Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 1
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Synopsis This synopsis is intended to provide the reader with a sense of what the report contains. However, it is necessarily incomplete, and it omits any mention of many significant topics contained in the main body of the report. UNDERSTANDING CYBERATTACK What Is Cyberattack? Cyberattack refers to deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks. The U.S. armed forces are actively preparing to engage in cyberattacks, perhaps in concert with other information warfare means and/or with kinetic attacks, and may have done so in the past. Domestic law enforcement agencies also engage in cyberattack when they jam cell phone networks in order to prevent the detonation of improvised explosive devices. Such matters pose some very important issues that relate to technology, policy, law, and ethics. This report provides an intellectual framework for thinking about cyberattack and understanding these issues. A first point is that cyberattack must be clearly distinguished from cyberexploitation, which is an intelligence-gathering activity rather than a destructive activity. Although much of the technology underlying cyberexploitation is similar to that of cyberattack, cyberattack and cyber-
OCR for page 2
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities exploitation are conducted for entirely different purposes. (This contrast is relevant to much of the public debate using the term “cyberattack,” which in common usage often lumps both attack and exploitation under the “attack” label.) Second, weapons for cyberattack have a number of characteristics that differentiate them from traditional kinetic weapons. Compared to kinetic weapons, many weapons for cyberattack: Are easy to use with high degrees of anonymity and with plausible deniability, making them well suited for covert operations and for instigating conflict between other parties; Are more uncertain in the outcomes they produce, making it difficult to estimate deliberate and collateral damage; and Involve a much larger range of options and possible outcomes, and may operate on time scales ranging from tenths of a second to years, and at spatial scales anywhere from “concentrated in a facility next door” to globally dispersed. Third, cyberattack as a mode of conflict raises many operational issues. For example, given that any large nation experiences cyberattacks continuously, how will the United States know it is the subject of a cyberattack deliberately launched by an adversary government? There is also a further tension between a policy need for rapid response and the technical reality that attribution is a time-consuming task. Shortening the time for investigation may well increase the likelihood of errors being made in a response (e.g., responding against the wrong machine or launching a response that has large unintended effects). Illustrative Applications of Cyberattack Cyberattack can support military operations. For example, a cyberattack could disrupt adversary command, control, and communications; suppress air defenses; degrade smart munitions and platforms; or attack warfighting or warmaking infrastructure (the defense industrial base). Cyberattack might be used to augment or to enable some other kinetic attack to succeed, or to defend a friendly computer system or network by neutralizing the source of a cyberattack conducted against it. Cyberattack can also support covert action, which is designed to influence governments, events, organizations, or persons in support of foreign policy in a manner that is not necessarily attributable to the U.S. government. The range of possible cyberattack options is very large, and so cyberattack-based covert action might be used, for example, to
OCR for page 3
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities influence an election, instigate conflict between political factions, harass disfavored leaders or entities, or divert money. Illustrative Applications of Cyberexploitation For intelligence gathering, cyberexploitation of an adversary’s computer systems might yield valuable information. For example, U.S. intelligence agencies might learn useful information about an adversary’s intentions and capabilities from a penetration of its classified government networks. Alternatively, they might obtain useful economic information from penetrating the computer systems of a competing nation’s major industrial firms. The Legal Framework Governing Cyberattack In the committee’s view, the essential framework for the legal analysis of cyberattack is based on the principle that notions related to “use of force” and “armed attack” (terms of special relevance to the Charter of the United Nations) should be judged primarily by the effects of an action rather than its modality. That is, the fact that an attack is carried out through the use of cyberweapons rather than kinetic weapons is far less significant than the effects that result from such use, where “effects” are understood to include both direct and indirect effects. Furthermore, the committee believes that the principles of the law of armed conflict (LOAC) and the Charter of the United Nations—including both law governing the legality of going to war (jus ad bellum) and law governing behavior during war (jus in bello)—do apply to cyberattack, although new analytical work may be needed to understand how these principles do or should apply to cyberweapons. That is, some types of cyberattack are difficult to analyze within the traditional LOAC structure. Among the more problematic cases are the following: The presumption of nation-to-nation conflict between national military forces, The exception for espionage, and The emphasis on notions of territorial integrity. The Dynamics of Cyberconflict The escalatory dynamics of armed conflict are thought to be understood as the result of many years of thinking about the subject, but the dynamics of cyberconflict are poorly understood. This report speculates on some of the factors that might influence the evolution of a cyberconflict.
OCR for page 4
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities For major nation-states with significant capabilities for kinetic attack and cyberattack at their disposal, among the important issues regarding the dynamics of cyberconflict are the following: Crisis stability (preventing a serious cyberconflict from breaking out), Preventing a cyberconflict from escalating to physical space, and Knowing when a cyberconflict has been terminated. Matters can be further complicated by the presence of non-state actors, such as cyberterrorists, patriotic hackers, and criminal groups. Perhaps the most important complication relates to identification of the appropriate party against which action might be taken and the related availability of cyber and/or kinetic targets whose destruction might cause pain or meaningful damage to the terrorist or criminal group. FINDINGS Cyberattack is an important capability for the United States to maintain, but at the same time the acquisition and use of such capabilities raise many questions and issues, as described below. Overarching Findings The policy and organizational issues raised by U.S. acquisition and use of cyberattack are significant across a broad range of conflict scenarios, from small skirmishes with minor actors on the international stage to all-out conflicts with adversaries capable of employing weapons of mass destruction. The availability of cyberattack technologies for national purposes greatly expands the range of options available to U.S. policy makers as well as to policy makers of other nations. Today’s policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain. Secrecy has impeded widespread understanding and debate about the nature and implications of U.S. cyberattack. The consequences of a cyberattack may be both direct and indirect, and in some cases of interest, the indirect consequences of a cyberattack can far outweigh the direct consequences.
OCR for page 5
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Legal and Ethical Findings The conceptual framework that underpins the UN Charter on the use of force and armed attack and today’s law of armed conflict provides a reasonable starting point for an international legal regime to govern cyberattack. However, those legal constructs fail to account for non-state actors and for the technical characteristics of some cyberattacks. In today’s security environment, private parties have few useful alternatives for responding to a severe cyberattack that arrives over a network such as the Internet. Cyberattack poses challenges to existing ethical and human rights regimes. Policy Findings Enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States. The United States has much to lose from unrestrained cyberattack capabilities that are proliferated worldwide. Deterrence of cyberattacks by the threat of in-kind response has limited applicability. Options for responding to cyberattacks on the United States span a broad range and include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks. Technical and Operational Findings For many kinds of information technology infrastructure targets, the ease of cyberattack is increasing rather than decreasing. Although the actual cyberattack capabilities of the United States are highly classified, they are at least as powerful as those demonstrated by the most sophisticated cyberattacks perpetrated by cybercriminals and are likely more powerful. As is true for air, sea, land, and space operations, the defensive or offensive intent motivating cyber operations in any given instance may be difficult to infer. Certain cyberattacks undertaken by the United States are likely to have significant operational implications for the U.S. private sector. If and when the United States decides to launch a cyberattack, significant coordination among allied nations and a wide range of public and private entities may be necessary, depending on the scope and nature of the cyberattack in question.
OCR for page 6
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities The outcomes of many kinds of cyberattack are likely to be more uncertain than outcomes for other kinds of attack. Early use of cyberattack may be easy to contemplate in a pre-conflict situation, and so a greater degree of operational oversight for cyberattack may be needed compared to that for the use of other options. Developing appropriate rules of engagement for the use of cyberweapons is very difficult. Organizational Findings Both the decision-making apparatus for cyberattack and the oversight mechanisms for that apparatus are inadequate today. The U.S. Congress has a substantial role to play in authorizing the use of military force, but the contours of that authority and the circumstances under which authorization is necessary are at least as uncertain for cyberattack as for the use of other weapons. RECOMMENDATIONS Fostering a National Debate on Cyberattack The United States should establish a public national policy regarding cyberattack for all sectors of government, including but not necessarily limited to the Departments of Defense, State, Homeland Security, Treasury, and Commerce; the intelligence community; and law enforcement. The senior leadership of these organizations should be involved in formulating this national policy. The U.S. government should conduct a broad, unclassified national debate and discussion about cyberattack policy, ensuring that all parties—particularly Congress, the professional military, and the intelligence agencies—are involved in discussions and are familiar with the issues. The U.S. government should work to find common ground with other nations regarding cyberattack. Such common ground should include better mutual understanding regarding various national views of cyberattack, as well as measures to promote transparency and confidence building.
OCR for page 7
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Organizing the Decision-Making Apparatus of the U.S. Government for Cyberattack The U.S. government should have a clear, transparent, and inclusive decision-making structure in place to decide how, when, and why a cyberattack will be conducted. The U.S. government should provide a periodic accounting of cyberattacks undertaken by the U.S. armed forces, federal law enforcement agencies, intelligence agencies, and any other agencies with authorities to conduct such attacks in sufficient detail to provide decision makers with a more comprehensive understanding of these activities. Such a periodic accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees. Supporting Cyberattack Capabilities and Policy U.S. policy makers should judge the policy, legal, and ethical significance of launching a cyberattack largely on the basis of both its likely direct effects and its indirect effects. U.S. policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict. The United States should maintain and acquire effective cyberattack capabilities. Advances in capabilities should be continually factored into policy development, and a comprehensive budget accounting for research, development, testing, and evaluation relevant to cyberattack should be available to appropriate decision makers in the executive and legislative branches. The U.S. government should ensure that there are sufficient levels of personnel trained in all dimensions of cyberattack, and that the senior leaders of government have more than a nodding acquaintance with such issues. The U.S. government should consider the establishment of a government-based institutional structure through which selected private sector entities can seek immediate relief if they are the victims of cyberattack. Developing New Knowledge and Insight into a New Domain of Conflict The U.S. government should conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyberconflict.
OCR for page 8
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Foundations and government research funders should support academic and think-tank inquiry into cyberconflict, just as they have supported similar work on issues related to nuclear, biological, and chemical weapons.