The Pentagon has developed a list of cyber-weapons and cyber-tools, including viruses, that can sabotage an adversary’s critical networks, to streamline how the United States engages in computer warfare, a senior military official said to the Washington Post.
The classified list of capabilities has been in use for several months and has been approved by other agencies, including the CIA, and it forms part of the Pentagon’s set of approved weapons or “fires” that can be employed against an enemy.
The framework clarifies, for instance, that the military needs presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later. The military does not need such approval, however, to penetrate foreign networks for a variety of other activities. These include studying the cyber-capabilities of adversaries or examining how power plants or other networks operate. Military cyber-warriors can also, without presidential authorization, leave beacons to mark spots for later targeting by viruses, the official said.
Under the new framework, the use of a weapon such as Stuxnet could occur only if the president granted approval, even if it were used during a state of hostilities, military officials said. The use of any cyber-weapon would have to be proportional to the threat, not inflict undue collateral damage and avoid civilian casualties.
In general, under the framework, the use of any cyber-weapon outside an area of hostility or when the United States is not at war is called “direct action” and requires presidential approval, the senior military official said. But in a war zone, where quick capabilities are needed, sometimes presidential approval can be granted in advance so that the commander has permission to select from a set of tools on demand, the officials said.
The new framework comes as the Pentagon prepares to release a cyber-strategy that focuses largely on defense, the official said. It does not make a declaratory statement about what constitutes an act of war or use of force in cyberspace. Instead, it seeks to clarify, among other things, that the United States need not respond to a cyber-attack in kind but may use traditional force instead as long as it is proportional.