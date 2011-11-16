* U.S. will respond to hostile attacks "when warranted"
* Cyberspace action would follow established legal policy
By David Alexander
WASHINGTON, Nov 15 The United States reserves
the right to retaliate with military force against a cyber
attack and is working to sharpen its ability to track down the
source of any breach, the Pentagon said in a report made public
on Tuesday.
The 12-page report to Congress, mandated by the 2011
Defense Authorization Act, was one of the clearest statements
to date of U.S. cybersecurity policy and the role of the
military in the event of a computer-borne attack.
"When warranted, we will respond to hostile attacks in
cyberspace as we would to any other threat to our country," the
report said. "We reserve the right to use all necessary means -
diplomatic, informational, military and economic - to defend
our nation, our allies, our partners and our interests."
Hostile acts, it said, could include "significant cyber
attacks directed against the U.S. economy, government or
military" and the response could use electronic means or more
conventional military options.
Cyberspace is a particularly challenging domain for the
Pentagon.
Defense Department employees operate more than 15,000
computer networks with 7 million computers at hundreds of
locations around the world. Their networks are probed millions
of times a day and penetrations have caused the loss of
thousands of files.
Private companies also face relentless cyber attacks,
including an increasing number linked to countries like China
and Russia, and they have grown increasingly frustrated about
the U.S. government's lack of response.
"There is a massive amount of frustration on the part of
the private sector," Dmitri Alperovitch, the former vice
president of threat research at McAfee, told an event hosted by
the George C. Marshall Institute.
U.S. companies are losing billions of dollars to cyber
theft each year, he said.
"Nothing is being done," Alperovitch said. "Something has
to be done from a policy perspective to address the threat ...
The fact that it is China, the fact that it is Russia. What are
we going to do to face those countries and get them to stop?"
The report said the Defense Department was attempting to
deter aggression in cyberspace by developing effective defenses
that prevent adversaries from achieving their objectives and by
finding ways to make attackers pay a price for their actions.
"Should the 'deny objectives' element of deterrence not
prove adequate," the report said, "DoD (Department of Defense)
maintains, and is further developing, the ability to respond
militarily in cyberspace and in other domains."
FINDING THE ATTACKERS
Key to a military response is being able to quickly
identify the source of an attack, particularly challenging due
to the anonymous nature of the Internet, the report said.
In an effort to crack that problem, the Pentagon is
supporting research focusing on tracing the physical source of
an attack and using behavior-based algorithms to assess the
likely identity of an attacker, the report said.
U.S. security agencies also are grooming a cadre of highly
skilled cyber forensics experts and are working with
international partners to share information in a timely manner
about cyber threats, including malicious code and the people
behind it, it said.
Attacks on U.S. computer networks have become more frequent
and more damaging in recent years, costing U.S. companies an
estimated $1 trillion in lost intellectual property,
competitiveness and damage. One defense company lost some
24,000 files in an intrusion in March.
Lani Kass, who recently retired as a senior policy adviser
to the chairman of the U.S. Joint Chiefs of Staff, said enemies
of the United States were becoming more savvy every day.
"You have got to assume that what we do in cyberspace can
be done to us quicker, cheaper and with fewer restrictions,"
she told Reuters after the Marshall Institute event.
Before moving to offensive action, the United States would
exhaust all other options, weigh the risk of action against the
cost of inaction and "act in a way that reflects our values and
strengthens our legitimacy, seeking broad international support
wherever possible," the report said.
"If directed by the president, DoD will conduct offensive
cyber operations in a manner consistent with the policy
principles and legal regimes that the department follows for
kinetic capabilities, including the law of armed conflict," the
report said.
The report followed the release in mid-July of the
Pentagon's cybersecurity policy, which designated cyberspace as
an "operational domain" like land, sea and air where U.S.
forces would be trained to conduct offensive and defensive
operations.
(Additional reporting by Andrea Shalal-Esa; Editing by Cynthia
Osterman)