The classified list of capabilities has been in use for several months and has been approved by other agencies, including the CIA, said military officials who spoke on the condition of anonymity to describe a sensitive program. The list forms part of the Pentagon’s set of approved weapons or “fires” that can be employed against an enemy.
The integration of cyber-technologies into a formal structure of approved capabilities is perhaps the most significant operational development in military cyber-doctrine in years, the senior military official said.
The framework clarifies, for instance, that the military needs presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later. The military does not need such approval, however, to penetrate foreign networks for a variety of other activities. These include studying the cyber-capabilities of adversaries or examining how power plants or other networks operate. Military cyber-warriors can also, without presidential authorization, leave beacons to mark spots for later targeting by viruses, the official said.
One example of a cyber-weapon is the Stuxnet worm that disrupted operations at an Iranian nuclear facility last year. U.S. officials have not acknowledged creating the computer worm, but many experts say they believe they had a role.
Under the new framework, the use of a weapon such as Stuxnet could occur only if the president granted approval, even if it were used during a state of hostilities, military officials said. The use of any cyber-weapon would have to be proportional to the threat, not inflict undue collateral damage and avoid civilian casualties.
The new framework comes as the Pentagon prepares to release a cyber-strategy that focuses largely on defense, the official said. It does not make a declaratory statement about what constitutes an act of war or use of force in cyberspace. Instead, it seeks to clarify, among other things, that the United States need not respond to a cyber-attack in kind but may use traditional force instead as long as it is proportional.
Nonetheless, another U.S. official acknowledged that “the United States is actively developing and implementing” cyber-capabilities “to deter or deny a potential adversary the ability to use its computer systems” to attack the United States.
In general, under the framework, the use of any cyber-weapon outside an area of hostility or when the United States is not at war is called “direct action” and requires presidential approval, the senior military official said. But in a war zone, where quick capabilities are needed, sometimes presidential approval can be granted in advance so that the commander has permission to select from a set of tools on demand, the officials said.