Bill would require White House policy on cyberwar
Two senators have introduced legislation that would require the administration to create a policy for when a cyberattack crosses the boundary from a crime or nuisance to qualify as an act of war.
Two senators have introduced legislation that would require the president to determine when a cyberattack crosses a line to become an official act of war.
Sens. Angus King (I-Maine) and Mike Rounds (R-S.D.) say clear policy on the issue doesn't exist in spite of the increasing vulnerability of systems and personal information to cyberattacks.
"By requiring the administration to define what constitutes an act of war in the cyber domain, this legislation would help our government be better able to respond to cyberattacks and deter malicious actors from launching them in the first place," King said.
The Cyber Act of War Act of 2016, which is still in draft form, would require the White House to develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the U.S. That policy would be due within 180 days after the bill is enacted into law.
The issue of how the government should respond to growing, possibly state-sponsored cyberattacks has been brewing for some time as incidents such as the Sony hack and other large-scale breaches have spread and become more complex and consequential.
According to the bill, the policy must consider the equivalencies of the effects of a cyberattack with physical attacks that use conventional weapons with regard to physical destruction and casualties.
The policy must also consider intangible effects from the scope, duration and intensity of an electronic attack, and require the Defense Department to include the resulting policy definition in its Law of War Manual.
Cybersecurity experts, however, said the approach would be counterproductive and possibly even dangerous.
"I don't think it's needed," Dmitri Alperovitch, co-founder and CTO of CrowdStrike, told FCW. "A clear red-line definition would mean attackers could walk up to it and not cross it."
Instead, the consequences of an attack should dictate the response, he said, adding that "cyber is already a domain of war."
Jason Healey, a nonresident senior fellow at the Atlantic Council's Cyber Statecraft Initiative, said the bill "might be useful in some sense to help clarify what the administration considers their thresholds for responding to an attack with kinetic force," but he's not convinced such a bill is necessary.
Healey said the Obama administration "has already been sufficiently informative about this," and he cited a 2012 speech by then-Defense Secretary Leon Panetta that outlined a policy of military response to cyberattacks against the U.S.