previous NRC panel (the NRC Committee on Offensive Information Warfare), which issued a report entitled Technology, Policy, Law, and Ethics Regarding Acquisition and Use of U.S. Cyberattack Capabilities in April 2009, and extracts without specific attribution sections from Chapters 2, 9, and 10 of that report. In addition and as requested by the Office of the Director of National Intelligence (ODNI), the committee reviewed the ODNI-provided compendiums on three summer workshops conducted by the ODNI,2 and incorporated insights and issues from them into this report as appropriate.

This report consists of three main sections. Section 1 describes a broad context for cybersecurity, establishing its importance and characterizing the threat. Section 2 sketches a range of possible approaches for how the nation might respond to cybersecurity threats, emphasizing how little is known about how such approaches might be effective in an operational role. Section 3 describes a research agenda intended to develop more knowledge and insight into these various approaches.

As for the second phase of this project, a workshop will be held in June 2010 to discuss a number of papers that have been commissioned by the committee and possibly additional papers received through the NRC’s call for papers. This call for papers is at the heart of a competition sponsored by the NRC to solicit excellent papers on the subject of cyberdeterrence. The call for papers can be found at

The Broad Context for Cybersecurity3

Today, it is broadly accepted that the U.S. military and economic power is ever more dependent on information and information technology. Accordingly, maintaining the security of important information and information technology systems against hostile action (a topic generally referred to as “cybersecurity”) is a problem of increasing importance to policy makers.

Accordingly, an important policy goal of the United States is to prevent, discourage, and inhibit hostile activity against these systems and networks. This project was established to address cyberattacks, which refer to the deliberate use of cyber operations—perhaps over an extended period of time—to alter, disrupt, deceive, degrade, usurp, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks.4 Cyberattack is

NRC, Toward a Safer and More Secure Cyberspace (Seymour Goodman and Herbert Lin, editors), The National Academies Press, Washington, D.C., 2007.


These workshops addressed the role of the private sector, deterrence, and attribution.


The discussion in this section is based on Chapter 1, NRC, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, 2009; and Chapter 2, NRC, Toward a Safer and More Secure Cyberspace, 2007.


This report does not consider the use of electromagnetic pulse (EMP) attacks. EMP attacks typically refer to nonselective attacks using nuclear weapons to generate an intense electromagnetic pulse that can destroy all unprotected electronics and electrical components within a large area, although a tactical EMP weapon intended to

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement