"One of the [Defense] Department's key policy goals in cyberspace is to deter cyberattacks. Incidents described as 'cyberattacks' or 'computer network attacks' are not necessarily 'armed attacks' for the purposes of triggering a nation-state's inherent right of self-defense," Aaron Hughes, deputy assistant secretary for cyber policy at DoD, wrote in prepared testimony for the Information Technology and National Security Subcommittees of the House Oversight and Government Reform Committee July 13. "In that vein, when determining whether a cyber incident constitutes an armed attack, the U.S. Government considers a number of factors including the nature and extent of injury or death to persons and the destruction of, or damage to, property. As such, cyber incidents are assessed on a case-by-case basis and, as the President has publicly stated, the U.S. Government's response to any particular cyber incident would come 'in a place and time and manner that we choose.'"
Hughes told the committee during oral testimony: "I think there's a number of factors from foreign policy implications and the like that we want to make a determination on response on a case by case basis."
On broad, high-level policy, Painter said the U.S. applies an effects-based test, just as it does in the physical world, to evaluating cyber attacks and responses. Under Presidential Policy Directive/PPD-20, a previously classified document outlining U.S. cyber operations policy that was leaked by former NSA contractor Edward Snowden, the president must sign off on all cyber operations. These include cyber collection, defensive cyber operations and offensive cyber operations.
In line with the whole-of-government approach and the policy of responding "in a place and time and manner that we choose," the administration has maintained on several occasions that a cyber incident might not merit, or ultimately receive, a response in cyberspace. This has been evident in the indictments unsealed against members of China's People's Liberation Army, members of the Syrian Electronic Army and Iranian hackers, among others, as well as in specific executive orders for cyber sanctions.
"In no way, shape or form would we want to limit ourselves to a merely cyber response … we would want to have all the tools there," Peter Singer, strategist and senior fellow at the New America Foundation, told the committee.
"Part of why you may choose to delay your response is not just the normative questions, it's to complicate the attacker's job. If you know that [an adversary is] inside your system, you can then observe them, steer them into areas where they can't cause harm," he added regarding responses to cyber incidents. "The bottom line here is that we're going to need a very creative and diverse strategy and the old kind of Cold War model of whacking back if they hack us just won't be successful, it won't deliver actual cybersecurity."
His comments parallel what others in the research and academic community have said on this topic. "Cyberspace is one domain. The United States military operates in many other domains," said Isaac Porche, a senior engineer at the RAND Corporation, at a February House Homeland Security Committee hearing. "But what prevents nation-states from taking action is the fact that they would have to deal with the United States in other domains. And so it always has to include all domains not just cyber. Our response to a cyberattack may not be in cyber."
Singer added that he hopes it's not just the NSC and the president making determinations on "cyber war." Congress, he said, has traditionally determined whether the U.S. is at war or not, a reference to Congress's constitutional authority to declare war.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.