U.S. lays out cyber attack guidelines

WASHINGTON - President Obama has signed executive orders that lay out how far military commanders around the globe can go in using cyber attacks and other computer operations against enemies and as part of routine espionage in other countries.

The orders detail when the military must seek presidential approval for a cyber assault on an enemy and weave cyber capabilities into U.S. war-fighting strategy, defense officials and cyber security experts said.

Signed more than a month ago, the orders cap a two-year Pentagon effort to draft U.S. rules for cyber warfare. The United States also is beginning to work with allies on global ground rules.

The U.S. guidelines are much like those that govern other weapons of war, from nuclear bombs to surveillance, the officials said.

In a broad new strategy document, the Pentagon lays out some of the cyber capabilities the military may use during peacetime and conflict. They range from planting a computer virus to using cyber attacks to bring down an enemy's electrical grid or defense network.

"You don't have to bomb them anymore. That's the new world," said James Lewis, cybersecurity expert at the Center for Strategic and International Studies.

The Pentagon strategy, he said, lays out cyber as a new warfare domain and stresses the need to fortify network defenses, protect critical infrastructure, and work with allies and corporate partners.

The entire strategy has not been released, but several U.S. officials described it on condition of anonymity. Many aspects of it have been made public by U.S. officials, including Deputy Defense Secretary William Lynn, in speeches over the last several months.

The Pentagon is expected to announce the entire strategy soon.

As an example, the White House guidelines would allow the military to transmit computer code to another country's network to test the route and make sure connections work - much like using satellites to take pictures of a location to scout missile sites or other military capabilities.

The digital code would be passive and could not include a virus or worm that could do harm later. But if the United States ever got involved in a conflict with that country, the code would have mapped out a path for any cyber attack if approved by the president.

The guidelines also make clear that when under attack, the United States can defend itself by blocking cyber intrusions and taking down servers in another country. And, as in cases of mortar or missile attacks, the United States has the right to pursue attackers across national boundaries - even if those are virtual network lines.

Lynn and others also say the Pentagon must more aggressively protect the networks of defense contractors that possess valuable information about military systems and weapons designs. In a pilot program, the Defense Department has begun sharing classified threat intelligence with a handful of companies to help them identify and block malicious cyber activity on their networks.

Over time, Lynn said, the program could be a model for the Homeland Security Department as it works with companies that run critical infrastructure such as power plants and financial systems.