DSBlog

Amid much press reporting on the soon-to-be-unveiled Department of Defense (DoD) cybersecurity strategy, The Wall Street Journal has zeroed in on a critical aspect of the plan: “The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.”

Establishing an explicit linkage between the cyber and the physical, from the standpoint of both threats and responses, is to be applauded. We wrote in these pages last summer that conflicting approaches to these two types of threats have represented a critical shortcoming, and that recasting such threats as basically “two sides of the same coin” will open the door to more effective responses, not to mention improved sharing of the best practices that both security communities bring to the table.

What’s equally intriguing – and encouraging – about this strategic nod to the notion of convergence between the two realms is that the government appears prepared to get its collective head around prioritizing the value of cyber assets in the same manner it currently applies to physical assets, perhaps taking its cues from the framework DoD uses to value defense industrial base assets or the one the Department of Homeland Security (DHS) created for each of its 18 critical infrastructure/key assets (CIKR) sectors.

The number of attacks occurring daily against corporate and government IT systems can sometimes appear overwhelming, and it increases the danger of a disproportionate – and therefore ineffective – response, one that attempts to “boil the ocean” rather than focusing on protecting the most vital assets based on an assessment of the consequences of their degradation or destruction. The latter is a fundamental tenet of security risk management, and it’s encouraging to see the principle being applied by DoD strategic planners.

The new strategy also reportedly introduces the related notion of “equivalence” in shaping a U.S. response to a cyber attack, which the Journal calls an idea that is “gaining momentum at the Pentagon… If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a ‘use of force’ consideration, which could merit retaliation.” The Journal quotes a DoD official this way: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

The full Journal article is here.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.
