The United States reserves the right to retaliate with military force against a cyber attack and is working to sharpen its ability to track down the source of any breach, the Pentagon said in a report made public yesterday.
The 12-page report to Congress, mandated by the 2011 Defense Authorization Act, was one of the clearest statements to date of U.S. cybersecurity policy and the role of the military in the event of a computer-borne attack.
“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country,” the report said. “We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”
Hostile acts, it said, could include “significant cyber attacks directed against the U.S. economy, government or military” and the response could use electronic means or more conventional military options.
Cyberspace is a particularly challenging domain for the Pentagon.
Defense Department employees operate more than 15,000 computer networks with 7 million computers at hundreds of locations around the world. Their networks are probed millions of times a day and penetrations have caused the loss of thousands of files.
Private companies also face relentless cyber attacks, including an increasing number linked to countries like China and Russia, and they have grown increasingly frustrated about the U.S. government’s lack of response.
“There is a massive amount of frustration on the part of the private sector,” Dmitri Alperovitch, the former vice president of threat research at McAfee, told an event hosted by the George C. Marshall Institute.
U.S. companies are losing billions of dollars to cyber theft each year, he said.
“Nothing is being done,” Alperovitch said. “Something has to be done from a policy perspective to address the threat … The fact that it is China, the fact that it is Russia. What are we going to do to face those countries and get them to stop?”
The report said the Defense Department was attempting to deter aggression in cyberspace by developing effective defenses that prevent adversaries from achieving their objectives and by finding ways to make attackers pay a price for their actions.
“Should the ‘deny objectives’ element of deterrence not prove adequate,” the report said, “DoD (Department of Defense) maintains, and is further developing, the ability to respond militarily in cyberspace and in other domains.”
Key to a military response is being able to quickly identify the source of an attack, particularly challenging due to the anonymous nature of the Internet, the report said.
In an effort to crack that problem, the Pentagon is supporting research focusing on tracing the physical source of an attack and using behavior-based algorithms to assess the likely identity of an attacker, the report said.
U.S. security agencies also are grooming a cadre of highly skilled cyber forensics experts and are working with international partners to share information in a timely manner about cyber threats, including malicious code and the people behind it, it said.
Attacks on U.S. computer networks have become more frequent and more damaging in recent years, costing U.S. companies an estimated $1 trillion in lost intellectual property, competitiveness and damage. One defense company lost some 24,000 files in an intrusion in March.
Lani Kass, who recently retired as a senior policy adviser to the chairman of the U.S. Joint Chiefs of Staff, said enemies of the United States were becoming more savvy every day.
“You have got to assume that what we do in cyberspace can be done to us quicker, cheaper and with fewer restrictions,” she told Reuters after the Marshall Institute event.
Before moving to offensive action, the United States would exhaust all other options, weigh the risk of action against the cost of inaction and “act in a way that reflects our values and strengthens our legitimacy, seeking broad international support wherever possible,” the report said.
“If directed by the president, DoD will conduct offensive cyber operations in a manner consistent with the policy principles and legal regimes that the department follows for kinetic capabilities, including the law of armed conflict,” the report said.
The report followed the release in mid-July of the Pentagon’s cybersecurity policy, which designated cyberspace as an “operational domain” like land, sea and air where U.S. forces would be trained to conduct offensive and defensive operations.