Pentagon leaders are still working to determine when, exactly, a cyber-attack against the U.S. would constitute an act of war, and when, exactly, the Defense Department would respond to a cyber-attack on civilian infrastructure, a senior Defense Department official told lawmakers on Wednesday.
A cyber strike as an act of war "has not been defined," Acting Assistant Secretary of Defense for Homeland Defense and Global Security Thomas Atkin told the House Armed Services Committee. "We're still working toward that definition."
The White House and Pentagon let it be known in 2011 that acts such as shutting down the U.S. power grid via a cyber-attack could be seen as an act of war that would bring not only a cyber-response but perhaps "a missile down one of your smokestacks," a DoD official said at the time.
That bit of colorful language was not included in the final, published strategy, which did state that: "When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means -- diplomatic, informational, military, and economic -- as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests."
In recent years, the U.S., including Pentagon and White House computer systems, has been hacked, reportedly by China and Russia.
Yet the U.S. has not -- at least publicly -- declared exactly what kinds of attacks and what level of damage would trip the threshold into an act of war. Three years ago, Joint Chiefs of Staff Chairman Gen. Martin Dempsey told reporters that Congress should ultimately make such a call.
"It's called the War Powers Act," Dempsey said. "And here's why that's important. There is an assumption out there, I think, and I would like to disabuse you of it, that a cyber-attack that had destructive effects would be met by a cyber response with destructive attacks. That's not necessarily the case."
'Act of Significant Consequence'
Also not clearly defined, Atkin told lawmakers, is when the military would defend or go on the offense against state or non-state actors launching a cyber-attack on a civilian U.S. target, which he referred to as an "act of significant consequence."
"As regards an act of significant consequence, we don't necessarily have a clear definition that says this will always meet [the requirement]," he said, "but we evaluate it based on loss of life, physical property, economic impact and our foreign policy."
Atkin said he could not answer a hypothetical posed by Rep. Tulsi Gabbard, D-Hawaii, on whether loss of life resulting from an attack on the electrical grid cutting off power to hospitals would constitute an attack of significant consequence.
"What I would say is, regardless of whether the attack is of significant consequence or not, the Department of Homeland Security would respond, and if they needed assistance from the Department of Defense, they would ask for that … and we would respond [through DHS] to help that critical infrastructure," Atkin said.
He also said that Army National Guard cyber troops receive the same type of training as the active-duty force and could be activated under state authority.
"We recently completed coordination, train, advise and assist policy guidance within the department to allow National Guard troops to use Department of Defense resources to respond to a cyber event under state authority, and we're continuing to work other policies" toward the same end, he said.