The Pentagon's chief information officer is calling for an international set of "rules of engagement" for cyber warfare.
"Rules of the road that apply whether you are inside DOD or frankly if you are on your own [computer] system," explained Terry Halvorsen, the Defense Department's CIO, at a cybersecurity summit in Washington on Thursday.
Halvorsen also said that improving the nation’s cybersecurity defenses would require “a culture change.”
His statement echoes calls from lawmakers and other military and intelligence leaders for the U.S. to create standardized rules of engagement for cyber warfare.
“We don’t know what constitutes an act of war, what the appropriate response is, what the line is between crime and warfare,” Rep. Jim Himes (D-Conn.) said last week during a House Intelligence Committee hearing on global cyber threats.
“[It’s critical that] we commit ourselves as a country to lead the establishment of some rules of the road internationally on how warfare and crime is conducted in the cyber realm,” Himes added.
Lawmakers have questioned who would best spearhead that effort.
At the same hearing, Director of National Intelligence James Clapper and National Security Agency Director Michael Rogers cautioned against placing too much responsibility on the intelligence community to draw up international norms, characterizing such rulemaking as high-level policy decisions more appropriate to Congress.
Clapper and Rogers both suggested that such norms would evolve over time.
There is also debate over whether formal rulemaking is in the U.S.’s best interest from a foreign policy perspective.
Critics claim that a U.S. declaration that some kinds of cyber activity are unacceptable doesn’t mean that either individual hackers or state-based actors will follow the rules.
Others suggest that knowing how the U.S. will respond to redline cyber activity will act as a deterrent.
The challenge that the Defense Department faces, Halvorsen said Thursday, is that digital threats evolve so rapidly that officials can be forced to play catch-up.
A cyber criminal can spend "a fairly small sum of money and cause us to spend quite a bit of money," Halvorsen said. "Right now, we are on the wrong side of that cyber-economic curve."