In 2008 a cyber attack against the Pentagon’s computer network—it was believed to have originated in Russia but the Russian government denied complicity—rattled the Defense Department to the point of briefing then President George W. Bush. Defense contractor Lockheed Martin’s computer systems were hacked just last week, exposing sensitive military hardware information. And on the offensive side of things, the “Stuxnet” computer virus unleashed on Iran’s nuclear centrifuges from an unknown source (Israel, the U.S.?) is credited with slowing down that country’s development of nuclear weapons. Cyber warfare is an increasingly expected part of traditional warfare and as such requires the usual doctrines of engagement. The Pentagon first formal cyber strategy goes as far as classifying certain types of cyber attacks as acts of war—under the concept of equivalence, if a cyber attack produces death, destruction or high-level economic disruption then it could be a candidate for a “use of force” response. But can the identity of cyber attackers ever be truly confirmed, and can bullets best megabytes?
Stewart Baker, partner in the law firm Steptoe & Johnson; former Assistant Secretary for Policy at the Department of Homeland Security