US deterrents to cyber attacks could include a range of responses, including conventional force and economic sanctions, the chief of US Cyber Command said Monday.
Navy Adm. Michael Rogers, who also heads the National Security Agency, spoke in support of the US' economic sanctions against North Korea in response to the hack on Sony Pictures. It was important for the US to acknowledge a "red line" had been crossed, he said.
"The whole world was aware that Sony Corporation had suffered an offensive act that destroyed data as well as destroyed hardware," Rogers said in a cybersecurity forum at George Washington University.
"What concerned me was, given the fact that this is a matter of public record, if we don't publicly acknowledge it, if we don't attribute it and if we don't talk about what we're going to do in response to the activity ... I don't want anyone watching thinking we have not tripped a red line, that this is in the realm of the acceptable."
Rogers said the primary ways to deter an adversary are either to convince them they will be unsuccessful or that they will "pay a price" for success that "will far outweigh the benefit." That price may not entirely be in the cyber domain.
"Because an opponent comes at us in the cyber domain doesn't mean we have to respond in the cyber domain," Rogers said. "We think it's important that potential adversaries out there know that this is part of our strategy. The whole goal is, you do not want to engage in escalatory behavior."
After naming North Korea responsible for the attack against Sony last year, the US announced sanctions against 10 individuals and three entities in North Korea.
Asked whether conventional military weapons could be used to respond to attacks in cyberspace, Rogers said that many options are on the table.
"It's situational," he said. "What you would recommend in one scenario is not what you would recommend in another."
Complicating matters, hackers may have different intentions and varying levels of ability. Some may be criminals stealing information for identity theft; others may be nation states stealing intellectual property to generate an economic advantage.
Rogers said deterrence hinges on a wide recognition of what is acceptable and unacceptable. The US cannot go it alone and must work to establish international norms.
"If we try to create something that is US-only will be problematic in the long run," Rogers said. "Cyber doesn't really recognize geography."