But President Obama’s decision to publicly name North Korea’s leaders for ordering the largest destructive attack on an American target, the announcement of new sanctions against state-sponsored and criminal hackers, and the indictment of five members of the People’s Liberation Army for attacking American corporate targets all reflect a sea change in administration policy.
American officials have fumed for years that cyberattacks were largely cost-free. Now, much as Presidents Truman and Eisenhower struggled to define circumstances that could prompt a nuclear response from the United States, Mr. Obama and his aides are beginning to lay out conditions under which the nation would employ cyberattacks — either in retaliation for a strike, as an offensive weapon for conflict or in covert action. They have made no mention of the central role the United States played in the large cyberstrike against Iran’s nuclear program.
In his speech at Stanford, Mr. Carter revealed that — like the White House and the State Department — the Pentagon found itself the victim of a cyberintrusion months ago.
“The sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks,” he said, saying the attack exploited “an old vulnerability in one of our legacy networks that hadn’t been patched.” He said that a “crack team of incident responders” had “quickly kicked them off the network.”
“As a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyberrisk to the U.S. homeland or U.S. interests before conducting a cyberspace operation,” the strategy says.
But it adds that “there may be times when the president or the secretary of defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations. For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests.” That last phrase seemed to leave open the door for pre-emptive cyber attacks.