In a move with no publicity and reportedly little input from the White House, the Pentagon has allegedly approved the U.S. Cyber Command to perform offensive cyberattacks.
The Pentagon approved the use of daily and constant offensive cyberattacks in the spring of this year, according to the original report by The New York Times. The offensive cyberattacks would aim to take pre-emptive action against malicious actors before damage could be done to the U.S.
The planned actions would fall "short of war," although experts have previously argued there may not be a consensus definition of what constitutes an act of cyberwar. In 2016, the Senate introduced a bill to have then-President Barack Obama clarify the definition of an act of cyberwar, but that bill never passed.
According to The New York Times, the decision to approve offensive cyberattacks was not formally debated inside the White House, and it is unclear what concessions may have been made to address the potential risks, which include the possible need to invade an ally's network or how to handle escalation in counterattacks.
The mission statement of the U.S. Cyber Command had been to take a more defensive role and protect the Department of Defense networks. There was leeway in that mission to perform offensive cyberattacks, but only in the effort of preventing harm to the U.S. or its allies.
Leo Taddeo, CISO at Cyxtera Technologies, based in Coral Gables, Fla., and former special agent in charge of cyberops for the FBI's New York office, said enterprises are likely to take collateral damage as a result of this change.
Leo TaddeoCISO at Cyxtera
"If the U.S. begins to conduct constant and disruptive activities in foreign computer networks, private enterprises here should expect to be on the receiving end of the return fire," Taddeo said via email. "This would not be a positive development for organizations that are already struggling to address the cyber threat."
Andrea Limbago, chief social scientist at Endgame, based in Arlington, Va., said the Cyber Command's action plan likely focuses on maneuvering between defense and using offensive cyberattacks as part of a deterrent strategy.
"The United States has largely done very little publicly in response to cyberattacks, generally avoiding discussing any kind of offensive capabilities or objectives for decades, and still has only publicly attributed a handful of cyberattacks to foreign governments," Limbago wrote via email. "It is essential to keep that point in mind, as the cyber domain is not siloed from other domains, and so we must move beyond a focus on cyber tit-for-tat when discussing offense and defense."
"Perhaps the greatest takeaway from this ongoing debate about offense and defense is that both are crucial components of any larger United States cybersecurity strategy, which still is lacking and desperately needed," she continued. "If and when that is released, we'll have a better gauge on concrete priorities in the cyber domain."