

Hack us, and we'll bomb you - stcredzero
http://arstechnica.com/tech-policy/news/2011/05/us-warns-of-military-response-to-severe-cyberattacks.ars

======
GHFigs
Excerpt from actual US policy: "When warranted, the United States will respond
to hostile acts in cyberspace as we would to any other threat to our country.
All states possess an inherent right to self-defense, and we recognize that
certain hostile acts conducted through cyberspace could compel actions under
the commitments we have with our military treaty partners. We reserve the
right to use all necessary means—diplomatic, informational, military, and
economic—as appropriate and consistent with applicable international law, in
order to defend our Nation, our allies, our partners, and our interests. In so
doing, we will exhaust all options before military force whenever we can; will
carefully weigh the costs and risks of action against the costs of inaction;
and will act in a way that reflects our values and strengthens our legitimacy,
seeking broad international support whenever possible." (pp.18)

Ars Headline: "US warns: hack us, and we might bomb you"

Submission title: "Hack us, and we'll bomb you"

~~~
stcredzero
_Submission title: "Hack us, and we'll bomb you"_

There wasn't an intention to add editorial spin to the headline, but it seems my
sloppy transcription betrays my feelings on reading it.

------
sp_
I was kinda surprised when I heard about this. I always assumed this would
have been US policy already. Russia, for example, has already stated in 1996
that it will consider nuclear retaliation for cyber attacks on their country.

Source:
[http://www.airpower.au.af.mil/airchronicles/apj/apj96/spec96...](http://www.airpower.au.af.mil/airchronicles/apj/apj96/spec96/thomas.pdf)

------
dotBen
This whole policy assumes that attacks would only occur at a national level -
ie government initiated/sponsored attack towards US assets.

Aside from the issue of how hard it is to be able to successfully
geographically locate the source of an attack, what if a bunch of hackers in
China, operating privately, decide to hack the US? Is the US going to bomb China
if the level of the attack is severe enough? Diplomatic efforts will fail
pretty quickly if it genuinely isn't anything conducted by the Chinese
government.

But hey, let's swap out the contentious example of China for Australia or
France - is America going to bomb either of those countries because private
citizens in those locations are pursuing a national cyber-security warfare-
level attack?

If Al Qaeda et al have taught us anything it is that we cannot assume
national security attacks (and our defense strategies) to be state-sponsored
any more.

~~~
dkarl
Think of how outraged we'd be if Iran responded to Stuxnet by attacking the
U.S. or Israel militarily. In general, hacking (aka "cyberwarfare") poses an
intelligence challenge to determine whether an attacker is affiliated with or
acting on behalf of a state. If United States infrastructure were attacked by
a group of highly skilled individuals inside Iran or China, like you
suggested, who had no apparent government connections, it would be very hard
to determine whether they had been surreptitiously aided or manipulated by a
government intelligence agency, perhaps by anonymously sharing technical
information to aid their attack or by infiltrating the group with an agent who
pushed them to action and steered them toward particular targets.

------
jxcole
Laughable.

On 26 March 2010 the North Korean military launched a torpedo sinking a US
ally's warship, killing 46 of its 108 crew during a time of peace. The
Cheonan represented a significant loss to the South Korean people, and though
economic relations between the two nations broke down, no real military action
was taken by either the US or South Korea.

And now you're telling me we'll go to war if someone takes out the internet?

~~~
stcredzero
_And now you're telling me we'll go to war if someone takes out the internet?_

Interesting. I never thought about someone "taking out" the internet. An
internet kill switch would be useful to a government wanting to start a war.
Simply kill the internet, then blame it on the country of your choice.

~~~
lamnk
Jeez, if the government wants to start a war, evidence and reasons will be
fabricated to support it. The Iraq war (alleged weapons of mass destruction)
and the Vietnam war (Gulf of Tonkin incident) are two obvious examples.

~~~
stcredzero
Yes, but by using the kill switch, a govt might think they'd silence internet
dissent. (But good luck with that.)

------
stcredzero
Quite a stupid policy, IMO. It's much too easy to make it look like country X
is doing the hacking. It would be an exceedingly cheap way for a 3rd party to
marshal US resources on their behalf.

~~~
Hrundi
Depending on country X's relation with the US, they could actively try to
prove the attack came from somewhere else.

Yes, you can live in country 'A' and route all traffic through a country you
hate, 'X', making that country get all the heat. Country 'X' would then
attempt to prove that the attackers came from another country.

This is a lost battle... while a country points the blame to another country,
that country would forward the blame to yet another country.

There is an insane amount of vulnerability scanning/port scanning coming from
China. You can bet that one of those remote attackers is bound to hit an
improperly protected box in the US. It may not even be an attacker, it could
be a home PC from a botnet, mindlessly port-scanning IP ranges. Does that mean
the US would bomb China?

I mean, an attack can come from a single source but be routed behind so many
countries, even from the US itself!

~~~
karamazov
The US is not going to send missiles in response to some port scanning. But
massive attacks, such as the large-scale attack on Google or stealing data
from NASA or other government agencies, will now presumably trigger a strong
response.

------
dustingetz
PR. When Japan sends a fleet to Pearl Harbor and bombs us, we know who it was,
the crowds ('people') get mad, and we bomb them back. When Chinese hackers
target American corporations, there is not nearly so much transparency as to
who is behind it (govt sponsored? independent parties? terrorists?
businesses?), and the crowds aren't that mad. You can't go starting real-life
wars, with killing people and such and the economic consequences thereof,
without support of the crowds.

Of course if Chinese hackers shut down our utilities/communications, that's
certainly a real-life attack, and it will be easier to convince the crowds
that we know an enemy government is responsible.

------
evo_9
Maybe I'm naive but couldn't this be used to trick the US into attacking a
target that had nothing to do with the cyber attack to begin with? Seems like
a huge opportunity for 'bad-guys' to engage the US army to do their bidding,
but maybe it's harder to truly conceal or spoof your true origins than I've
been led to believe.

------
cmars
I remember reading that Kevin Mitnick wasn't even allowed payphone access for
fears he could start World War III.

I always thought this was rather silly overreacting. Now US policy makes it
possible for a hacker to start a war.

~~~
VladRussian
Have you read Mitnick's book? Sounds like not.

------
xiaoma
As a US citizen living in China, this policy scares the shit out of me.

------
code_duck
This makes sense to me. Computer attacks can cause real damage.

If my neighbor were to be constantly trying to break into my computers at home
with the intent of destroying them, and there was no chance to appeal to law
enforcement, I could certainly see going and knocking on their door with the
desire to stop them from doing that.

However, the US has a history of finding reasons to go to war in unexpected
places, since 1960 at least. Any excuse to expand the reasons they can pick is
worthy of scrutiny.

------
VladRussian
1. the IDS system identifies the IPs of the attackers

2. the IPs are geo-located

3. the Reapers on duty flying closest to the locations receive the targeting
info and deliver the Hellfires.

Everything in completely automated mode, no human involvement needed.

------
Vivtek
Good God. Let's just _advertise_ a conveniently spoofable military attack
system, shall we?

~~~
biot
Time to attack 127.0.0.1 again?

------
neutronicus
I think this is more of a "we reserve the right" kind of thing than a
statement of intent.

------
SideSwipe
So to instigate a war all you'd have to do is be part of a group like
Anonymous, throw out some subtle misinformation that made it seem you were
acting on behalf of a government entity, then voilà, war.

------
xster
I think the US will bomb you regardless of the need for a casus belli. It's
pretty skilled at engineering one for the past dozen invasions.

------
imasr
I guess they haven't seen War Games (the movie).

