By Dialogo
November 17, 2011

The United States reserves the right to retaliate with military force against a cyber attack and is working to sharpen its ability to track down the source of any breach, the Pentagon said in a report made public on Tuesday, November 15.

The 12-page report to Congress, mandated by the 2011 Defense Authorization Act, was one of the clearest statements to date of U.S. cybersecurity policy and the role of the military in the event of a computer-borne attack.

“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country,” the report said. “We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”

Hostile acts, it said, could include “significant cyber attacks directed against the U.S. economy, government or military” and the response could use electronic means or more conventional military options.

Cyberspace is a particularly challenging domain for the Pentagon. Defense Department employees operate more than 15,000 computer networks with 7 million computers at hundreds of locations around the world. Their networks are probed millions of times a day and penetrations have caused the loss of thousands of files.

The report said the Defense Department was attempting to deter aggression in cyberspace by developing effective defenses that prevent adversaries from achieving their objectives and by finding ways to make attackers pay a price for their actions.

“Should the ‘deny objectives’ element of deterrence not prove adequate,” the report said, “DoD (Department of Defense) maintains, and is further developing, the ability to respond militarily in cyberspace and in other domains.”

Key to a military response is being able to quickly identify the source of an attack, particularly challenging due to the anonymous nature of the Internet, the report said.

In an effort to crack that problem, the Pentagon is supporting research focusing on tracing the physical source of an attack and using behavior-based algorithms to assess the likely identity of an attacker, the report said.

U.S. security agencies also are grooming a cadre of highly skilled cyber forensics experts and are working with international partners to share information in a timely manner about cyber threats, including malicious code and the people behind it, it said.

Before moving to offensive action, the United States would exhaust all other options, weigh the risk of action against the cost of inaction and “act in a way that reflects our values and strengthens our legitimacy, seeking broad international support wherever possible,” the report said.