Inquirer Editorial: Declaring war on hackers

By declaring that some cyber attacks could trigger a military response, the Pentagon may have taken a step that could further ensconce this nation in a seemingly perpetual state of war.

That's not what war-weary Americans want to hear. After a decade of seeing thousands of U.S. soldiers die in Iraq and Afghanistan, people are looking for pathways to peace, not new avenues to combat.

The Defense Department's new position, first revealed Tuesday in a Wall Street Journal article, says military retaliation would be appropriate if computer hackers caused or threatened the same death or destruction that would occur in a military attack.

But a military response requires knowledge of the hacker's whereabouts, which isn't always so easy to determine. The Pentagon believes the most sophisticated cyber attacks would require a government's resources, but which government?

The Pentagon still doesn't know who was responsible for a 2008 cyber attack on one of its computer systems. Some pointed fingers at Russia, but Russia denied involvement. Similarly, the hackers who used a Stuxnet computer virus to cripple Iran's nuclear program last year aren't known, although some believe Israel, with U.S. assistance, was the culprit.

Without clear evidence that a specific country sponsored a cyber attack, how can military retaliation be justified?

Perhaps the Pentagon hopes the mere threat of a military response will stop other nations from employing hackers. But threats haven't stopped countries from hosting terrorist groups.

That's not to say the Pentagon shouldn't try to prevent cyber attacks that would damage defense systems or otherwise endanger American lives and vital infrastructure by, for example, bringing down electrical grids or sabotaging transportation networks.

Hacking has become more sophisticated and more frequent. Just last week, Google Inc. accused unknown China-based hackers of targeting the e-mail accounts of senior U.S. government and military officials. But such episodes require better safeguards against computer attacks, not declarations of war against an unconfirmed enemy.

The Pentagon isn't trying to lave the president out. He and other civilian officials would weigh the gravity of a situation before deciding if a military response was appropriate. But by redefining what is an act of war, the Defense Department is setting the ground rules for any subsequent debate.

One can't help but be reminded of the post-9/11 arguments between those who thought the perpetrators should be pursued by law-enforcement agencies for committing a heinous crime and those who said the military must respond to an act of war. Thus began the "war on terror." Troops were sent to Afghanistan, and 10 years later it's uncertain when that war will end. Should the keystrokes of a hacker set off a similar military response?

Vigilance is crucial, and so is a proper response to any threat to American lives. But declaring war on entities with no clear ties to the state in which they may have committed their act could lead to more open-ended military operations that are ever more difficult to end once they have started.