Last week the U.S. Secretary of Defense, Leon Panetta, warned of a possible cyber "Pearl Harbor" attack on the U.S. He called attention to a new battle space: cyberspace.
This speech appeared to have several targets and we can draw several conclusions from it. First, and easiest to discern, is that Panetta is rousing the U.S. Congress to take concrete action and pass into law rules and regulations governing the sharing of information between private enterprises and the government. Many might recall the protests this last spring over the Cyber Intelligence Sharing and Protection Act (CIPSA), and this clarion call from Panetta appears to be harkening back to these same issues. Indeed, this is probably why he explicitly notes that the President is likely to issue an Executive Order should Congress fail to act.
The second target is the American, and perhaps international, audience. With much speculation about the U.S.' potential cyber threat and its response capability, it is high time someone higher up actually address it. While the White House has most certainly put forth documentation regarding its position regarding cyber security, little from the defense community has been forthcoming. Panetta's speech, therefore, unveiled many more specifics than the U.S.' International Cyber Security Strategy, which for the most part aims at such lofty goals as providing for the free flow of information while simultaneously ensuring security of networks.
The final, and to me the largest, target is the potential cyber adversary. Since much pertaining to cyber capability and warfare is classified, the decision for Panetta to show the U.S.' hand is telling. Allow me to explain. Much ink has been spilt over the "attribution problem." This problem states that cyber attacks are very difficult to trace with absolute certainty, and so attributing responsibility to one or more parties is more of a guessing game than anything. Because the issue of attribution calls into question whether we can know with 100% certainty whether an attack came from, say Russia, China, Iran, Lichtenstein, or the Moon, any attempt to either retaliate in self-defense or punish for deterrent effects will be problematic at best. What if we picked the wrong state? What if the cyber-warriors were so talented that they made it appear that it was China attacking and really it was Botswana? We might end up attacking an innocent third party, thereby becoming an aggressor ourselves. But Panetta's speech clears away the uncertainty surrounding the attribution problem. He stated that the "United States has the capacity to locate [the aggressors] and to hold them accountable for their actions." Wow. That is some serious stuff.
What it means is that the U.S. has very good cyber forensic capabilities and that it has probably procured enough consensus from private internet providers to share critical information regarding cyber attacks. What this also means is that the U.S. will not only know who attacked it, but it will use any means it sees fit to either preempt the attack or act to deter potential attackers in the future. That means both cyber and traditional (or sometimes called 'kinetic') warfare is on the table. Most telling still is that the U.S. has marked out three areas where it will act if provoked or attacked: the nation, the national interest, and allies.
Acting to defend the nation is rather unsurprising. Acting to defend national interest(s) is also, given U.S. military and foreign policy history, unsurprising. What does seem surprising, though, is the bit about the allies. The potential here is that if a North Atlantic Treaty Organization (NATO) ally is attacked by a cyber weapon, then the U.S. might retaliate with either cyber or traditional weapons on the ally's behalf. This statement appears to contradict, or at least militate against, earlier NATO findings about cyber attacks against Estonia in 2007.
All in all, Panetta's statement is a clear warning: cyber war is here and the U.S. is prepared to enter the fray with whatever means necessary. The questions for us, now, are what should we do about it? Certainly public rules of engagement should be made available, but more than that, transparency in the policy and governance processes is also a must. It is a must because the greatest weapon a cyber warrior has is a weakness in computer code. If there is no weakness, then there can be no attack. If we make cyber security a common good -- governed by the commons -- than we have more minds at work to secure networks, and this can only be done outside of the shadows.