious attack" on Lockheed's networks that company officials said was later thwarted.
"The media went absolutely crazy on this," Giesler said. The hackers "did it nicely from a technology perspective" but he questioned the attack's real consequences and whether anything of value was lost.
"We, from a policy perspective, need to hear the rest of the story before we start building all the options that we would present to the White House" for responding to the incident, he said.
Franklin Miller dismissed the notion that the defense contractor exploit was a unique event, saying he hopes the United States is conducting the same kind of reconnaissance on foreign adversaries' networks.
"This honestly doesn't excite me very much because it implies that we aren't doing the same thing to other countries," Miller said. "If that were the case, I would think the percentage of my tax dollars that goes to the [intelligence community] is being badly spent. This is going to happen."