As the pace of cyber attacks quickens on U.S. retailers, banks, political parties and the government itself, legislators worry over what looms ahead and wrestle with when to elevate a crippling cyber attack to an act of war.
Parallel bills in the House and Senate, titled “Cyber Act of War Act of 2016,” would require the president to outline how a cyber attack might rise to the level of an attack with conventional weapons.
But debate about the subject only underscores the complexities of tracing attacks to their perpetrators, calculating what to reveal about U.S. capabilities, and weighing how to respond if an attack causes major economic damage but little or no loss of life.
“Do we hack the hackers or do we respond with physical force?” Rep. Robin Kelly, D-Ill, asked at a hearing this week on “digital acts of war.”
Cyberspace has already become “a digital battleground,” the nation’s former top cyber warrior, retired Gen. Keith B. Alexander, told two House panels meeting jointly. He cited an urgent need for a robust strategy and doctrine.
Some believe it is high time for the U.S. government to let the world know what it will not tolerate in cyberspace, given the accelerating pace of intrusions. They suggest a display of offensive capabilities might have a salutary effect.
“I could see situations where that might be beneficial,” said Sean Kanuck, a lawyer who until earlier this year was the Obama administration’s national intelligence officer for cyber issues.
“Think about Teddy Roosevelt painting a Navy white and sailing around the world,” Kanuck said, alluding to the voyage of U.S. battleships and escorts that made 20 ports of call on six continents between 1907 and 1909. The flotilla became known as the Great White Fleet.
“Every port of call knew about the U.S. Navy,” he said, adding that a similar strategy might be timely in the cyber realm. “You probably don’t want to reveal all your capabilities. But you might want to reveal a battleship or two.”
The Pentagon, tipping its hand slightly, has acknowledged employing cyber weapons to combat the Islamic State, or ISIS, as the terrorist group entrenched in parts of Iraq and Syria is known.
“We are dropping cyber bombs. We have never done that before,” Deputy Secretary of Defense Robert Work told reporters in April.
U.S. offensive cyber weapons have been in existence for years. In a joint operation in 2012, U.S. and Israeli experts are believed to have deployed a devastating computer worm, known as Stuxnet, to damage Iran’s nuclear program. Neither government openly confirmed use of Stuxnet, although U.S. officials did so anonymously.
Cyber intrusions come from an array of hackers, criminals, spies and government agencies, experts say, and motives range from ransom and sabotage, to obtaining business strategy and government intelligence.
Not a week goes by without a major U.S. retailer or bank suffering a cyber intrusion.
Two competing teams of Russian government hackers were blamed last month for penetrating the computer network of the Democratic National Committee and stealing files and opposition research on Donald Trump, the presumptive Republican presidential nominee.
Tracking and pinning blame for cyber attacks can take time, and determining whether they come from rogue hackers or foreign governments is challenging.
“It can take anywhere from a few weeks to a few months,” said Timothy Edgar, a cyber conflict expert at the Watson Institute of International and Public Affairs at Brown University. “The idea of instant attribution is a pipe dream.”
Edgar said an attack with no loss of life could still be highly disruptive.
“The thing that really worries me the most is an attack on the financial sector. The stakes are really high,” Edgar said.
U.S. officials blamed North Korea for hacking into Sony Pictures in 2014, and the FBI in March accused seven members of Iran’s Revolutionary Guard Corps of trying to hack into the operating system of a small dam northeast of New York City.
State-sponsored hackers from adversarial governments are routinely blamed for breaking into computer systems of the U.S. government. Agencies or offices that have reported hacks include the State Department, the Internal Revenue Service, the U.S. Postal Service and the White House.
Fingers often point to hackers in China or Russia although no claim of responsibility ever occurs.
“In cyberspace, most countries, even when it’s their military acting, do it with the equivalent of a boat that is painted black with no number and no flag on it,” Kanuck said.
A critical breach of information occurred early in 2015 at the federal Office of Personnel Management, where hackers obtained personal data on 22 million people, including, in many cases, fingerprints.
In some cases, experts suggest a brute cyber counterattack might be less effective than other methods.
“Threatening to reveal the private financial data of an authoritarian regime’s leader, his family and allied oligarchs may be far more potent than a counter cyber strike,” said Peter W. Singer, an expert on 21st Century warfare at the New America Foundation, a public policy think tank in Washington.
Tim Johnson: 202-383-6028, @timjohnson4