The United States reserves the right to retaliate with military force against a cyberattack and is working to sharpen its ability to track down the source of any attack, the Pentagon said in a report made public Tuesday.
The 12-page report to Congress, which was mandated by the 2011 Defense Authorization Act, was one of the clearest statements to date of U.S. cybersecurity policy and the role of the military in the event of an attack on U.S. assets through cyberspace.
“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country,” the report said. “We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”
Cyberspace is a particularly challenging domain for the Pentagon. Defense Department employees operate more than 15,000 computer networks with 7 million computers at hundreds of locations around the world. Their networks are probed millions of times a day and penetrations have caused the loss of thousands of files.
The report said the Defense Department was attempting to deter aggression in cyberspace by developing effective defenses that prevent adversaries from achieving their objectives and by finding ways to make attackers pay a price for their actions.
“Should the ‘deny objectives’ element of deterrence not prove adequate,” the report said, “DoD (Department of Defense) maintains, and is further developing, the ability to respond militarily in cyberspace and in other domains.”
FINDING THE ATTACKERS
Key to a military response is being able to quickly identify the source of an attack, particularly challenging due to the anonymous nature of the Internet, the report said.
In an effort to crack that problem, the Pentagon is supporting research focusing on tracing the physical source of an attack and using behavior-based algorithms to assess the likely identity of an attacker, the report said.
U.S. security agencies also are developing a cadre of highly skilled cyber forensics experts and are working with international partners to share information in a timely manner about cyber threats, including malicious code and the people behind it, it said.
Attacks on U.S. computer networks have become relentless in recent years and have cost defense industries an estimated $1 trillion in lost intellectual property, competitiveness and damage. One defense company lost some 24,000 files in an intrusion in March.
Before moving to offensive action, the United States would exhaust all other options, weigh the risk of action against the cost of inaction and “act in a way that reflects our values and strengthens our legitimacy, seeking broad international support wherever possible,” the report said.
“If directed by the president, DoD will conduct offensive cyber operations in a manner consistent with the policy principles and legal regimes that the department follows for kinetic capabilities, including the law of armed conflict,” the report said.
The report followed the release in mid-July of the Pentagon’s cybersecurity policy, which designated cyberspace as an “operational domain” like land, sea and air where U.S. forces would be trained to conduct offensive and defensive operations.