exploitation are conducted for entirely different purposes. (This contrast is relevant to much of the public debate using the term “cyberattack,” which in common usage often lumps both attack and exploitation under the “attack” label.)

Second, weapons for cyberattack have a number of characteristics that differentiate them from traditional kinetic weapons. Compared to kinetic weapons, many weapons for cyberattack:

  • Are easy to use with high degrees of anonymity and with plausible deniability, making them well suited for covert operations and for instigating conflict between other parties;

  • Are more uncertain in the outcomes they produce, making it difficult to estimate deliberate and collateral damage; and

  • Involve a much larger range of options and possible outcomes, and may operate on time scales ranging from tenths of a second to years, and at spatial scales anywhere from “concentrated in a facility next door” to globally dispersed.

Third, cyberattack as a mode of conflict raises many operational issues. For example, given that any large nation experiences cyberattacks continuously, how will the United States know it is the subject of a cyberattack deliberately launched by an adversary government? There is also a further tension between a policy need for rapid response and the technical reality that attribution is a time-consuming task. Shortening the time for investigation may well increase the likelihood of errors being made in a response (e.g., responding against the wrong machine or launching a response that has large unintended effects).

Illustrative Applications of Cyberattack

Cyberattack can support military operations. For example, a cyberattack could disrupt adversary command, control, and communications; suppress air defenses; degrade smart munitions and platforms; or attack warfighting or warmaking infrastructure (the defense industrial base). Cyberattack might be used to augment or to enable some other kinetic attack to succeed, or to defend a friendly computer system or network by neutralizing the source of a cyberattack conducted against it.

Cyberattack can also support covert action, which is designed to influence governments, events, organizations, or persons in support of foreign policy in a manner that is not necessarily attributable to the U.S. government. The range of possible cyberattack options is very large, and so cyberattack-based covert action might be used, for example, to

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.