The military and intelligence communities have known for at least two decades that "cyberwar" is war. Everyday experience has confirmed that the digital fight is very real, as cyber-attackers probe and occasionally crack the digital communications and data storage systems of military organizations, intelligence agencies, financial institutions and, frankly, just about everyone with a networked digital device.
Now the definition of warfare and military doctrine -- theory, principles and policies that guide the use of military force -- are catching up with reality.
According to a Wall Street Journal report this week, the Pentagon's new doctrinal term is "equivalence." If a cyberspace based attack inflicts damage comparable (equivalent) to a conventional attack using bombs, gunfire or beam weapons, then the cyber-attacker can expect the U.S. to retaliate with a range of weaponry, not just anti-viral software or a cyberspace-only counterattack.
Essentially, the U.S. military will no longer treat cyberspace as a semi-mystical gray zone somehow detached from the physical world. In 21st century Information Age societies that rely on digital devices for an array of critical safety, economic and security services, cyberspace provides fundamental connectivity. Fundamental reliance creates fundamental vulnerabilities. Vulnerabilities require protection.
Determining equivalence relies on judgment, and very likely a judgment made in the midst of a crisis. The odds are, however, like pornography, you and the Joint Chiefs of Staff will know it when you see it -- for example, when every computer screen in Washington freezes, geosynchronous military communications satellites suddenly fritz and die, and the entire East Coast's electrical grid stalls then quits.
Yet simply suggesting a notional Doctrine of Equivalence serves a valuable purpose: deterrence. The U.S. is indicating that it will not limit its response to a digital attack to cyberspace. A nation, transnational terror organization, gang or even an individual engaging in a cyber-attack on U.S. digital assets and capabilities risks physical counterattack -- a fancy way of saying they risk death for wreaking large-scale digital havoc.
For the last decade, defense and intelligence agencies have been slowly creeping toward a Doctrine of Equivalence between cyber-attack and kinetic attack. The rub in cyberspace has been twofold: deniability and lethality. Cyberspace is a vast, global jungle providing camouflage for clever snipers, crooks and armies. Determining where the cybershot came from can be difficult. Attackers can blame other organizations for the assault.
Estonia's cyberbattle with Russia illustrates the problem of deniability. In April and May 2007, Estonia suffered a sophisticated, sustained and coordinated "hack" of the country's digital systems. Estonia claimed that the attacks originated at the Internet addresses of "state agencies in Russia." Russia denied the charge, attributing the attacks to criminal organizations. Were the criminals proxies? Estonia lacked absolute proof of Russian culpability.
As for lethality, a digital attack doesn't leave shell craters or bleeding human casualties -- at least, not in the same overt sense of an assault with artillery and bombs. But the contingent lethality of a cyber-attack is real; a sustained digital attack erodes defense capabilities. Destroying spy and communications satellites in order to blind and disrupt U.S. command capabilities is a rough equivalent.
Moreover, the economic costs of a digital attack can be much larger than a classic barrage or bombing campaign.
The international agreements, customs and understandings that attempt to give warfare a legal framework will also adapt to these 21st century conditions. Treaties don't bind rogues and fanatics, but perception of a common threat and common vulnerabilities can bridge differences between rational antagonists and competitors.
The Wall Street Journal reported that the U.S. is attempting to reach a consensus position with American allies on how to respond to cyber-attacks, though the U.S. leans toward the position that holding countries which create cyberweapons responsible for their use serves a deterrent function.
As a member of NATO and cyber-attack victim, Estonia will no doubt forcefully contribute to that discussion.