June 06, 2011, 12:28 AM — A formal Pentagon cyber strategy may define which acts of digital sabotage constitute acts of war that warrant conventional military retaliation, but cases clear-cut enough to justify such retaliation may be few and far between, experts say.
The problem is attribution - identifying that an attack comes from the government of another sovereign state so its assets can be attacked, they say.
"The U.S. military is setting itself up for failure because attribution is difficult, and it's easy to spoof your identity thereby falsely implicating the wrong government or group," says Jay Bavisi, president of EC-Council, an international cyber security education body. "A military attack could be misplaced, as a result, but at the same time not responding will now be seen as a sign of weakness."
The pending publication of a cyber war strategy from the Pentagon next month was reported by the Wall Street Journal, and drew interest because it promises to justify bombs and troops as appropriate responses to data theft and worms.
A string of similar recent announcements from other countries has raised the volume about if and when it's appropriate to answer a cyber attack with a physical response, or what would amount to a more traditional act of war.
But conclusively determining the source of attacks is difficult. An attack might be traced to computers in a given country, but that doesn't mean the government of that country is behind it, Bavisi says. It might be launched by zombie machines in that country that are controlled by someone else.
Still, clearly stating what the consequences would be might be an effective deterrent. "If we can source an attack, we could take appropriate action," says John Pironti, president of IP Architects security consulting. "This would set a framework for the level of activity we might take. What a measured response would look like might be a bomb."
A few highly visible actions against countries that do make these attacks might make others think twice before inviting dire consequences, says Andy Purdy, chief cyber security strategist for Computer Sciences Corporation (CSC) and former director of the national cyber security division of the Department of Homeland Security.
"This preparation is appropriate and positive," he says. "It's clear we need greater clarity between cyber attacks and the laws of armed conflict."