Lynn: Norms for offensive cyber action are not different from kinetic

Tools

What constitutes an attack in the cyber domain that would warrant a U.S. response is not vastly different from other military domains, said Deputy Defense Secretary William Lynn during a press availability following the July 14 announcement of the first unified DoD cyber strategy.

"If the affect of some sort of action breached the threshold that the nation and the president and the Congress considered it an act of war, we would feel that we would have military response as an option," said Lynn, who unveiled the strategy at the National Defense University in Washington, D.C. 

"We always look at the use of military force as a last resort, we would try to exhaust other options before turning to that," he said.

Lynn added that it's important that all U.S. military capabilities--cyber included--have a full spectrum of capabilities.

The department is currently in a research and development stage that will later inform decisions on where to best invest in a cyber offense--as opposed to cyber defense--said Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff.

Cartwright added that DoD is "fleshing out" a command and control structure, a sensor network and what responses "are appropriate and proportional."

It's unlikely the DoD will definitely say what would be considered an act of war in the cyber realm, however.

"There is some value in keeping it ambiguous as a deterrent, but it's ultimately that the damage either human or economic is such that the president and Congress would treat it as an act of war and respond accordingly. I can't give you precise dimensions," Lynn told members of the press.

It's also unlikely traditional treaties would be utilized in the cyber domain, although Lynn did say the DoD intends to pursue development of established "norms" in international forums.

"As we start to understand the threat-side of this equation, it is likely that we're going to have increased regulation of some sort, on a global scale, in order to have an assurance level that we can use these networks safely," said Cartwright.

The thrust of the DoD cyberstrategy is defensive and emphasizes the protection of its networks and the .mil domain. But department officials also acknowledged it's dependence on critical infrastructure and the defense industrial base.

According to the strategy, DoD will provide "support" for critical infrastructure protection as designated by the Homeland Security Department, which is the lead federal agency when it comes to cybersecurity aid to the private sector, excepting the defense industrial base. A White House cybersecurity proposal calls for critical infrastructure operators to prioritize cyber threats, develop a framework for addressing those threats and have a third-party auditor assess implementation.

A senior Homeland Security Department official said at the time of the White House announcement that although the legislation defines "critical infrastructure," DHS hasn't determined the "most critical of critical infrastructure" to which the framework and auditing requirements would apply.

Work is already underway in improving the security of the defense industrial base, however. Lynn and Cartwright said a 90-day cyber pilot is currently underway with about 12 DIB companies. As part of the pilot, DoD is helping the companies upgrade their cyber defenses and share more information on incoming cyber threats.

"By furnishing this threat intelligence, we are able to help strengthen these companies' existing cyber defenses," said Lynn. He added that if the pilot is successful, it could scale vertically--to more DIB companies--or horizontally to other sectors DoD deems critical to the military.

Lynn also acknowledged that questions remain on where the money for a large-scale and more permanent program, following the cyber pilot's model, would come from.

For more:
- listen to the July 14 event
- download the strategy document (.pdf)
- download a transcript of Lynn's remarks

Related Articles:
24,000 files stolen from DoD contractor in single March attack 
White House: U.S.-Russia operational relationship for cyberspace expected by year end 
DHS official: Security vulnerabilities present in technology supply chain
Commerce: Private sector should adopt codes of conduct to strengthen cybersecurity
White House unveils proposed cybersecurity legislation