Cyberattacks on U.S. infrastructure or networks could be met with a conventional military response, the chairman of the Joint Chiefs of Staff said today.
"There is an assumption out there ... that a cyberattack that had destructive effects would be met by a cyber response that had destructive effects," Army Gen. Martin E. Dempsey said to an audience at a Brookings Institution forum. "That's not necessarily the case. I think that what [President Barack Obama] would insist upon, actually, is that he had the options and the freedom of movement to decide what kind of response we would employ."
The impact of a cyberattack is a key question for elected officials to answer when considering the level of response, Dempsey said. "When does cyber theft become a hostile act?" the chairman asked. "Or when does cyber theft, added to distributed denial of services, become a hostile act? Or is a hostile act simply defined as something that literally is destructive in nature?"
Cyber has many features in common with other domains, and shouldn't be thought of as a wholly exceptional realm, Dempsey said. Although it can sometimes feel abstract, he explained, cyber is a physical domain in the sense that it is operated by men and women over routers and servers, and cyberattacks can result in real, physical damage.
"I think that to the extent that we can always think about it in the way that we've always organized our thinking about the other domains, it might illuminate the challenge a little better," the chairman said. "I do think that there are capabilities out there that are so destructive in nature and potential that it would be very difficult not to see them as acts of war."
But, he noted, "the decision to declare something a hostile act -- an act of war -- is certainly one that resides in the responsibility of our elected leaders."