NRC Studies Cyberattacks

The National Research Council of the National Academies has just about finalized a lengthy report on cyberattacks–Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.  William A. Owens, Kenneth W. Dam, and Herbert S. Lin edited the study on behalf of a 14 member committee and a 5 member staff.  It should be available in hard copy in a few weeks, but for those who can’t wait, you can download a copy here or read it on line for free (I’m reliably informed that this version is essentially final, subject to a few more editorial corrections).  The 350-page report’s basic thrust is that we need to pay as much attention to questions about offensive uses of information technology as we have to defensive questions of cybersecurity: 

The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyberattack on the societal infrastructure of the United States, little has been written about the use of cyberattack as an instrument of U.S. policy. Cyberattacks–actions intended to damage [sic.] or adversary computer systems or networks–can be used for a variety of military purposes. But they also have application to certain missions of the intelligence community, such as covert action. They may be useful for certain domestic law enforcement purposes, and some analysts believe that they might be useful for certain private sector entities who are themselves under cyberattack. This report considers all of these applications from an integrated perspective that ties together technology, policy, legal, and ethical issues . . . It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights.

The Report details and supports an extensive list of Findings and Recommendations.  Among the most interesting of the 21 Findings are:

2. The availability of cyberattack technologies for national purposes greatly expands the range of options available to U.S. policy makers as well as to policy makers of other nations.
3. Today’s policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain.
6. The conceptual framework that underpins the UN Charter on the use of force and armed attack and today’s law of armed conflict provides a reasonable starting point for an international legal regime to govern cyberattack. However, those legal constructs fail to account for non-state actors and for the technical characteristics of some cyberattacks.
11. Deterrence of cyberattacks by the threat of in-kind response has limited applicability.
12. Options for responding to cyberattacks on the United States span a broad range and include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks.
17. If and when the United States decides to launch a cyberattack, significant coordination among allied nations and a wide range of public and private entities may be necessary, depending on the scope and nature of the cyberattack in question.
21. Both the decision-making apparatus for cyberattack and the oversight mechanisms for that apparatus are inadequate today.

The NRC Report also lists 12 Recommendations, including:

2. The U.S. government should conduct a broad, unclassified national debate and discussion about cyberattack policy, ensuring that all parties—particularly Congress, the professional military, and the intelligence agencies—are involved in discussions and are familiar with the issues.
3. The U.S. government should work to find common ground with other nations regarding cyberattack. Such common ground should include better mutual understanding regarding various national views of cyberattack, as well as measures to promote transparency and confidence building.
4. The U.S. government should have a clear, transparent, and inclusive decisionmaking structure in place to decide how, when, and why a cyberattack will be conducted.
5. The U.S. government should provide a periodic accounting of cyberattacks undertaken by the U.S. armed forces, federal law enforcement agencies, intelligence agencies, and any other agencies with authorities to conduct such attacks in sufficient detail to provide decision makers with a more comprehensive understanding of these activities. Such a periodic accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees.
7. U.S. policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict.
12. Foundations and government research funders should support academic and thinktank inquiry into cyberconflict, just as they have supported similar work on issues related to nuclear, biological, and chemical weapons.

I really like the idea of a more public discussion of the issues associated with using information technologies offensively.  It’s also useful (to me at least) to see that I’m not the only one who thinks that even as international law regulates conflicts in cyberspace, its current form is not terribly well suited for that task.  Personally though, I liked the last recommendation the best.  Someone just needs to tell me where I can sign up for some funding.  I’m planning on doing more thinking and writing about cyberwar in the future, and, frankly, I hope I’m one of many doing so because these issues need all the attention they can get.