U.S. officials have yet to define what cyber-attacks against American networks amount to acts of war, according to several top senators and a Pentagon nominee.
“We’ve got to figure that out pretty quick,” Senate Armed Services Committee Chairman Carl Levin (D-Mich.) said Tuesday.
That document, however, does not define what the Obama administration considers an act of cyberwar, nor does it detail how the military would respond to a major electronic attack. It also features no description of the kinds of actions the military is conducting in the electronic domain.
Those omissions brought fresh questions Tuesday during a Senate Armed Services Committee hearing about whether the Defense Department, White House, federal agencies and industry are truly prepared for a major attack on the U.S. through the Internet.
The Pentagon cyberspace plan and a speech by Deputy Defense Secretary William Lynn on Thursday left some "fundamental questions" unanswered, said Sen. John McCain (Ariz.), the top Republican on the Armed Services panel.
Specifically, the Obama administration has yet to define what moves by individuals, groups and nations would be considered "hostile actions" in cyberspace.
The administration "needs to clarify" foggy details about the military's activities in the electronic domain, as well as when and how the military would "react" to such actions, McCain said.
Senators questioned Madelyn Creedon about what the U.S. policy is for a war act in cyberspace during a hearing to consider her nomination to become assistant defense secretary for global strategic affairs.
Several times, Creedon told the panel she needed to closely review U.S. laws that spell out what Washington has traditionally regarded as an act of war. But under questioning from Sen. Richard Blumenthal (D-Conn.), she finally acknowledged that when it comes to acts in the electronic realm, “the policy is unclear.”
Creedon is a longtime Senate Armed Services Committee counsel and former Energy Department official. She is expected to be confirmed by the Senate.
There was an air of urgency in questioning about the matter from Levin, McCain, Blumenthal, Sen. Scott Brown (R-Mass.) and others.
Lynn last week revealed a "foreign intelligence service" nabbed 24,000 files from the Defense Department in a recent breach.
Blumenthal said he would bet “average Americans” would say that kinds of theft would indeed rise to the level of an act of war against the United States.
Creedon said any eventual policy likely would be nuanced. Factors including the scale of the attack and from what nation or group the attack came would likely have to be considered, she said.
The nominee told the panel the U.S. would almost certainly respond to a major cyberattack with its own electronic actions designed to cut off the perpetrator’s ability to repeat an attack. And she said a major strike that caused a severe disruption might even bring a U.S. ground attack.
“It seems that is at the heart of the matter,” Levin said, adding that how to retaliate to that kind of an attack is “an open question … that we haven’t sorted out.”
Levin said an attack that causes a major disruption seems to “constitute an act of war.” Creedon agreed that such a strike “sure sounds like” a war act.
Levin shot back: “How could it not be?”
The nominee warned against setting “red lines” too soon.
The senators made clear that they want a policy in place that punishes attackers.
Brown called for “throwing the book” at them and fashioning a policy on war acts in cyberspace quickly because “we can’t let this go on willy-nilly.”