Department of Defense officials informed a subcommittee of the House Armed Services Committee on Tuesday that the Pentagon is in the process of finalizing guidelines for military operations in the cyberspace theater.
The Office of Secretary of Defense is coordinating the effort with the Joint Chiefs of Staff in order to present a coherent cyberwarfare policy in the next two months, according to reports.
The National Security Agency chief and head of U.S. Cyber Command, General Keith Alexander, told members of the subcommittee that finalizing the strategy for rules of engagement in cyberspace are “at the top of the list of the cyberthings that we’re working on right now”.
“This issue will be what set of authorities will we be given and what are the conditions under which we could conduct those authorities? (This) still has to be determined and ironed out within the administration,” Alexander said.
Standardizing the military's rules of engagement where electronic and information-based offense and defense are concerned has been a priority for the DoD for several years, but the process has been stymied by the complicated nature of the digital realm of operations.
Nonetheless, Defense Department officials believe that the potential threats to national security from cyber-related vulnerabilities are quite significant.
“I think the capabilities are available in cyber to virtually cripple this nation, to bring down the power grid system, to impact on our governmental systems, to impact on Wall Street on our financial systems, and literally to paralyze this country,” Defense Secretary Leon Panetta said in statements issued in February.
In July of 2011, the Department of Defense released a document that provided an outline for proposed military-based cyber operations titled Strategy for Operating in Cyberspace (pdf).
"Potential U.S. adversaries may seek to exploit, disrupt, deny, and degrade the networks and systems that DoD depends on for its operations. DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial of access or service that affects the availability of networks, information, or network-enabled resources; and destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks or connected systems," the document noted.
In December 2011, Congress officially sanctioned the option for the military to use offensive measures in cyberspace should the tactics be deemed necessary. Section 954 of the the FY 2012 defense authorization act states that “Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests."
The measure of a cyber attack and the corresponding response would be determined by evaluating the level of "death, damage, destruction or high-level disruption" caused by an attack. Under this strategy, a sizable event could prompt a significant military response given the level of damage incurred
“We can back up the Department’s assertion that any actor threatening a crippling cyberattack against the United States would be taking a grave risk,” Alexander said.