The ancient art of war is coming to the internet.
The House and Senate agreed to give the U.S. military the power to conduct “offensive” strikes online — including clandestine attacks, via a little-noticed provision in the military’s 2012 funding bill.
The power, which was included in the House version but not the Senate version, was included in the final “reconciled” bill that is all but guaranteed to pass into law.
Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to–
(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).
While “offensive” action isn’t defined, that’s likely to include things like unleashing a worm like the Stuxnet worm that damaged Iran’s nuclear centrifuges, hacking into another country’s power grid to bring it down, disabling websites via denial-of-service attacks, or as the CIA has already done with some collateral damage, hacking into a forum where would-be terrorists meet in order to permanently disable it.
The conference report goes on to say:
The conferees recognize that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in relation to cyber operations and that it is necessary to affirm that such operations may be conducted pursuant to the same policy, principles, and legal regimes that pertain to kinetic capabilities.
The conferees also recognize that in certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged. The conferees stress that, as with any use of force, the War Powers Resolution may apply.
Despite mainstream news accounts, there’s been no documented hacking attacks on U.S. infrastructure designed to cripple it. A recent report from a post-9/11 intelligence fusion center that a water pump in Illinois had been destroyed by Russian hackers turned out to be baseless — and was simply a contractor logging in from his vacation at the behest of the water company.
Over the last few years, there’s been a drumbeat from D.C. and security contractors about the possibility of “cyberwar,” and the military has been pushing for, and largely receiving, increased funding for internet security research and more power to monitor and operate on the civilian internet.
Chinese hackers, perhaps affiliated with the government, have targeted large U.S. corporations, defense contractors and human rights groups with data-stealing trojans, something Bloomberg News trumpeted Tuesday as an “undeclared global cyber war.”
However, spying isn’t an act of war — just ask the NSA and CIA, who spend billions of dollars a year spying on other countries by intercepting communications and persuading foreign citizens to give the U.S. valuable intelligence. It’s certainly an aggressive state action, and a diplomatic issue. But if spying was an act of war, every CIA agent hiding under diplomatic cover would count as cause for a country to attack the U.S.
After perfunctory votes in both the House and Senate, the spending measure — and the cyberwar green light — will go to the President for his signature.
Via Stephen Aftergood’s Secrecy News