WASHINGTON – In the murky world of computer espionage, the United States faces hard choices on how to retaliate when government or privately owned networks come under cyber-attack, senior military and intelligence officials said Tuesday.
As the administration grapples with how best to defend its computer networks, debate is raging over how far the United States can go in pursuit of cybercriminals, and even what constitutes a digital act of war.
The most immediate challenge is to identify the hacker, terrorist or enemy nation that launched the attack in vast and anonymous cyberspace, officials said.
That hurdle is complicated by privacy debates over how deeply the government can wade into privately owned systems to investigate threats, and how it should handle attacks against a company, as opposed to a federal agency.
U.S. law allows "hot pursuit" of criminals, said former Air Force Secretary Michael Wynne, so computer users "may have to tolerate some hot pursuit" through their digital world so authorities can track and ultimately respond to cybercrimes.
Speaking to a crowd of corporate and government technology experts at a conference sponsored by Defense Daily, Wynne and others painted a grim picture of the country's cybersecurity.
"In the face of our almost universal reliance on untrusted systems, the United States currently is facing a grave national security challenge in the form of exploitation of our government and private-sector networks and information," said Steven Chabinsky, assistant deputy director of cyber-issues for the Obama administration's director of national intelligence. "This exploitation is occurring on an unprecedented scale by a growing array of state and nonstate actors."
Chabinsky said the United States needs to figure out what it is prepared to do in the face of a cyber-assault, such as an action that would take down the electrical grid. And since the grid is run privately, officials also must decide how any counterattack should be coordinated with the corporate world.
He added that while other powerful nations have the ability to take down critical U.S. computer systems, they probably do not have the intent, because it would amount to a declaration of war.
Terrorists, meanwhile, might want to do so, and while they may not have the skills, they probably could hire someone who would, he said. Equally significant threats, said Chabinsky, come from disgruntled employees.
Just last Friday, President Barack Obama announced he would appoint a chief cyberguardian to work out of the White House and coordinate U.S. cybersecurity. The country, he said, is not as prepared as it should be to take on cyberthreats.
As the nation tries to police a digital world with no geography and no boundaries, however, the United States also must balance security with the limits on intrusions set down in the U.S. Constitution, said Brig. Gen. Michelle Johnson, deputy director for cyber-issues for the Joint Staff.
She said that while cyberspace is the new war-fighting domain that must be defended, officials also must consider privacy questions and set legal boundaries.