Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

6 Decision Making and Oversight

This chapter describes decision making about and oversight of cyberattack as an instrument of U.S. national policy, focusing on issues usually associated with the Department of Defense and intelligence communities.

6.1 EXECUTIVE BRANCH

The discussion below—addressing declaratory policy, acquisition policy, and employment policy—draws from discussions of nuclear history and policy,1 not because cyberweapons and nuclear weapons are similar (they are not), but because such discussions have highlighted the importance of several issues discussed below. That is, the committee found that nuclear history and policy are useful points of departure—framing notions and metaphorical checklists—for understanding policy regarding cyberattack, but not that the conclusions that emerge from nuclear policy and history are directly applicable.

1 Robert S. Norris, "The Difficult Discipline of Nuclear History: A Perspective," a presentation at the Carnegie Conference on Non-Proliferation, November 7, 2005, available at http://www.carnegieendowment.org/static/npp/2005conference/presentations/Norris_Nuclear_History_Slides.pdf, and David M. Kunsman and Douglas B. Lawson, A Primer on U.S. Strategic Nuclear Policy, Sandia National Laboratories, Albuquerque, N.Mex., January 2001, available at http://www.nti.org/e_research/official_docs/labs/prim_us_nuc_pol.pdf.

6.1.1 Declaratory Policy

6.1.1.1 The Need for Declaratory Policy

Declaratory policy states, in very general terms, why a nation acquires certain kinds of weapons and how those weapons might be used. For example, the declaratory policy of the United States regarding nuclear weapons is stated in The National Military Strategy, last published in 2004:2

Nuclear capabilities [of the United States] continue to play an important role in deterrence by providing military options to deter a range of threats, including the use of WMD/E and large-scale conventional forces. Additionally, the extension of a credible nuclear deterrent to allies has been an important nonproliferation tool that has removed incentives for allies to develop and deploy nuclear forces.

2 Joint Chiefs of Staff, The National Military Strategy of the United States of America, 2004, available at http://www.strategicstudiesinstitute.army.mil/pdffiles/nms2004.pdf.

By contrast, the declaratory policy of Israel regarding nuclear weapons is that it will not be the first nation to introduce nuclear weapons in the Middle East. The declaratory policy of China regarding nuclear weapons is that it will not be the first to use nuclear weapons under any circumstances. The Soviet Union once had a similar "no first use of nuclear weapons" declaratory policy, but Russia has since explicitly revoked that policy. U.S. declaratory policy has also evolved since 1945—"massive retaliation," "flexible response," and "escalation dominance" are some of the terms that have characterized different versions of U.S. declaratory policy regarding nuclear weapons in that period.

Declaratory policy is not necessarily linked only to the use of nuclear weapons. In 1969, the United States renounced first use of lethal or incapacitating chemical agents and weapons and unconditionally renounced all methods of biological warfare.3 In 1997, the United States ratified the Chemical Weapons Convention, which prohibits the signatories from using lethal chemical weapons under any circumstances.

3 See http://www.state.gov/t/ac/trt/4718.htm.

Declaratory policy is directed toward adversaries as much as it is to the declaring nation itself. A declaratory policy is intended, in part, to signal to an adversary what the declaring nation's responses might be under various circumstances. On the other hand, a declaratory policy may also be couched deliberately in somewhat ambiguous terms, leaving somewhat vague and uncertain the circumstances under which the declaring nation would use nuclear weapons. Such vagueness and uncertainty have historically been regarded by the United States as a strength rather than a weakness of such policies, on the grounds that uncertainty about a U.S. response is an essential part of deterring other nations from taking hostile action against its interests. By contrast, a declaratory policy that is highly explicit may be perceived as limiting a nation's options in a crisis and telegraphing its intent to some extent, thus simplifying an adversary's planning process.

Yet another related issue is whether another nation should believe a nation's declaratory policy. For example, the Soviet Union formally adopted an explicit "no-first-use" policy regarding nuclear weapons in 1982, but many military analysts gave little credence to that statement.

On one hand, no immutable law mandates consistency between prior declaratory policy and subsequent action, and declaratory policy need not constrain actual practice. On the other hand, declaratory policy may influence a nation's armed forces' training and doctrine. If, for example, the declaratory policy states that a nation will not use weapon X, and its armed forces do not train to use weapon X, and its military doctrine does not contemplate the use of weapon X, that nation may well be ill-prepared to use weapon X in practice even if its leaders decide to act in violation of the stated declaratory policy.

6.1.1.2 Present Status

For the use of cyberweapons, the United States has no declaratory policy, although the DOD Information Operations Roadmap of 2003 stated that "the USG should have a declaratory policy on the use of cyberspace for offensive cyber operations." The 2006 National Military Strategy for Cyberspace Operations indicates that "as a war-fighting domain … cyberspace favors the offense … an opportunity to gain and maintain the initiative."4 This statement is the beginning of a declaratory policy, but it is incomplete. A declaratory policy would have to answer several questions.

4 See http://www.dod.mil/pubs/foi/ojcs/07-F-2105doc1.pdf.

For what purposes does the United States maintain a capability for cyberattack? Do cyberattack capabilities exist to fight wars and to engage in covert intelligence or military activity if necessary, or do they exist primarily to deter others from launching cyberattacks on the United States? If they exist to fight wars, are they to be used in a limited fashion?

On the basis of what is known publicly, it is possible to formulate what might be called an implied declaratory policy of the United States on cyberwarfare. (Of course, the notion of an implied declaratory policy is itself an oxymoron—a declaratory policy that is not explicitly stated is hardly declaratory. Rather, what follows below is an example of a declaratory policy that would be consistent with what is known publicly.)

The United States acquires cyberattack capabilities as part of its overall deterrent posture, which is based on full spectrum dominance—the ability to control any situation or defeat any adversary across the range of military operations. Cyberattack capabilities provide the U.S. military and intelligence communities with additional options for action and use, and are thus intended for use just as any other weapons could be used in support of U.S. military or intelligence objectives. Cyberattack capabilities are to be fully integrated into U.S. military operations when appropriate, and distinctions between cyberattack and kinetic force are not meaningful except in an operational context. Cyberattack capabilities may be particularly useful to the United States in many conflict scenarios short of all-out war.

In addition, two other questions are often included under the rubric of declaratory policy: How is cyberconflict to be stopped? To the extent that cyberattack is part of the U.S. deterrent posture, how can its use be established as a credible threat?

In the nuclear domain, concerns have always been raised about nuclear strikes against an adversary's strategic command and control system. The issue has been that such strikes could seriously impair war termination efforts by disconnecting the political leadership of a nation from the nuclear-armed forces under its control, leaving the question of how nuclear hostilities might be terminated. The use of large-scale cyberattacks against the communications infrastructure of an adversary might well lead to similar concerns. Such attacks could result in the effective disconnection of forces in the field from the adversary's national command authority, or sow doubt and uncertainty in an adversary's military forces about the reliability of instructions received over their communications infrastructure. Again, under such circumstances, termination of hostilities might prove problematic (and if the adversary were a nuclear-armed nation, sowing such doubt might seriously run counter to U.S. interests).

Regarding the credibility of nuclear use, the United States does much through its declaratory (and acquisition) policy to encourage the perception that there are circumstances under which the United States might use nuclear weapons, and it conducts large-scale military exercises involving nuclear forces in part to demonstrate to the world that it is capable of mustering nuclear forces that could be brought to bear in any given situation. The situation is entirely reversed with respect to cyberwarfare. U.S. policy regarding the use of cyberweapons is shrouded in secrecy, and the lack of public discussion regarding U.S. policy in this domain almost by definition does not contribute to deterrence.

Finally, the National Military Strategy of the United States of America of 2004 also states:5

The term WMD/E relates to a broad range of adversary capabilities that pose potentially devastating impacts. WMD/E includes chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other, more asymmetrical "weapons." They may rely more on disruptive impact than destructive kinetic effects. For example, cyber attacks on US commercial information systems or attacks against transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent.

5 Joint Chiefs of Staff, The National Military Strategy of the United States of America, 2004, available at http://www.strategicstudiesinstitute.army.mil/pdffiles/nms2004.pdf.

Coupled with the declaratory policy on nuclear weapons described earlier, this statement implies that the United States will regard certain kinds of cyberattacks against the United States as being in the same category as nuclear, biological, and chemical weapons, and thus that a nuclear response to certain kinds of cyberattack (namely, cyberattacks with devastating impacts) may be possible. It also sets the relevant scale—a cyberattack that has an impact larger than that associated with a relatively small release of a lethal agent is regarded with the same or greater seriousness.

6.1.1.3 Alternative Declaratory Policies

Simply as illustration (and not as endorsement), the following discussion incorporates and addresses hypothetical declaratory policies (or elements thereof) regarding cyberattack.

No large-scale cyberattacks. Although weapons for cyberattack are valid and legitimate military weapons to be deployed and used in support of U.S. interests, the United States will unilaterally refrain from conducting against nations cyberattacks that would have the potential for causing widespread societal devastation and chaos. Accordingly, the United States will refrain from conducting cyberattacks against a nation's electric power grids and financial systems if such attacks would have a significant potential for affecting national economies. Such a policy would seek to delegitimize the use of large-scale cyberattacks as an instrument of national policy by any nation, in much the same way that the unilateral U.S. renunciation of biological weapons contributed to stigmatizing use of such weapons by any nation. The benefit to the United States if such stigmatization occurred would be a lower likelihood that it would experience such an attack.

No first use of large-scale cyberattacks. Although weapons for cyberattack are valid and legitimate military weapons to be deployed and used in support of U.S. interests, the United States will not be the first nation in a conflict to conduct against nations cyberattacks that would have the potential of causing widespread societal devastation and chaos. Nevertheless, the United States reserves the right to conduct such attacks should it be subject to such attacks itself. Such a policy would seek to discourage the use of large-scale cyberattacks as an instrument of national policy by any nation. However, the U.S. stance on the use of large-scale cyberattacks would be based primarily on threatening in-kind retaliation rather than setting an example. As in the previous case, the benefit to the United States if such stigmatization occurred would be a lower likelihood that it would experience such an attack.

No first use of cyberattacks through the Internet and other public networks. The U.S. government will refrain from using the Internet and other public networks to conduct damaging or destructive acts, and will seek to prevent individuals and organizations within its authority from doing so, as long as other nations do the same. Such a policy would seek to discourage the use of cyberattacks through the Internet as an instrument of national policy by any nation, presumably based on a rationale that sees the Internet as a global public utility whose benefits to the world's nations outweigh any temporary military advantage that might be gained through Internet-based cyberattacks. Again, the U.S. stance on the use of such cyberattacks would be based primarily on threatening in-kind retaliation rather than example-setting. The benefit to the United States would be that it (and especially its civilian sector) would be more likely to continue to enjoy the benefits of Internet connectivity.
National responsibility for cyberattacks. Nations are responsible for cyberattacks that emanate from their soil, whether or not their national governments have initiated such actions. If they have not, national governments are responsible for taking actions that lead or help lead to the cessation of such actions. The United States reserves the right to take unilateral action if a nation fails to take action to respond to cyberattacks emanating from its soil. Such a policy would codify for cyberattack a legal principle that is foundational to international law regarding neutrality, self-defense, and the laws of armed conflict (discussed further in Chapter 7)—that nations are responsible for military conduct emanating from their territories and affecting other nations. The benefit of such a policy would be to make explicit what is already U.S. policy regarding kinetic attacks.

6.1.1.4 The Relationship Between Declaratory Policy and International Agreements

Declaratory policy might also be replaced or complemented by bilateral or multilateral agreements, much as nations have sometimes agreed to certain standards of behavior for their navies on the high seas when interacting with the navies of nations also party to those agreements. This point is addressed in more detail in Chapter 10.

6.1.2 Acquisition Policy

The acquisition of capabilities is, in principle, driven by statements of need—that is, how the U.S. military (for instance) may effectively take advantage of a given capability. Much has been written about the drivers of military acquisition, and a key driver that emerges from these writings is the anticipation that an adversary has or will acquire a particular military capability to which the nation must respond quickly by itself acquiring a similar or countering capability.6

6 See, for example, Stephen Rosen, Chapter 7, "What Is the Enemy Building?" in Winning the Next War: Innovation and the Modern Military, Cornell University Press, Ithaca, N.Y., 1991.

Acquisition policy addresses issues such as how much should be spent on weapons of various kinds, how many of what kind should be acquired on what timetable, and what the characteristics of these weapons should be. A statement of acquisition policy regarding nuclear weapons might say something like "the United States must deploy in the next 2 decades 500 land-based new ICBMs with 10 nuclear warheads apiece, each with a kill probability (Pk) of 90 percent against targets hardened to withstand overpressures of 2000 pounds per square inch." For a standoff munition, a statement of acquisition policy might say something like "the United States must acquire, at a rate of 1000 per year, a standoff 'fire-and-forget' munition carrying a 250-pound explosive warhead capable of being launched from a range of 30 kilometers with a Circular Error Probable of 1 meter against moving targets under all weather and battlefield conditions."

The acquisition process also requires that a weapon in acquisition be subject to an internal review prior to production to determine if use of the weapon would conflict with existing international obligations (e.g., arms control treaties or customary international standards of necessity, proportionality, and discrimination in the law of armed conflict). Not surprisingly, such review is undertaken using DOD interpretations of the law of armed conflict, which outside analysts sometimes criticize as being overly narrow. These reviews are generally not classified, but in general, they have not been made widely available.

Finally, the acquisition process requires that certain weapons undergo operational testing and evaluation before large-scale production. Operational testing and evaluation (OT/E) involves field testing under realistic combat conditions for the purpose of determining the effectiveness and suitability of a weapon for use in combat by typical military users. However, only weapons procured through a major defense acquisition program are subject to this OT/E requirement, and in particular weapons procured through a highly sensitive classified program (as designated by the secretary of defense) are exempt from this requirement.

In principle, this process also applies to the acquisition of cyberweapons, or more precisely, capabilities for cyberattack. (It would be rare that a "cyberweapon" takes the same form as a kinetic weapon, in the sense of a package that can be given to a military operator as a rifle or a fighter jet can be given. Rather, operators who launch cyberattacks are likely to have a variety of tools at their disposal for conducting an attack.) But acquiring capabilities (tools) for cyberattack differs in important ways from acquiring ordinary weapons, raising a number of issues for the acquisition process.

For example, the rapid pace of information technology change places great stress on acquisition processes for cyberattack capabilities (and for cyberdefense as well).

A second important point is that the acquisition cost of software-based cyberattack tools is almost entirely borne in research and development, since they can be duplicated at near-zero incremental cost. By contrast, procurement is a major portion of the acquisition cost for kinetic weapons. Thus, a testing and evaluation (T/E) regime timed to occur after R&D is unlikely to apply to cyberweapons. The absolute acquisition cost of cyberweapons is also likely to be significantly smaller than those of kinetic weapons, thus exempting cyberweapons from T/E regimes linked to acquisition cost.7

7 For example, a major defense acquisition program is defined by statute as one estimated to require an eventual total expenditure for research, development, testing, and evaluation of more than $300 million (in FY 1990 constant dollars) or an eventual total expenditure for procurement of more than $1.8 billion (in FY 1990 constant dollars). Programs for acquiring cyberattack capabilities and tools are likely to cost far less than these amounts.

A third point is that the acquisition process presumes that it is the only way to procure weapons. But cyberattack capabilities are so inexpensive to acquire that they could be acquired through operations and maintenance (O/M) funds (and may be legal as well). For example, under the rubric of upgrading the cybersecurity posture of an installation, a system administrator might well obtain tools designed to test its computer security (that is, to support a "red team" penetration test) and acquire these tools through O/M funds. But these very same tools could provide capabilities that could be used against adversary computers.

A second way to acquire cyberattack capability is to purchase services that provide them. For example, botnets (discussed elsewhere in this report) can be rented at relatively low cost—informed estimates vary, but are reported to be on the order of a few thousand dollars for a botnet consisting of tens of thousands of zombies for a few days. Renting a botnet may be a much more efficient method for acquiring the afforded capabilities than developing a botnet on one's own, and indeed the Estonian minister of defense has asserted that the cyberattack on Estonia was conducted by botnets that were rented for that purpose.8 Of course, the rental of botnets contributes to the furtherance of a criminal enterprise, as the botnet owner/operator has broken U.S. law in assembling the botnet (presuming the owner/operator is subject to U.S. jurisdiction). An important policy question is whether it is appropriate for the United States to work with known criminals to pursue foreign policy objectives.

8 William Jackson, "Cyberattacks in the Present Tense, Estonian Says," Government Computing News, November 28, 2007, available at http://www.gcn.com/online/vol1_no1/45476-1.html.

More generally, the United States could "outsource" certain kinds of cyberattack to criminal hackers, especially if it wanted to leave no trace of such work, and incentivize such work by allowing the hackers to keep some or all of the financial resources they might encounter. Such cooperation has some precedent in U.S. history—for example, the Central Intelligence Agency sought to recruit the Mafia in 1960 to kill Fidel Castro9—though such instances have hardly been uncontroversial.

9 Glenn Kessler, "Trying to Kill Fidel Castro," Washington Post, June 27, 2007, p. A06.

Related is the fact that the computers of third parties, such as innocent civilians in a nation of choice, might also be compromised in order to support a cyberattack. These computers can be configured as "weapons for cyberattack" at will by the real attacker at essentially zero cost, even though they increase his attack capabilities by orders of magnitude, and because such scenarios were never envisioned by the traditional acquisition process, it is only a matter of policy that might inhibit the United States from doing so.

Acquisition policy should also address the issue of the proper balance of resource allocation. The absolute budget sums involved in acquiring cyberattack capabilities are relatively small, as noted in Chapter 2. But serious defensive efforts are very expensive, not least for reasons of scale—the sheer volume of computer systems and networks that must be protected. Thus, acquisition policy necessarily affects the balance between conventional military assets and cyber military assets and procedures on the defensive side. Given the dependence of today's military forces on information technologies, some analysts have argued that present-day acquisition policies do not pay sufficient attention to cybersecurity and defensive operations.

The above discussion of acquisition policy relates primarily to the defense community. But the intelligence community must also acquire various capabilities to support its intelligence collection and covert action missions. Of particular significance for acquisition policy is that a tool to collect intelligence information from an adversary computer system or network can—at little additional cost—be modified to include certain attack capabilities, as described in Section 2.6. Indeed, the cost of doing so is likely to be so low that in the most usual cases, acquisition managers would probably equip a collection tool with such capabilities (or provide it with the ability to be modified on-the-fly in actual use to have such capabilities) as a matter of routine practice.

6.1.3 Employment Policy

Employment policy specifies how weapons can be used, what goals would be served by such use, and who may give the orders to use them. Such policy has a major influence on how forces train (e.g., by driving the development and use of appropriate training scenarios).

One key question of employment policy relates to the necessary command and control arrangements. For example, although U.S. doctrine once did not differentiate between nuclear and non-nuclear weapons,10 this is most surely not the case today. Nuclear weapons are universally regarded as worthy of special attention, policies, and procedures, and their use is tightly controlled and highly centralized—more so than any other weapon in the U.S. arsenal. Whether similar arrangements will be made for cyberweapons in the future remains to be seen, although the discussion in Chapter 3 suggests that the command and control arrangements of today are not as centralized.

10 In 1954, President Eisenhower was asked at a press conference (March 16, 1954) whether small atomic weapons would be used if war broke out in the Far East. He said, "Yes, of course they would be used. In any combat where these things can be used on strictly military targets and for strictly military purposes, I see no reason why they shouldn't be used just exactly as you would use a bullet or anything else." (See Eisenhower National Historic Site, National Park Service, at http://www.nps.gov/archive/eise/quotes2.htm.) Indeed, in 1953, the U.S. National Security Council noted that "in the event of hostilities, the United States will consider nuclear weapons to be as available for use as other munitions." (U.S. National Security Council (NSC), "Basic National Security Policy," NSC Memorandum 162/2, October 30, 1953, available at http://www.fas.org/irp/offdocs/nsc-hst/nsc-162-2.pdf.)

A second key question of employment policy is the targets of such weapons. Some targets are off-limits by virtue of the LOAC and other relevant international law. But the propriety of attacking other kinds of targets is often determined by doctrine and views of the adversary. For example, in the nuclear strategy of the Cold War, considerable debate arose about the propriety of targeting adversary nuclear forces. Advocates of prompt hard-target kill capabilities (that would use a ballistic missile against a hardened adversary missile silo) argued that the adversary (generally the leaders of the Soviet Union) placed great value on their instruments of national power, such as their nuclear forces, and that placing such instruments at risk would help to deter actions that worked against the interests of the United States. Opponents of such targeting argued that threatening to destroy such targets only increased the likelihood that the adversary would launch its missiles on warning of attack, thus making accidental launch more likely. Given that there are no cyber equivalents of hardened missile silos that constitute an adversary's retaliatory forces, no credible threat of annihilation, and no equivalent of launch on warning for cyber forces, nuclear strategy does not provide guidance for cyber targeting. What targets might or might not be appropriate for cyberattack, and under what circumstances would this be so?

From what can be determined from public statements, the DOD believes that cyberattack has military utility, and thus the use of cyberattack is subject to constraints imposed by the law of armed conflict. At the same time and apart from the need to comply with the LOAC, good reasons may exist for eschewing certain kinds of cyberattack against certain kinds of target for reasons other than those related to operational efficacy. For example, cyberwarfare provides tools that can be focused directly on messaging and influencing the leadership of an adversary
OCR for page 226
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities respond promptly to various strategic contingencies. A number of important questions arise in this context—the large amount of intelligence information likely to be needed for such options, the timeliness of information collected to support preplanned options, and indeed the actual value of prompt cyber response under various circumstances. A third important issue is ensuring that cyberattack activities are sufficiently visible to higher authorities, including the political leadership. It is an unfortunate reality that during times of crisis, military actions that would normally be regarded as routine or “small” can lead to misperceptions of strategic significance. For example, routine air reconnaissance undertaken during times of crisis can be interpreted as a prelude to attack. In a cyberattack context, analogs could include the routine gathering of intelligence that is needed to support a cyberattack (e.g., port scans of Zendian systems) or the self-defense neutralization of an active cyberattack threat from a Zendian patriotic hacker under standing rules of engagement. The possibility is very real that Zendian authorities might perceive such activities as aggressive actions associated with a planned and deliberate cyberattack by the United States. Keeping the political leadership informed of such activities is a problem even when considering traditional military operations. But because the resources and assets needed to conduct cyberattacks are small by comparison and the potential impact still large, it may be more difficult for higher authorities to stay informed about activities related to cyberattack. Finally, the United States has a long-standing policy not to use cyberattack or cyberexploitation to obtain economic advantage for private companies (as noted in Section 4.1.2). 
However, the economic domain is one in which the operational policies of adversaries are markedly different from those of the United States. That is, adversaries of the United States are widely believed to conduct cyber-espionage for economic advantage—stealing trade secrets and other information that might help them to gain competitive advantage in the world marketplace and/or over U.S. firms. As noted in Section 2.6.2, the intelligence services of at least one major nation-state were explicitly tasked with gathering intelligence for its potential economic benefits. This asymmetry between U.S. and foreign policies regarding cyberexploitation is notable.

The committee also observes that national policy makers frequently refer to a major and significant cyberthreat against the United States emanating from many actors, including major nation-states. The result in recent years has been an upsurge of concern about the disadvantaged position of the United States in the domain of cyberconflict, and is most recently reflected in the still largely classified Comprehensive National Cybersecurity Initiative resulting from the National Security Presidential Directive 54/Homeland Security Presidential Directive 23 of January 2008.11

On the other hand, the committee’s work has underscored many of the uncertainties that underlie any serious attempt by the United States to use cyberattack as an instrument of national policy. Moreover, military planners often engage in worst-case planning, which assumes that more things will go right for an adversary than for oneself. Thus, attack planners emphasize the uncertainties of an attack and assume that the defense will be maximally prepared and lucky. Defensive planners emphasize the uncertainties of defense and assume that the attacker will be maximally prepared and lucky. In short, the committee sees a marked asymmetry in the U.S. perception of cyberattack—“they” (the adversary) are using cyberattack means effectively against us (the United States), but it would be difficult (though not impossible) for us to use such means effectively against them.

The question thus arises, What might be responsible for this perception? One factor is the conflation of cyberattack and cyberexploitation in the public discourse (see Box 1.4 in Chapter 1). As noted by General Kevin Chilton, commander of the U.S. Strategic Command, many of the incidents that are billed as cyberattacks are, more accurately, just old-fashioned espionage—people looking for information who don’t necessarily represent military threats.12 Thus, if the public discourse uses the term “cyberattack” (what this discussion calls cyberattack-AUIPD, for “cyberattack as used in public discourse,” to distinguish usages) to include cyberexploitation, then the balance is between adversary cyberattacks-AUIPD (which would include what this report terms “cyberattack” [note absence of a tag] and which are largely espionage conducted for economic benefit) and U.S.
“cyberattacks-AUIPD” (which by policy do not involve either cyberattack or cyberexploitation conducted for economic benefit), and in such a balance, adversary cyberattacks-AUIPD will obviously seem to be much more effective than those of the United States. A third important factor contributing to this perception is the fact that, as noted in earlier chapters, the United States provides only limited assistance to the private sector when it comes under cyberattack and restricts the ability of the private sector to engage in self-help activities (as discussed in Section 5.2), and it refrains from sharing intelligence information that would benefit individual private sector companies (as discussed in Section 4.1). Some other nations do not practice such restraint. The committee speculates that this asymmetry in policy may account for at least some of the perception of asymmetric advantage derived by others.

If these observations are accurate, what—if anything—can be done about it? Regarding the conflation of cyberattack and cyberexploitation in public discourse, there is no remedy except to insist that a user of the term “cyberattack” make clear what is included under the rubric of the term he or she is using. If the many foreign cyberexploitation efforts were not described as “cyberattack,” the level of tension over cyberattack would be reduced to a considerable degree.

The case for the current U.S. policy regarding eschewing the use of U.S. intelligence agencies for the benefit of private firms is largely based on the desire of the United States to uphold a robust legal regime for the protection of intellectual property and for a level playing field to enable competitors from different countries to make their best business cases on their merits. If this policy position is to be revised, it seems that two of the most prominent possibilities are that (1) intelligence gathering for economic purposes ceases for all nations, or (2) the United States uses its intelligence-gathering capabilities (including cyberexploitation) for economic purposes.

11 Public reports indicate that this initiative has 12 components intended to reduce to 100 or fewer the number of connections from federal agencies to external computer networks, and to make other improvements in intrusion detection, intrusion prevention, research and development, situational awareness, cyber counterintelligence, classified network security, cyber education and training, implementation of information security technologies, deterrence strategies, global supply chain security, and public/private collaboration. The cost of this initiative has been estimated at $40 billion. See, for example, Jill R. Aitoro, “National Cyber Security Initiative Will Have a Dozen Parts,” Nextgov, August 1, 2008, available at http://www.nextgov.com/nextgov/ng_20080801_9053.php.
12 Wyatt Kash, “Cyber Chief Argues for New Approaches,” Government Computer News, August 22, 2008, available at http://gcn.com/articles/2008/08/22/cyber-chief-argues-for-new-approaches.aspx.
Under traditional international law, espionage—for whatever purpose—is not banned, and thus the first possibility suggests a need to revise the current international legal regime with respect to the propriety of state-sponsored economic espionage. The second possibility raises the prospect that current restraints on U.S. policy regarding intelligence collection for the benefit of private firms might be relaxed.

Both of these possibilities would be controversial, and the committee takes no stand on them, except to note some of the problems associated with each of them. The first—a change in the international legal regime to prohibit espionage—would require a consensus among the major nations of the world, and such a consensus is not likely. The second—a unilateral change in U.S. policy—does not require an international consensus, but has many other difficulties. For example, the U.S. government would have to decide which private firms should benefit from the government’s activities, and even what entities should count as a “U.S. firm.” State and local governments in the United States might well find that the prospect of U.S. intelligence agencies being used to help private firms would not sit well with foreign companies that they were trying to persuade to relocate
to the United States. And it might well undercut the basis on which the United States could object to other nations conducting such activities for the benefit of their own domestic industries and lead to a “Wild West” environment in which anything goes.

After all is said and done, it may turn out that the most desirable (least undesirable) option for the United States is to learn to live with the current asymmetry. But if that is indeed the case, it should reflect a deliberate and considered assessment of the pros and cons of various options that in the committee’s view has not yet been engaged.

6.1.4 Operational Oversight

Operations translate employment policy into reality. In practice, the U.S. armed forces operate on a worldwide basis and have many ongoing operations at any given time. For example, they constantly gather intelligence and reconnaissance information. Some of those operations are sensitive, in that they might be seen as provocative or otherwise inappropriate. Thus, the U.S. government has established a variety of mechanisms intended to ensure that such operations are properly overseen. For example, the U.S. government sometimes specifies criteria in advance that define certain sensitive military missions, and then requires that all such missions be brought to the attention of senior decision makers (e.g., the National Security Council staff). In rare cases, a mission must be approved individually; more typically, generic authority is granted for a set of missions that might be carried out over a period of many months (for example). The findings and notification process for covert action is another mechanism for keeping the executive and legislative branches properly informed.

From time to time these mechanisms are unsuccessful in informing senior decision makers, and it is often because the individual ordering the execution of that mission did not believe that such an order required consultation with higher authority. In a cyberattack context, oversight issues arise at two stages—at the actual launch of a cyberattack and in activities designed for intelligence preparation of the battlefield to support a cyberattack.

6.1.4.1 Launching a Cyberattack

Another important operational issue involves delegation of authority to launch a cyberattack as part of an active defense of U.S. computer systems and networks. As noted in Chapter 3, the U.S. Strategic Command has authority to conduct such attacks for active defense under a limited set of circumstances. But it is not known how far down the chain of command such authority has been delegated.
The most extreme form of delegation would call for an entirely automated active defense—and indeed the U.S. Air Force has issued a call for proposals to develop a “cyber control system” that “will enable active defense operations [involving] automated responses (based on predefined Rules of Engagement) …, in response to network intrusions/attacks.”13 Automated responses are regarded as being militarily necessary when there is insufficient time for humans to make decisions about the nature of a response, and any given situation may present insufficient time because of the fleeting nature of the opportunity to strike back or because of the harm that rapidly accrues if the attack is not stopped (though consideration of other factors such as appropriate rules of engagement may prevent such weapons from being deployed in any given situation). Both of these factors could characterize certain kinds of cyberattacks on certain targets in the United States.

On the other hand, the risks of error or inadvertent escalation are generally regarded as greatest when humans are not in the decision-making loop. Despite periodic calls for the nuclear command and control system to be automated so as to ensure that retaliation would take place in the event of a Soviet nuclear attack, the United States has always relied on humans (the President and the National Command Authority) to make the ultimate decision to release U.S. strategic forces. (Even so, many have criticized these arrangements as pro forma, arguing that in practice they are not much better than an automated launch decision, because they give the NCA too little time to evaluate the information available about the alleged incoming attack.)
An assessment of the wisdom of an automated response to a cyberattack depends on several factors, including the likelihood that adequate and correct information will be available in a short period of time to develop an access path back to the attacker, the likely consequences of a cyberattack response, and the possible consequences of a misdirected or inappropriately launched counterattack. In the case of nuclear command and control, these factors—primarily the last—indicate that an automated response would be foolish and foolhardy.

6.1.4.2 Conducting Intelligence Preparation of the Battlefield to Support a Cyberattack

In principle, conducting intelligence preparation of the battlefield (IPB) to support a cyberattack is not different from conducting other non-destructive cyberexploitation missions. For example, U.S. electronic reconnaissance airplanes often fly missions near the border of another nation in order to “light up” that nation’s air defense radars. By monitoring those radar emissions, they collect information on the waveforms and positions of a potential adversary’s radar systems; such information could be useful in the event that an air strike might be launched against that nation. On the other hand, that nation might well regard those reconnaissance flights as provocative. The airplane it is monitoring just outside its airspace could be armed, and the plane’s presence there could indicate hostile intent. The essential problem is that the boundaries of its national airspace provide almost no time for its air defense forces to react should the airplane turn out to have immediate hostile intent. Even if it is known to be unarmed, it is most likely to be a reconnaissance airplane collecting information that could be useful in the event that an air strike was launched against that nation. If these reconnaissance flights were taking place during a period of peacetime tension with the United States, it is easy to see how they might further exacerbate those tensions. Missions of this kind fall squarely into the category of those that must be reported to senior policy makers.

The IPB mission for a destructive cyberattack falls into the same category. In order to gather the necessary intelligence, an adversary’s network must be mapped to establish topology (which nodes are connected to which other nodes). Ports are “pinged” to determine what services are (perhaps inadvertently) left open to an outside intruder, physical access points are located and mapped, operating system and application vulnerabilities are identified, sympathizers with important access privileges are cultivated, and so on.

13 United Press International, “Air Force Seeks Automated Cyber-response,” Jan. 2, 2008, at 4:55 p.m.
However, there are at least three important differences between IPB for cyberattack and other kinds of intelligence collection. First, a U.S. government effort to conduct IPB for many kinds of cyberattack will be taking place against a background of other activities (e.g., probes and pings) that are not being conducted by the U.S. government. Second, network connectivity may be such that “limited” intelligence probes and other investigations of a potential adversary’s networks will inadvertently reach very sensitive areas. Third, the dividing line between a tool intended to collect information on an adversary’s systems and a weapon intended to destroy parts of those systems may be very unclear indeed. The first factor above may reduce the sensitivity of the nation being probed—and indeed, the U.S. IPB effort is likely to be undertaken in a way that does not reveal its origin. But the latter two factors may increase sensitivity, and possibly lead to entirely unanticipated reactions on the part of the adversary.
6.2 LEGISLATIVE BRANCH

The legislative branch has two basic roles regarding government operations—budget and oversight. In addition, the Constitution gives the legislative branch the sole authority to declare war.

6.2.1 Warmaking Powers

Article I, Section 8 of the U.S. Constitution authorizes the Congress to “declare war” and gives Congress numerous powers over the military, including the powers to “raise and support armies,” to “provide and maintain a navy,” and to “make rules for the government and regulation of the land and naval forces.” Article II, Section 2 gives the President the “executive power” and provides that he “shall be commander in chief of the Army and Navy of the United States.” At the time the Constitution was written, the primary purpose of national armed forces was to fight wars, and these provisions were intended to give Congress primary responsibility for the decision to initiate war, and to give the President the primary responsibility for the conduct of war.14 Over time, as the international powers and responsibilities of the United States have grown, and as the standing U.S. armed forces have grown, the President has asserted more and more authority to initiate armed conflicts in the absence of authorization from Congress. Moreover, it has been argued that the notion of declaring war as a prelude to armed combat is simply irrelevant in the modern world. Self-defense is the least controversial basis for the President to direct the armed forces to engage in combat.
Madison said at the Convention that the “declare war” clause left to the President the power to “repel sudden attacks” without congressional authorization.15 The Supreme Court upheld Lincoln’s authority to act against the Confederacy in the absence of congressional authorization.16 President Clinton invoked self-defense in justifying the 1993 cruise missile strikes on Iraq in response to the attempted assassination of President George H.W. Bush.17 For some of the instances not involving self-defense in which U.S. armed forces have been deployed and used, presidents have sought and received explicit congressional authorization, although they have always claimed that their authority as commanders-in-chief was sufficient to take such actions and that in essence seeking congressional authorization was a courtesy extended to the legislative body.

But matters are more complicated and controversial when the President acts without invoking self-defense and also without congressional authorization. The President has acted in such a manner in many circumstances in U.S. history, most notably in Korea and Kosovo, but also in dozens of other smaller-scale conflicts. Presidents have asserted this authority, Congress often complains and opposes it, and the Supreme Court has not squarely addressed it. To address such cases, Congress passed the War Powers Resolution (WPR) in 1973 (PL 93-148). Passed over then-President Nixon’s veto, the WPR requires the President to report to Congress within 48 hours “in any case in which United States Armed Forces are introduced (1) into hostilities or into situations where imminent involvement in hostilities is clearly indicated by the circumstances; (2) into the territory, airspace or waters of a foreign nation, while equipped for combat, except for deployments which relate solely to supply, replacement, repair, or training of such forces; or (3) in numbers which substantially enlarge United States Armed Forces equipped for combat [who are] already located in a foreign nation,” and requires the President to “terminate any such use of armed forces” within 60 days (subject to a one-time 30-day extension).

The tensions between the executive and legislative branches of government over war-making authority are palpable. Many analysts believe that the intent of the Founding Fathers was to grant the Congress a substantial decision-making role in the use of U.S. armed forces, and if modern conflict has rendered obsolete the notion of a “declaration of war,” mechanisms must still be found to ensure that Congress continues to play a meaningful role in this regard. Others acknowledge the obsolete nature of declarations of war, but conclude that executive branch authority can and should fill the resulting lacunae.

This report does not seek to resolve this controversy, but observes that notions of cyberconflict and cyberattack will inevitably cause more confusion and result in less clarity. Consider, for example, the meaning of the term “hostilities” in the War Powers Resolution. At the time the resolution was crafted, cyberattack was not a concept that had entered the vocabulary of most military analysts. In the context of the resolution, hostilities refer to U.S. land, air, and naval units engaging in combat. The resolution also refers to the foreign deployments of combat-equipped U.S. forces. To the extent that the War Powers Resolution was intended to be a reassertion of congressional authority in warmaking, it is very poorly suited to U.S. forces that engage in cyber combat or launch cyberattacks.

14 See, e.g., Abraham D. Sofaer, War, Foreign Affairs and Constitutional Power: The Origins, Ballinger Publishing, Cambridge, Mass., 1976.
15 The Records of the Federal Convention of 1787, at 318 (1911), Max Farrand, ed., rev. edition, 1966.
16 See Prize Cases, 67 U.S. 635 (1863) (“If a war be made by invasion of a foreign nation, the President is not only authorized but bound to resist force by force”).
17 See “Letter to Congressional Leaders on the Strike on Iraqi Intelligence Headquarters,” Pub. Papers of William J. Clinton 940, 1993.
What conditions would define “hostilities” when military cyberattacks can be launched against adversary computers or networks? What counts as “deployments” of forces capable of cyberattack into foreign territory? It is thus an open question whether a cyberattack launched by the United States would constitute the introduction of armed forces in another country within the meaning of the resolution. When it comes to sorting out normative and practical issues concerning congressional and presidential prerogatives, cyberwarfare poses issues even more difficult for interpreting the War Powers Resolution than the already-difficult issues associated with traditional kinetic conflict.

6.2.2 Budget

In the preceding section, the relative invisibility of cyberattack activities is mentioned as a problem for higher authority. Cyberattack capabilities are also not particularly visible to the legislative branch. In part, the veil of secrecy around cyberattack makes it more invisible than if the subject were not classified. But just as important is the fact that the funding for the development and deployment of cyberattack capabilities is both minuscule and deliberately obscured in unclassified budget justifications.
For example, in the FY 2008 DOD budget request, one request for the “demonstration of offensive cyber operations technologies allowing attack and exploitation of adversary information systems” by the Air Force is contained in a program element component of $8.012 million; the program element is entitled “Advanced Technology Development,” and the component “Battlespace Information Exchange.”18 A second request for developing cyber operations technologies is contained in a program element of $11.85 million for FY 2008; this program element is entitled “Applied Research on Command, Control, and Communications.”19 A reasonable observation is that development and demonstration of cyberattack capabilities are distributed over multiple program elements, each of which is relatively small in financial terms. Budget oversight is thus difficult to execute, even though it is intimately related to acquisition policy. In addition, the ability to increase certain attack capabilities “for free” (e.g., through the use of botnets and automated production functions) negates to a considerable extent the ability of the legislative branch to use budget totals for restraining or limiting U.S. military capabilities.

A low budget profile supports low visibility. Proponents of a given capability would prefer low visibility for programs supporting that capability, especially if the capability were controversial in nature. (Low visibility can also be achieved in other ways, such as by designating a program as “special access.”)

6.2.3 Oversight (and Notification)

In addition to budgetary oversight, the legislative branch also provides operational oversight of government programs. For example, the executive branch is required by law (50 U.S.C. 413(a)(1)) to keep the congressional intelligence committees “fully and currently informed” of all U.S. intelligence activities, including any “significant anticipated intelligence activity.”20 Both intelligence gathering and covert action are included under this rubric, and thus cyberexploitation and covert action cyberattacks would have to be reported to these committees. These reporting requirements are subject to a number of exceptions pertaining to sensitivity and possible compromise of intelligence sources and methods, or to the execution of an operation under extraordinary circumstances. Certain DOD operations have also been subject to a notification requirement.

18 See http://www.dtic.mil/descriptivesum/Y2008/AirForce/0603789F.pdf.
19 In FY 2008, one component of this program element (“communications technology”) called for activities to “initiate development of access techniques allowing ‘cyber paths’ to protected adversary information systems through a multiplicity of attack vectors; initiate development of stealth and persistence technologies enabling continued operation within the adversary information network; initiate programs to provide the capability to exfiltrate any and all types of information from compromised information systems enabling cyber intelligence gathering to achieve cyber awareness and understanding; initiate technology programs to deliver D5 (deny, degrade, destroy, disrupt, and deceive) effects to the adversary information systems enabling integrated and synchronized cyber and traditional kinetic operations.” See http://www.dtic.mil/descriptivesum/Y2008/AirForce/0602702F.pdf.
Section 1208 of the FY 2005 Defense Authorization Act gave the secretary of defense the authority to expend up to $25 million in any fiscal year to “provide support to foreign forces, irregular forces, groups, or individuals engaged in supporting or facilitating ongoing military operations by United States special operations forces to combat terrorism.” In the event that these funds were used, the secretary of defense was required to notify the congressional defense committees expeditiously and in writing, and in any event in not less than 48 hours, of the use of such authority with respect to that operation. Yet another precedent for notification in support of oversight is the requirement for the attorney general to report annually to Congress and the Administrative Office of the United States Courts indicating the total number of applications made for orders and extensions of orders approving electronic surveillance under the Foreign Intelligence Surveillance Act, and the total number of such orders and extensions either granted, modified, or denied.

To the best of the committee’s knowledge, no information on the scope, nature, or frequency of cyberattacks conducted by the United States has been made regularly or systematically available to the U.S. Congress on either a classified or an unclassified basis.

20 A discussion of this requirement can be found in Alfred Cumming, Statutory Procedures Under Which Congress Is to Be Informed of U.S. Intelligence Activities, Including Covert Actions, Congressional Research Service memo, January 18, 2006, available at http://www.fas.org/sgp/crs/intel/m011806.pdf.