The Pentagon suffered one of its largest ever cyberthefts this spring. | REUTERS DOD could use force in cyber war

The Pentagon is ready to fight hackers with their own weapons in cyberspace, the newest domain for warfare but also “reserves the right” to respond to a cyberattack with military force, defense officials said Thursday.

At the National Defense University in Fort McNair, the Department of Defense unveiled its 13-page, de-classified cyberstrategy detailing how the U.S. would defend its networks and systems against cyberattacks.


Defense officials also disclosed that the Pentagon suffered one of its largest ever cyberthefts this spring when 24,000 files were stolen by a foreign government. Officials said the files were taken from a defense industry computer in March, but they did not identify the culprit.

“It would be irresponsible, and a failure of the Defense Department’s mission, to leave the nation vulnerable to a known threat,” Deputy Defense Secretary William Lynn told reporters. “Accordingly, the United States reserves the right, under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of our choosing.”

Lynn addressed concerns that the department is taking an aggressive, offensive role in cyberspace, saying the strategy’s “overriding emphasis is on denying the benefit of the attack.”

“If an attack will not have its intended effect, those who wish us harm will have less reason to target us in the first place,” Lynn said.

He added that the response to a cyberattack is “dictated by the effect” and “not by the location.” The president would “consider all the tools he has” if the attacks result in massive damage, including human losses and significant economic damage.

The bottom line is that the decision will be a judgment call, according to experts.

“At the end of the day, it’s the president who gets to decide if this is war or something else,” James Lewis, a senior fellow at the Center for Strategy and International Studies, told POLITICO. “The standard is ambiguous. Deciding when something is an act of war is not automatic. It’s always a judgment.”

The DOD cyberstrategy is made up of five initiatives. First, the Pentagon has recognized cyberspace as a new domain for warfare — just like land, sea, space and air. As such, the strategy calls for the department to equip and train itself to operate effectively in this new domain.

As part of this effort, the Pentagon is expected to use new tools — such as sensors, software and signatures — to detect and thwart potential attacks or malicious code before it affects U.S. networks or operations.

Secondly, the department will continue to implement new cyberpractices to defend its networks and systems, as well as take steps to prevent personnel disclosure of classified information through training and adopting new policies.

The DOD recognizes that it cannot secure networks on its own. The department is working to build more cooperation across agencies, particularly with the Department of Homeland Security, and with industry to beef up the nation’s cyberdefenses.

For example, the department will collaborate with industry to protect the intellectual property of defense technology and prevent counterfeits from finding their way into the military supply chain.

Lynn said the department has partnered with DHS to launch a pilot program with defense companies, called the Defense Industrial Base Cyber Pilot, to help boost the companies’ existing cyberdefenses. In the program, “classified threat intelligence is shared with defense contractors or their commercial Internet service providers along with the know-how to employ it in network defense,” he said.

Participation in the pilot program is voluntary, and Lynn said it has already stopped intrusions on some of the private partners.

In the same vein as the Obama administration’s global cybersecurity strategy, the department’s strategy encourages working with other countries to develop common cybersecurity standards and to share information about cyberthreats and criminals.

The final initiative calls on the department to recruit and build a pool of talented personnel to help protect its networks and services. Additionally, the department is committed to investing in technology and research and development to boost its defenses.

Some lawmakers on the Hill had hoped the defense department would define what acts of warfare in the digital age warrant a military response.

Prior to the release of the strategy, Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, told defense reporters that the Pentagon’s cyberstrategy would not include a declaration that the U.S. will respond to a cyberattack with military force, but he indicated that officials would consider that as part of future plans.

“We’re on the bad side of a convergent threat,” Cartwright said. “We’ve got to change that around, and part of that will be the deterrent construct.”

When responding to a question about how the act of war would be defined, Cartwright told reporters, “At the end of the day, it’s in the eyes of the beholder.”

Cyberassailants and foreign governments already have hit websites and computer systems across the defense world, Lynn warned.

Lynn called some of the data stolen in cyberattacks “mundane,” but added that “a great deal of it concerns our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols.”

“In fact, our venue here today, the National Defense University, has been struck,” Lynn said. “The NDU website and its associated server were recently compromised by an intrusion that turned over system control to an unknown server.”

The long-awaited DOD cyberstrategy “hit everything they need to hit,” Lewis said. But some components may be more difficult than others to implement. The call for more of a public-private partnership is a great idea but “expanding to get these hip, West Coast companies is going to be hard,” he said.

Silicon Valley, he said, is “a little bashful of working with the DOD.”

Charles Hoskinson and David Saleh Rauf contributed to this report.