UPDATED MAY 31, 3:32 P.M.
WASHINGTON — A damaging attack on the United States that comes via the Internet could be punished with missiles and bombs, the Pentagon confirmed Tuesday.
A Defense Department strategy for cybersecurity, to be released in June, points to “the idea that attacks in cyber would be viewed the same way that attacks in a kinetic form are now,” said Pentagon spokesman Col. David Lapan.
Unidentified military officials who spoke on background to The Wall Street Journal for a story in Tuesday’s editions were even more explicit.
“If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” one official told the paper.
But clearly identifying an attacker is a big “if,” cybersecurity experts say. Attackers frequently cover their tracks by routing their actions through a maze of servers in uninvolved countries, or by writing destructive computer worms with few incriminating characteristics.
“A key thing you’ll need in all these scenarios is attribution — whodunit — because if you don’t have attribution you can’t respond in any way,” said Michael Swetnam, CEO and Chairman of the Potomac Institute for Policy Studies, a defense technology-oriented think tank in Arlington, Va.
Perhaps the most sophisticated and highly tailored cyber attack, the 2010 Stuxnet worm that destroyed components of the Iranian nuclear program, still has not been completely pinned down by forensics, said Peter Singer, who heads the 21st Century Defense Initiative at the Brookings Institution.
“No one has confirmed it yet to the level that you’re going to drop a JDAM (bomb) on someone’s power plant,” he said.
Lapan pointed out Monday that the prospect of a conventional military response to a cyberattack was raised in President Barack Obama’s International Strategy for Cyberspace, announced May 16.
The strategy doesn’t rule out conventional responses to online attacks.
“When warranted, the U.S. will respond to hostile attacks in cyberspace as we would to any other threat to our country,” it said.
Defense officials have previously voiced similar ideas publically.
“You don’t take any options off the table from an attack on the United States of America,” said General Kevin Chilton, who oversaw cyber defense for the Air Forces at the time, at a media event in May 2009. “Why would we constrain ourselves on how we would respond?”
But the most likely attackers aren’t “peer competitor” states, or any entity with clear bombing targets, Swetnam said. Small groups of terrorists are a more likely threat, he said.
“If you’ve got an Osama bin Laden who wants to do something cyber, he’ll buy a $1,000 computer and get a talented grad student from the university,” he said. “And if it’s a peer competitor, he won’t launch the attack from inside Russia or China. You won’t know where it’s coming from.”
Singer said it’s important for the Pentagon to signal that there are “red lines” other states shouldn’t cross. But such a Cold War-style approach has its limitations.
“The underlying assumption of deterrence is that I know who is thinking about doing a bad thing to me, and they know I know that, so I can threaten them and they won’t attack me,” he said. “The problem within cyber is much more complex than that.”