Sketching Out the Rules for Offensive Cyber Operations

     With the changing of the guard at the government’s top cybersecurity
official, the government released its long hinted at Cybersecurity policy last
week. The policy trickledown effect should see the release of the Department of
Defense strategy to support the new government position on cyber effects. As
the stick in behind the government’s policy, “DOD’s new strategy will
clarify how U.S. Cyber Command and other DOD components will integrate
cyberspace operations into their efforts to defend against state and non-state
actors capable of posing strategic level threats to U.S. interests”

Based upon the quotes from industry mentioned in the article, such as “The document talks about ‘disrupt and dismantle threat actors.’ I love that because that’s the ability to push back. Sometimes defense is good offense.” On the surface, the new policy can help open the door for holding cyber-criminals and nation states responsible for attack on the homeland. However, like their biological weapon counterparts, offensive cyber capabilities have the potential to ignore intentions and the desire to limit effects to the target. The typical fallback position for measuring military action, reciprocal and proportional response, has the potential of becoming a quagmire of ever-increasing international lawyer billing hours trying to determine if Stuxnet-like infection can be pinned first-striker or the party responding to an attack. God help the US if it’s like the personal foul penalties in the NFL which tend to stick it to those whose reaction is seen by the referees.

     Statements such as, “Experts are hoping for more—even if the public doesn’t get to see it,” do not help to ease concerns about the potential for boldly striking out under the auspices of enforcing a new policy. It may be me being cautious in my old age or ignorance of cyber-weapon controls, but I think that a conservative, a well thought approach with branches and sequels to account for and mitigate unintended consequences is the best way to proceed.