From Siobhan Gorman and Julian E. Barnes, the Wall Street Journal: The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.
The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country’s military.
In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official. . . .
One idea gaining momentum at the Pentagon is the notion of "equivalence." If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a "use of force" consideration, which could merit retaliation. . . .
The Pentagon’s document runs about 30 pages in its classified version and 12 pages in the unclassified one. It concludes that the Laws of Armed Conflict—derived from various treaties and customs that, over the years, have come to guide the conduct of war and proportionality of response—apply in cyberspace as in traditional warfare, according to three defense officials who have read the document. The document goes on to describe the Defense Department’s dependence on information technology and why it must forge partnerships with other nations and private industry to protect infrastructure.
The strategy will also state the importance of synchronizing U.S. cyber-war doctrine with that of its allies, and will set out principles for new security policies. The North Atlantic Treaty Organization took an initial step last year when it decided that, in the event of a cyber attack on an ally, it would convene a group to "consult together" on the attacks, but they wouldn’t be required to help each other respond. The group hasn’t yet met to confer on a cyber incident. (graphic: Matt Murphy/Economist)