Pentagon Is Updating Conflict Rules in Cyberspace

WASHINGTON — The Pentagon is updating its classified rules for warfare in cyberspace for the first time in seven years, an acknowledgment of the growing threat posed by computer-network attacks — and the need for the United States to improve its defenses and increase the nimbleness of its response, the nation’s top military officer said Thursday.

The officer, Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff, also said that, globally, new regulations were needed to govern actions by the world community in cyberspace. He said that the Chinese did not believe that hacking American systems violated any rules, since no rules existed.

Discussing efforts to improve the Pentagon’s tools for digital defense and offense, General Dempsey said the military must be “able to operate at network speed, rather than what I call swivel-chair speed.”

“Cyber has escalated from an issue of moderate concern to one of the most serious threats to our national security,” he said. “We now live in a world of weaponized bits and bytes, where an entire country can be disrupted by the click of mouse.”

Under a presidential directive, the Pentagon developed “emergency procedures to guide our response to imminent, significant cyberthreats,” and is “updating our rules of engagement — the first update for cyber in seven years,” he said. This effort has resulted in the creation of what General Dempsey called an interagency “playbook for cyber.”

During a speech at the Brookings Institution, a policy research center, General Dempsey said these new “standing rules of engagement” for military actions remained in draft form, and had not yet been approved.

In his first major address on the new, virtual domain of computer warfare, General Dempsey gave an outline of what a significant attack might look like, and how the United States might respond.

If the nation’s critical infrastructure came under attack from poisonous code over a computer network from overseas, the first effort would be gathering information on the malware and the systems under attack. Network defenses would be in place, as “our first instinct will be to pull up the drawbridge and prevent the attack, that is to say, block or defend,” he said.

If the attack could not be repulsed, the new playbook calls for “active defense,” which General Dempsey defined as a “proportional” effort “to go out and disable the particular botnet that was attacking us.” It is notable that, in this situation, the line between active defense and offense might be blurry.

“If it became something more widespread and we needed to do something beyond that, it would require interagency consultation and authorities at a higher level in order to do it,” he said. Although these plans are classified, his statement indicated that the rules for responding in an escalated manner in cyberspace, or with a conventional retaliation, would require decisions by the civilian leadership.

General Dempsey’s speech drew a clear distinction between the nation’s two major efforts in cyberspace. The military’s role is in defending computer networks and, if so ordered by the president, carrying out offensive attacks. That is related to, but separate from, the intelligence community’s efforts to gather intelligence in cyberspace. Several of those highly classified intelligence-gathering programs were exposed via leaks from a former contract worker for the National Security Agency.

Assessing adversaries in cyberspace, General Dempsey said that China, in particular, had chosen a niche in stealing intellectual property. “Their view is that there are no rules of the road in cyber,” General Dempsey noted. He said American and Chinese officials would meet over coming days to discuss ways to “to establish some rules of the road, so that we don’t have these friction points in our relationship.”

The military headquarters responsible for computer-network warfare, the United States Cyber Command, will grow by 4,000 personnel with an additional investment of $23 billion, General Dempsey said. (Cyber Command and the National Security Agency are led by the same officer, Gen. Keith B. Alexander.)

“We are doing all of this not to address run-of-the mill cyberintrusions, but to stop attacks of significant consequence — those that threaten life, limb and the country’s core economic functioning,” General Dempsey said.