The United States is warning that a cyber attack -- presumably if it is devastating enough -- could result in real-world military retaliation.

Easier said than done.

In the wake of a significant new hacking attempt against Lockheed Martin Corp, experts say it could be extremely difficult to know fast enough with any certainty where an attack came from. Sophisticated hackers can mask their tracks and make it look like a cyber strike came from somewhere else.

There are also hard questions about the legality of such reprisals and the fact that other responses, like financial sanctions or cyber countermeasures, may be more appropriate than military action, analysts say.

There are a lot of challenges to retaliating to a cyber attack, said Kristin Lord, author of a new report on U.S. cyber strategy at the Center for a New American Security, a Washington-based think tank.

It is extremely difficult to establish attribution, to link a specific attack to a specific actor, like a foreign government.

The White House stated plainly in a report last month that Washington would respond to hostile acts in cyberspace as we would to any other threat to our country -- a position articulated in the past by U.S. officials.

The Pentagon, which is finalizing its own report, due out in June, on the Obama administration's emerging strategy to deal with the cyber threat, acknowledged that possibility on Tuesday.

A response to a cyber incident or attack on the U.S. would not necessarily be a cyber response ... all appropriate options would be on the table, Colonel Dave Lapan, a Pentagon spokesman, said.

The sophistication of hackers and frequency of the attacks came back into focus after a May 21 attack on Lockheed Martin, the Pentagon's top arms supplier.

Lockheed said the tenacious cyber attack on its network was part of a pattern of attacks on it from around the world. The U.S. Defense Department estimates that over 100 foreign intelligence organizations have attempted to break into U.S. networks.

Every year, hackers steal enough data from U.S. government agencies, businesses and universities to fill the U.S. Library of Congress many times over, officials say.


Several current and former national security officials said U.S. intelligence agencies did not appear particularly concerned about the Lockheed attack. One official said that similar cyber attacks directed at defense contractors and government agencies occurred all the time.

Some critics say the Obama administration is not moving fast enough to keep up with the cyber threat or to develop a strategy that fully addresses concerns about privacy and oversight in the cyber domain.

The United States, in general, is well behind the curve, said Sami Saydjari, president of the privately held Cyber Defense Agency, pointing to significant strategic advances out of countries like China and Russia.

China has generally emerged as a prime suspect when it comes to keyboard-launched espionage against U.S. interests, but proving Beijing is behind any future plot would be difficult because of hackers' ability to misdirect, analysts say. China has denied any connection to cyber attacks.

The Pentagon's upcoming report is not expected to address different doomsday scenarios, or offer what Washington's response would be if, say, hackers wiped out Wall Street financial data, plunged the U.S. Northeast into darkness or hacked U.S. warships' computers.

We're not going to necessarily lay out -- 'if this happens, we will do this.' Because again the point is if we are attacked, we reserve the right to do any number of things in response, Lapan said.

(Additional reporting by Mark Hosenball and Jim Wolf; Editing by Warren Strobel and Peter Cooney)