In its first formal cyber strategy, the Pentagon has concluded that computer sabotage by another country could constitute an act of war, administration and military sources told NBC News on Tuesday, confirming a report in the Wall Street Journal.
The officials emphasize, however, that not every attack would lead to retaliation. Such a cyber attack would have to be so serious it would threaten American lives, commerce, infrastructure or worse, and there would have to be indisputable evidence leading to the nation state involved, NBC Pentagon correspondent Jim Miklaszewski said.
Unclassified parts of the 30-page strategy are expected to become public in June, the Wall Street Journal reported, attributing the disclosure to three defense sources who had read the report.
A military source described the strategy to the Journal this way: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."
Pentagon officials and others in Washington are still debating what would constitute an act of war, the Journal stated, though one idea gaining traction is that of "equivalence" — military retaliation would be triggered by a cyber attack that causes the kind of death, damage or high-level disruption that a traditional military attack would cause.
Recent attacks
The news comes after Lockheed Martin admitted it was the recent target of a "significant and tenacious" cyber attack, although the defense contractor and the Department of Homeland Security insist the hack was thwarted before any critical data was stolen.
Lockheed Martin said in a statement Saturday that it detected the May 21 attack "almost immediately" and took countermeasures.
"Our systems remain secure; no customer, program or employee personal data has been compromised," the company said. Neither Lockheed Martin nor federal agencies would reveal specifics of the attack, or its origins.
This isn't the first time Lockheed Martin has been targeted. Nearly four years ago, officials revealed that hackers had breached Lockheed's high-tech Joint Strike Fighter program. Officials said that no classified information about the military program was compromised, but heightened protections were added.
Analysts said the latest attack would likely spur rival defensive contractors to take additional steps to safeguard their systems.
"I guarantee you every major defense contractor is on double alert this weekend, watching what's going on and making sure they're not the next to fall victim," said Josh Shaul, chief technology officer at Application Security, a New York-based company that is one of the largest database security software makers.
Over the past several years, the U.S. government has become more aggressive in its efforts to tackle cybercrime, developing strategies to beef up government computer systems, expand cooperation with other countries and improve coordination with the private sector.
Cybersecurity was declared a top priority by President Barack Obama shortly after he took office in 2009, setting off several government-wide reviews to develop strategies to frame how the U.S. will better secure government, business and public online activity.
The Pentagon last May set up a new Cyber Command, based alongside the National Security Agency at Fort Meade, Md., in recognition of the expanding threat against the Defense Department and the need to better coordinate the nation's offensive and defensive cyber operations.
The Department of Homeland Security is also slowly employing an automated system — known as Einstein 2 and Einstein 3 — to protect government agencies' computer systems.
Still, the attacks have continued. William Lynn III, the deputy defense secretary, said in January that more than 100 foreign intelligence agencies have tried to breach U.S. defense computer networks, largely to steal military plans and weapons systems designs.
'How the world works'
Rich Mogull, analyst and CEO of Phoenix-based security research firm Securosis, noted that governments and defense agencies have been spying on each other throughout history. Computers have just made it easier to do so electronically.
"This is just what countries do," he said. "It's the unfortunate reality of how the world works."
NBC's sources pointed out that the Obama administration’s National Security Strategy, released May 1, essentially covers the option of military retaliation by putting all appropriate actions on the table in defense of U.S. security — including military force.
Ultimately it would be the president’s decision — not the Pentagon’s — to launch a conventional military attack no matter the offense or the target, Miklaszewski reported.