Wednesday, June 1, 2011

NEWS: And Lack of Context...

The NYTimes is reporting that the Pentagon is now going to consider cyber attacks formal acts of war:

Several administration officials, in comments over the past two years, have suggested publicly that any American president could consider a variety of responses — economic sanctions, retaliatory cyberattacks or a military strike — if critical American computer systems were ever attacked.

The new military strategy, which emerged from several years of debate modeled on the 1950s effort in Washington to come up with a plan for deterring nuclear attacks, makes explicit that a cyberattack could be considered equivalent to a more traditional act of war. The Pentagon is declaring that any computer attack that threatens widespread civilian casualties — for example, by cutting off power supplies or bringing down hospitals and emergency-responder networks — could be treated as an act of aggression.

The article completely fails to mention that this is not idle future-think. After all, the United States won't deny that they've used it:

In an interview for a TV documentary about cyber security, Deputy Defense Secretary William Lynn twice failed to address reports that the US was a partner in the internet-borne attack.

The presenter of CodeWars: America’s Cyber Threat, asked him “was the US involved in any way in the development of Stuxnet?”
His initial response was to discuss the general problem of tracing cyber attacks.

“The challenges of Stuxnet, as I said, what it shows you is the difficulty of any, any attribution and it’s something that we’re still looking at, it’s hard to get into any kind of comment on that until we’ve finished our examination,” he said.

“But sir, I’m not asking you if you think another country was involved,” the presenter replied, “I’m asking you if the US was involved: if the Department of Defense was involved.”

Mr Lynn then flatly refused to answer.

If it's true (which it may not be -- the DoD might just want Iran to think that it is), then we've (by our own logic) committed an act of war against Iran.

Or how about this recent news story:

On Saturday, Lockheed Martin released a statement confirming the attack, which it described as "significant and tenacious." But it said its information security team "detected the attack almost immediately and took aggressive actions to protect all systems and data."

As a result, the company said, "our systems remain secure; no customer, program, or employee personal data has been compromised."

Hackers reportedly exploited Lockheed's VPN access system, which allows employees to log in remotely by using their RSA SecurID hardware tokens. Attackers apparently possessed the seeds--factory-encoded random keys--used by at least some of Lockheed's SecurID hardware fobs, as well as serial numbers and the underlying algorithm used to secure the devices.

In other words, cyber attacks are now an act of war, and we've both committed and received those attacks in the last year. While we're already fighting three wars, we've had acts of war exchanged with at least one other country.

All context that is missing from the NY Times article.

(UPDATE: Just after posting this I read this article about the arsenal the Pentagon is putting together to fight cyber warfare).