An eye for an eye, a tooth for a tooth, so the ancient dictum goes. But a cyber attack, according to Michael Rogers, the director of the United States' National Security Agency, does not necessarily equate to another cyber attack.
Things could get physical, he intimated at a cyber policy conference in Washington, D.C. on Monday.
"Because an opponent comes at us in the cyber domain doesn't mean we have to respond in the cyber domain," said Rogers, who also heads up the U.S. Cyber Command, speaking at the George Washington University forum. "We think it's important that potential adversaries out there know that this is part of our strategy. The whole goal is, you do not want to engage in escalatory behavior."
As the newswire Agence France-Presse reports, Rogers did not eliminate the possibility for real-world retaliation against a digital-based attack.
Asked whether conventional military weapons could be used to respond to attacks in cyberspace, Rogers said that many options are on the table.
"It's situational dependent," he said. "What you would recommend in one scenario is not what you would recommend in another."
In cyberspace, where the risk of getting caught is low and the rewards are potentially great, hackers are driven by simple economic forces to break into computer networks. And Rogers said wants to change that scenario by upping the consequences and penalties: making bad actors "pay the price" for their actions, which "will far outweigh the benefit." (After all, statecraft alone isn't doing the trick.)
The remarks seem to be in line with a cyber strategy document released last month by the Department of Defense. "During heightened tensions or outright hostilities, DoD must be able to provide the President with a wide range of options for managing conflict escalation," the report said. "To ensure unity of effort, DoD will enable combatant commands to plan and synchronize cyber operations with kinetic operations across all domains of military operations"
Rogers cited sanctions, a power the U.S. has already flexed in certain cases, as one possible response to a cyber attack. After Sony Pictures Entertainment, the film studio division of Japanese conglomerate Sony (sne) fell victim to an unprecedented cyber attack last year, the U.S. responded by naming and shaming North Korea, which it pinned the attack on, and by imposing economic sanctions on 10 individuals and three organizations from the so-called hermit kingdom.
Rogers said a "red line" had been crossed when the cyber vandals took on Sony. "If we don't publicly acknowledge it, if we don't attribute it, and if we don't talk about what we're going to do in response to the activity," he said, "I don't want anyone watching thinking we have not tripped a red line, that this is in the realm of the acceptable."
What exactly is on the other side of that red line in terms of consequences? That's still a work in progress.