WASHINGTON, July 15, 2016 —
When assessing whether a cyber incident constitutes an armed attack on the nation, Defense Department leaders take the incidents case by case and consider a range of factors, the deputy assistant secretary of defense for cyber policy told a House panel this week.
Aaron Hughes testified during a July 13 hearing titled, “Digital Acts of War” before the subcommittees on information technology and national security of the House Committee on Oversight and Reform.
Other witnesses included Chris Painter, coordinator for cyber issues at the State Department.
Case by Case
“When determining whether a cyber incident constitutes an armed attack, the U.S. government considers a broad range of factors, including the nature and extent of injury or death to persons and the destruction of or damage to property,” Hughes said.
“Cyber incidents are reviewed on a case-by-case basis,” he added, “… and the national security leadership and the president will make a determination if it's an armed attack.”
If a cyber incident were found to be equivalent to an armed attack, Hughes said the nation would use a whole-of-government approach to responding and deterring future malicious activities in cyberspace.
“The United States has been clear,” Painter said, “that it believes that cyber activities may in certain circumstances constitute an armed attack that triggers our inherent right to self-defense as recognized by Article 51 of the U.N. Charter.”
But even if the cyber incident is below that threshold, he added, “we still have a number of ways to respond. It could be kinetic. It could be through cyber means. It could be through economic means and sanctions. It could be through diplomacy. It could be through indictments and law enforcement actions.”
Defense, Offense, Deterrence
Since the updated DoD Cyber Strategy was signed in April 2015, Hughes said, “the department has devoted considerable resources to implementing its goals and objectives.”
When Defense Secretary Ash Carter signed the strategy, Hughes added, he directed the department to focus on three primary missions in cyberspace -- defending DoD networks, defending the nation against consequential cyberattacks and providing integrated cyber capabilities to support military operations and contingency plans.
DoD also supports a whole-of-government cyber deterrence strategy, he said, and deterrence is a key part of the cyber strategy.
The strategy describes DoD contributions to a broader national set of capabilities to deter adversaries from conducting cyberattacks.
The document also says the department assumes that cyberattacks on U.S. interests will be achieved through “the totality of U.S. actions, including declaratory policy, substantial indications and warning capabilities, defensive posture, effective response procedures, and the overall resiliency of U.S. networks and systems.”
States have not sought to define precisely or state conclusively what situations would constitute armed attacks in other domains,” Painter said, “and there is no reason cyberspace should be different.”
“In fact, he added, “strategic ambiguity could very well deter most states from getting close to the threshold of an armed attack.”
Working with Partners
The United States and the department face diverse and persistent threats in cyberspace from state and non-state actors that can’t be defeated through the efforts of any single organization, Hughes told the panel.
The DoD Cyber Strategy directs that the department work with its interagency partners, the private sector and allied and partner nations to deter and if necessary defeat cyberattacks of significant consequence on the U.S. homeland and U.S. interests.
Painter said that, unlike in previous years, today there is a very strong interagency process in place to share cyber information.
“All of the different interagency colleagues do talk about these threats, talk about possible responses, and in the end it's up to the national security staff and the president,” he said.
An increasingly wired and interconnected world has brought prosperity and economic gain to the United States while the nation’s dependence on these systems has left it vulnerable to evolving threats posed by malicious cyber activity, Hughes said.
DoD maintains and uses robust and unique cyber capabilities to defend its networks and the nation, but that isn’t enough, he added.
“Securing our systems and networks is everyone's responsibility and requires close collaboration with other federal departments, our allies and partners internationally and the private sector to improve our nation's cybersecurity posture, and to ensure that DoD has the ability to operate in any environment at any time,” Hughes said.
(Follow Cheryl Pellerin on Twitter: @PellerinDoDNews)