Does the US risk being seen as a dog with a loud bark but no bite here? If you're going to make pronouncements that hacking will be considered an act of war (1), don't you kinda paint yourself into a corner when you get hacked?
OK, so the link you provided is a gross simplification of current thinking. Government officials have been quite clear that CNE[1] is NOT generally considered an act of war, rather, it's part of the usual intelligence operations expected during peacetime.
It's CNA (e.g. operations designed specifically to disrupt or destroy civilian or military targets) which is "on the table" for act-of-war status, particularly if there is kinetic effect. An example would be if something like Stuxnet were deployed against the U.S. power grid.
The idea is that it doesn't matter whether a power plant was disabled via a bomb or a backdoor. Both the intent and the outcome are the same. So the declaration of policy you linked to is really a clarification rather than a "change of course".
The lines are blurry when it comes to CNE and critical infrastructure. The problem you have is that if, say, 3 competing agencies are all vying for control of the same powerplant for CNE reasons (e.g. not trying to cause damage), the plant might nonetheless get taken out by accident. I'm not sure anyone is clear on what to do in that kind of a situation.
[1] We can divide "cyber" operations into the following categories (straight from wikipedia):
* Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
* Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense information systems and networks. Joint Pub 6.0 further outlines Computer Network Defense as an aspect of NetOps
* Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.
Any irrationality on our part can and will be exploited using false flag attacks. A third party who is not a friend of either US or China would benefit perhaps from hacking Chinese infrastructure then use it to launch an attack on US infrastructure -- a false flag attack.
Same applies to lower level stuff. If there is say a hypothetical an irrational policy for mandatory arrest of anyone suspected of terrorism, one shouldn't be surprised that neighbors will start reporting each other over the color of fence or wrong type of shutters installed.
Thanks for the explanation. Hopefully we can agree that it still puts the US in a precarious public spotlight...not sure that the public will make as detailed a distinction as appears to be required.
May be, not will be. Even the article you linked to is clear on that. The point is that attacks on US infrastructure using computers will not automatically be treated as less severe than dropping bombs simply by virtue of how they were carried out. That doesn't come anywhere near "all hacking == war".
I don't know why they (Obama and his advisers) ever thought that was a good idea. Whoever was planning to hack US never took that seriously anyway, and now that they've seen they won't actually do it, they can take them even less seriously.
I guess they couldn't just say "you hack us, we hack you back". Or more realistically: "We hack you first in secret. Then you hack us back in secret. And then we have an excuse to go public to get the public's support to hack you back, and get more funding and bills passed for whatever other secret operations we want to do next". Case in point: Iran.
It's CNA (e.g. operations designed specifically to disrupt or destroy civilian or military targets) which is "on the table" for act-of-war status, particularly if there is kinetic effect. An example would be if something like Stuxnet were deployed against the U.S. power grid.
The idea is that it doesn't matter whether a power plant was disabled via a bomb or a backdoor. Both the intent and the outcome are the same. So the declaration of policy you linked to is really a clarification rather than a "change of course".
The lines are blurry when it comes to CNE and critical infrastructure. The problem you have is that if, say, 3 competing agencies are all vying for control of the same powerplant for CNE reasons (e.g. not trying to cause damage), the plant might nonetheless get taken out by accident. I'm not sure anyone is clear on what to do in that kind of a situation.
[1] We can divide "cyber" operations into the following categories (straight from wikipedia):
* Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.
* Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense information systems and networks. Joint Pub 6.0 further outlines Computer Network Defense as an aspect of NetOps
* Computer Network Exploitation (CNE): Includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.