Continued from page 1

Mr. Aland said the nature of cyberconflict made it practically impossible to distinguish warfare from crime or terrorism.

“The only real difference is in the target set, which bleeds over dramatically from one [category] to the next - and the intent of the actors,” which is all but impossible to determine, he said.

“It becomes impractical to work out who the actors are… and apply the relevant legal framework,” Mr. Aland said, adding that there needs to be a “wholly new approach.”

Gen. Lord agreed.

“When does a cyberattack on a bank change from being just a cybercriminal to being someone attacking the nation’s banking system?” he asked.

“Some would argue it doesn’t matter,” he said, “and it may not matter if you are inside the bank, but it matters if you are following U.S. law in determining what action, what activity, you can take against — if you can figure out who the attacker is.”

He also said the laws that govern traditional conflicts apply to U.S. cyberwarfare efforts, much the same way targeting decisions for U.S. air power are bound by the restrictions of the Geneva Conventions.

“You still have to look at reciprocity, at collateral damage,” he said. “We do consider cyber as a war-fighting domain, but one in which places like the Internet exist, and you have to de-conflict all that.”

Those decisions lie with the combatant commanders and, specifically, with the commander of U.S. Strategic Command, which is also setting the requirements for the Air Force’s cyberforces.

Gen. Lord said the top-priority requirement right now is training, “all the way down from the Air [Force] Institute of Technology to basic military training.” He likened the basic training to “equipping airmen with cybersidearms… officers, enlisted and maybe even contractors, so that they know their responsibilities for behavior on the network today.”

Gen. Lord said the numbered Air Force cybercomponent will also support U.S. Northern Command, which controls all U.S. military forces within the continental United States, whether it is needed in response to a cyberattack or as a result of a more conventional disaster, such as a hurricane.

“It’s not just the attack-and-defense piece; there’s consequence management, too,” he said, “where military personnel and equipment could get broken networks up and running for the civilian population.”