The following HTML text is provided to enhance online
readability. Many aspects of typography translate only awkwardly to HTML.
Please use the page image
as the authoritative form to ensure accuracy.
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
the first studies to address the strategic implications of cyberattack was published by the RAND Corporation in 1996 (Strategic Information Warfare:A New Face of War).6 A later study covering the same topic in much more detail was published as Strategic Warfare in Cyberspace.7 A flurry of writing began to appear in the professional military literature in the late 1990s and early 2000s, but little or nothing can be found in this body of literature since around 2002 or 2003.
THIS STUDY—FOCUS, APPROACH, AND PURPOSE
Most of the writing to date has not brought together information technology experts who are knowledgeable in detail about what can and cannot be done from a technical standpoint with senior individuals who have policy experience, nor has it addressed the topic in an interdisciplinary manner that integrates expertise from the disciplines and fields that are relevant to the subject. The National Research Council undertook the present study (Box P.1) believing in the value of an integrated treatment that would help shed much-needed light on various important dimensions of cyberattack (and secondarily on the topic of cyberexploitation, a term that refers to the penetration of adversary computers and networks to obtain information for intelligence purposes). Such a treatment would provide a point of departure for others so that a broad variety of independent intellectual perspectives can be brought to bear on it.
The Committee on Offensive Information Warfare first met in July 2006 and five times subsequently. Its earlier meetings were devoted primarily to briefings on a variety of topics related to cyberattack, and later meetings were devoted primarily to committee deliberations.
The authoring committee did not receive classified information in the course of this study. What is sensitive about cyberattack is generally the fact of U.S. interest in a specific technology for cyberattack (rather than the nature of that technology itself); fragile and sensitive operational details that are not specific to the technologies themselves (e.g., the existence of a covert operative in a specific foreign country or a particular vulnerability); or capabilities and intentions of specific adversaries. None of these specific areas are particularly relevant to a study that focuses on the articulation of an intellectual framework for thinking about cyberattack.
It is important to delineate the scope of what this report does and