The United States would use cyberweapons against an adversary’s computer networks only after those at the highest levels of government approved of the operation because of the risks of collateral damage, a senior U.S. military official said this week.
The director of intelligence at U.S. Cyber Command, Navy Rear Adm. Samuel J. Cox, said cyberattacks can do significant harm to a country’s infrastructure and never should be carried out in a cavalier manner.
Offensive cyberoperations are difficult to conduct with enough precision to avoid unintended casualties and damage to unrelated systems, he said.
“If you’re trying to do precision strike in cyberspace with a very high degree of confidence,” Adm. Cox said, “that takes enormous amounts of intelligence, planning, great care and very carefully crafted cybertools that won’t boomerang against you down the road.”
Adm. Cox also downplayed the prospect that an enemy of the United States could completely disable the nation’s electric power grid or shut down the Internet because these systems are designed to withstand severe cyberattacks.
“There’s huge amounts of resiliency and redundancy built into the system nowadays that makes that kind of catastrophic thing very difficult,” he said.
Cyber Command is in charge of defending U.S. military networks from attacks and intrusions. The command’s top officer, Army Gen. Keith B. Alexander, also is the director of the secretive National Security Agency, which gathers electronic intelligence from foreign governments.
Both NSA and Cyber Command are headquartered at Fort Meade, Md.
The Defense Department is developing rules of engagement for how commanders will operate in cyberspace and what missions they can conduct under their own authority.
During congressional testimony last month, Gen. Alexander said decisions on how to respond to adversaries in cyberspace would be made by the president and secretary of defense. But military commanders would have authority if circumstances demanded immediate action.
“Our job would be to defend and protect and to stop some of these attacks analogous to the missiles coming in and give the administration options of what they could do to take it to the next step, if they choose,” Gen. Alexander told the Senate Armed Services Committee.
The House of Representatives on Thursday will consider legislation to better defend critical U.S. industries and corporate networks from electronic attacks and intrusions by foreign governments, cybercriminals and terrorist groups. However, there are deep divisions over how best to accomplish the goal.
The U.S. Chamber of Commerce and other business groups oppose cybersecurity regulations. Rules imposed by Washington would increase their costs without reducing their risks, they say.
But Obama administration officials and security experts say companies that operate power plants, communication systems, chemical facilities and other such entities should have to meet basic performance standards to prove they can withstand cyberattacks or recover quickly from them.
There is broad agreement, though, on the need for the private sector and government to share information about hackers and the techniques they use to control the inner workings of corporate networks. With a system to securely exchange information, there is a much better chance of blocking cyberattacks and the theft of proprietary information.