fighter jets, tanks, and so on. Thus, if any of these weapons are used, there is a presumption that actions involving them have been sanctioned by the controlling government—and inferences can often be drawn regarding that government’s intent in ordering those actions.
But when other weapons are not controlled exclusively by governments, inferring intent from action is much more problematic. This is especially so if communication cannot be established with the controlling party—as will often be the case with cyberattack. Attribution of a cyberattack (discussed above) helps, but if the party identified as being responsible is not a national government or another party with declared intentions toward the United States, it will be virtually impossible to determine intent with high confidence.
Determinations of intent and attribution of the source are often complicated—and inappropriately biased—by a lack of information. Ultimately, such determinations are made by human beings, who seek to integrate all available information in order to render a judgment. (Such integration may be automated, but human beings program the rules for integration.) When inexperienced human beings with little hard information are placed into unfamiliar situations in a general environment of tension, they will often make worst-case assessments. In the words of a former Justice Department official involved with critical infrastructure protection, “I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of an attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.”
To suggest how the elements above might fit together operationally, consider how a specific active defense scenario might unfold. In this scenario, active defense means offensive actions (a cyber counterattack) taken to neutralize an immediate cyberthreat—that is, with an operational goal—rather than retaliation with a strategic goal. The hostile cyberattack serves the offensive purposes of Zendia. The cyber counterattack in question is for defensive purposes.
The scenario begins with a number of important U.S. computer systems coming under cyberattack. For definiteness, assume that these computer systems are SCADA and energy management systems controlling elements of the power grid, and that the attacker is using unauthorized connections between these systems and the Internet-connected business systems of a