Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.
"Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario," Alexander said in a Senate document obtained by The Associated Press.
Alexander's answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers.
Federal Cyber Security Outlook for 2010
Securing the Smart Grid
The three-star Army general laid out his views on Cyber Command and the military's role in protecting computer networks in a 32-page Senate questionnaire. He answered the questions in preparation for a Senate Armed Services Committee hearing Thursday on his nomination to head Cyber Command.
U.S. computer networks are under constant attack, and President Barack Obama last year declared that the cyber threat is one of nation's most serious economic and national security challenges.
Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has "responded to threats, intrusions and even attacks against us in cyberspace," and has conducted exercises and war games.
It's unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations.
In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known.
But commanders have clear rights to self-defense, he said. He added that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles ... would be lawful."
Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.
The nation's ability to protect its networks and launch counterattacks, however, is shrouded in secrecy. Alexander gave the panel a separate classified attachment that provided more details on how and when the military would launch cyber attacks and under what legal and command authorities. Among the classified responses was his answer to whether the U.S. should first ask another government to deal with a cyber attack that came from within its borders.
He repeatedly stressed that any U.S. response to a cyber attack must be authorized by the president and must conform to international law and guiding military principles. Those guidelines require that the reaction be deemed militarily necessary and in proportion to the attack.
Noting that there is no international consensus on the definition of use of force, in or out of cyberspace, Alexander said uncertainty creates the potential for disagreements among nations.
Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a "strategic vulnerability."
Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions. He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is "realistic."
Alexander, 58, is a native of Syracuse, N.Y., and a graduate of the U.S. Military Academy.