Congress

Bill would require White House policy on cyberwar

sphere of binary data

Two senators have introduced legislation that would require the president to determine when a cyberattack crosses a line to become an official act of war.

Sens. Angus King (I-Maine) and Mike Rounds (R-S.D.) say clear policy on the issue doesn't exist in spite of the increasing vulnerability of systems and personal information to cyberattacks.

"By requiring the administration to define what constitutes an act of war in the cyber domain, this legislation would help our government be better able to respond to cyberattacks and deter malicious actors from launching them in the first place," King said.

The Cyber Act of War Act of 2016, which is still in draft form, would require the White House to develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the U.S. That policy would be due within 180 days after the bill is enacted into law.

The issue of how the government should respond to growing, possibly state-sponsored cyberattacks has been brewing for some time as incidents such as the Sony hack and other large-scale breaches have spread and become more complex and consequential.

According to the bill, the policy must consider the equivalencies of the effects of a cyberattack with physical attacks that use conventional weapons with regard to physical destruction and casualties.

The policy must also consider intangible effects from the scope, duration and intensity of an electronic attack, and require the Defense Department to include the resulting policy definition in its Law of War Manual.

Cybersecurity experts, however, said the approach would be counterproductive and possibly even dangerous.

"I don't think it's needed," Dmitri Alperovitch, co-founder and CTO of CrowdStrike, told FCW. "A clear red-line definition would mean attackers could walk up to it and not cross it."

Instead, the consequences of an attack should dictate the response, he said, adding that "cyber is already a domain of war."

Jason Healey, a nonresident senior fellow at the Atlantic Council's Cyber Statecraft Initiative, said the bill "might be useful in some sense to help clarify what the administration considers their thresholds for responding to an attack with kinetic force," but he's not convinced such a bill is necessary.

Healey said the Obama administration "has already been sufficiently informative about this," and he cited a 2012 speech by then-Defense Secretary Leon Panetta that outlined a policy of military response to cyberattacks against the U.S.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


Featured

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.