In the fiscal year 2012 defense authorization act, Congress explicitly gives the president and the Department of Defense the legal authority to carry out offensive cyberwar activities.
“Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests”, the act’s conference report said.
In addition, the White House and DoD issued a defense strategic guidance this week that emphasized the need for the US to invest in “advanced capabilities” to carry out operations in cyberspace.
The guidance, entitled Sustaining US Global Leadership: Priorities for 21st Century Defense, stressed that US adversaries have the capabilities and intent to conduct cyber espionage and attacks on the US.
“Our planning envisages forces that are able to fully deny a capable state’s aggressive objectives in one region by conducting a combined arms campaign across all domains – land, air, maritime, space, and cyberspace”, the guidance said.
The document's emphasis on the ability to conduct both offensive and defensive operations in cyberspace is consistent with recent DoD policy statements, noted Kurt Bertone, vice president and security strategist at Fidelis Security Systems, which works closely with DoD on cybersecurity.
“It makes a lot of sense to treat cyberspace [as an operational domain] because it reflects the reality that cyberspace is a globally shared resource that is really important for economic and politically stability. By designating cyberspace as an operational domain, it enables the DoD to protect us and our allies from global cyberwar”, Bertone told Infosecurity.
Last July, the DoD issued its first comprehensive report on its cyberspace strategy. In that document, the department said it would “treat cyberspace as an operational domain to organize, train and equip so that DoD can take full advanced of cyberspace’s potential."
The July document did not contain the more aggressive language used by some US military officials who spoke with the Wall Street Journal two months before the strategy’s release. According to the WSJ, the Pentagon cyber strategy would classify a major cyber attack against US infrastructure as an act of war that could trigger a conventional military response. As one Pentagon official put it, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
However, attributing a cyberattack to a foreign government in order to justify a blatant physical attack is tricky business. For example, the report by US security vendor McAfee detailing Chinese involvement in cyberattacks on US and European oil, gas, and energy companies, dubbed Night Dragon, stopped short of fingering the Chinese government. McAfee researchers confessed that they had “no direct evidence to name the originator” of the Night Dragon attacks but rather relied on “circumstantial evidence.”
So while the DoD might have gained the legal authority to conduct offensive cyber operations, translating that into the practical ability to carry out such operations in the face of uncertain evidence might be a difficult political hurdle to overcome.