Excerpt from actual US policy:
"When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible." (pp.18)
Ars Headline:
"US warns: hack us, and we might bomb you"
I was kinda surprised when I heard about this. I always assumed this would have been US policy already. Russia, for example, has already stated in 1996 that it will consider nuclear retaliation for cyber attacks on their country.
This whole policy assumes that attacks would only occur at a national level - ie government initiated/sponsored attack towards US assets.
Aside from the issue of it being hard it is to be able to successfully geographically locate the source of an attack, what if a bunch of hackers in China, operating privately, decide to hack the US. Is US going to bomb China if the level of the attack is severe enough? Diplomatic efforts will fail pretty quickly if it genuinely isn't anything conducted by the Chinese government.
But hey, let's swap out the contentious example of China for Australia or France - is America going to bomb either of those countries because private citizens in those locations are pursuing a national cyber-security warfare-level attack?
If Al Quedia et al have taught us anything it is that we cannot assume national security attacks (and our defense strategies) to be state-sponsored any more.
Think of how outraged we'd be if Iran responded to Stuxnet by attacking the U.S. or Israel militarily. In general, hacking (aka "cyberwarfare") poses an intelligence challenge to determine whether an attacker is affiliated with or acting on behalf of a state. If United States infrastructure were attacked by a group of highly skilled individuals inside Iran or China, like you suggested, who had no apparent government connections, it would be very hard to determine whether they had been surreptitiously aided or manipulated by a government intelligence agency, perhaps by anonymously sharing technical information to aid their attack or by infiltrating the group with an agent who pushed them to action and steered them toward particular targets.
On 26 March 2010 the North Korean military launched a torpedo sinking a US ally's warship, killing 46 of it's 108 crew during a time of peace. The Cheonan represented a significant loss to the South Korean people, and though economic relations between the two nations broke down, no real military action was taken by either the US or South Korea.
And now you're telling me we'll go to war if someone takes out the internet?
In fairness, taking out the internet may represent far greater damage than sinking a warship. A nationwide disruption could cause billions in economic damage, and more targeted attacks on specific infrastructure like dams, water treatment, etc. have the potential to kill as well.
Hell, shutting off Google for a few days would probably kill more than 46 people if medical residents aren't able to look stuff up as quickly as they can now.
No one is saying we'll go to war if a hack happens. The policy makes clear to potential adversaries that these types of attacks would be considered an act of war by the US and make clear that there could be a military response.
Its a bit like in the Cold War when the US said it would respond to a nuclear attack in kind. Making clear how you intend to respond can be a deterrent.
And now you're telling me we'll go to war if someone takes out the internet?
Interesting. I never thought about someone "taking out" the internet. An internet kill switch would be useful to a government wanting to start a war. Simply kill the internet, then blame it on the country of your choice.
Jeez, if the government want to start a war, evidences and reasons will be fabricated to support it. The Iraq war (alleged weapons of mass destruction) and the Vietnam war (Gulf of Tonkin incident) are two obvious examples.
It is called deterrence. The N.Korea has A-bomb and several hundred of conventional artillery systems in the range of Seoul - several minutes of the artillery fire would cause losses in Seoul on the scale of losses from a nuclear bomb.
It seems like the US is just adding this to its list of excuses for attacking other countries when it sees a benefit in doing so. They can no longer effectively use the WMD bogeyman, so a new one is needed.
Quite a stupid policy, IMO. It's much too easy to make it look like country X is doing the hacking. It would be an exceedingly cheap way for a 3rd party to marshall US resources on their behalf.
Depending on country X's relation with the US, they could actively try to prove the attack came from somewhere else.
Yes, you can live in country 'A' and route all traffic through a country you hate, 'X', making that country get all the heat.
Country 'X' would then attempt to prove that the attackers came from another country.
This is a lost battle... while a country points the blame to other country, that country would forward the blame to yet another country.
There is an insane amount of vulnerability scanning/port scanning coming from China. You can bet that one of those remote attackers is bound to hit an improperly protected box in the US.
It may not even be an attacker, it could be a home PC from a botnet, mindlessly port-scanning IP ranges.
Does that mean the US would bomb China?
I mean, an attack can come from a single source but be routed behind so many countries, even from the US itself!
The US is not going to send missiles in response to some port scanning. But massive attacks, such as the large-scale attack on Google or stealing data from NASA or other government agencies, will now presumably trigger a strong response.
I suspect that that's rather the point. If an US server is hacked, a power plant gets bombed in Canada, Australia, or Sweden. Do you not want the power plants in your country to be bombed? Then you'd better fix the US cyber infrastructure, because the US doesn't care who broke it. They just want it fixed.
It's unfair, bullying, and bad diplomacy, but it's not stupid.
PR. when Japan sends a fleet to Pearl Harbor and bombs us, we know who it was, the crowds ('people') get mad, and we bomb them back. When Chinese hackers target american corporations, there is not nearly so much transparency as to who is behind it (govt sponsored? independent parties? terrorists? businesses?), and the crowds aren't that mad. You can't go starting real-life wars, with killing people and such and the economic consequences thereof, without support of the crowds.
Of course if Chinese hackers shut down our utilities/communications, that's certainly a real-life attack, and it will be easier to convince the crowds that we know a enemy government is responsible.
Maybe I'm naive but couldn't this be used to trick the US into attacking a target that had nothing to do with the cyber attack to begin with? Seems like a huge opportunity for 'bad-guys' to engage the US army to do their bidding, but maybe it's harder to truly conceal or spoof your true origans than I've been led to believe.
This makes sense to me. Computer attacks can cause real damage.
If my neighbor were to be constantly trying to break into my computers at home with the intent of destroying them, and there was no chance to appeal to law enforcement, I could certainly see going and knocking on their door with the desire to stop them from doing that.
However, the US has a history of finding reasons to go to war in unexpected places, since 1960 at least. Any excuse to expand the reasons they can pick is worthy of scrutiny.
So to instigate a war all you'd have to do is be part of a group like Anonymous, throw out some subtle misinformation that made it seem you were acting on behalf of a government entity, then wallah, war.
Ars Headline: "US warns: hack us, and we might bomb you"
Submission title: "Hack us, and we'll bomb you"