Currently Skimming:

Letter Report
Pages 1-32

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 1...
... , Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (William Owens, Kenneth Dam, Herbert Lin, editors)
From page 2...
... This project was established to address cyberattacks, which refer to the deliberate use of cyber operations -- perhaps over an extended period of time -- to alter, disrupt, deceive, degrade, usurp, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks.4 Cyberattack is NRC, Toward a Safer and More Secure Cyberspace (Seymour Goodman and Herbert Lin, editors), The National Academies Press, Washington, D.C., 2007.
From page 3...
... The range of possibilities for cyberintrusion is quite broad.5 A cyberattack might result in the destruction of relatively unimportant data or the loss of availability of a secondary computer system for a short period of time -- or it might alter top-secret military plans or degrade the operation of a system critical to the nation, such as an air traffic control system, a power grid, or a military command and control system. Cyber exploitations might target the personal information of individual consumers or critical trade secrets of a business, military war plans, or design specifications for new weapons.
From page 4...
... , much attention has been devoted to passive defense -- measures taken unilaterally to increase the resistance of an information technology system or network to attack. These measures include hardening systems against attack, facilitating recovery in the event of a successful attack, making security more usable and ubiquitous, and educating users to behave properly in a threat environment.6 Passive defenses for cybersecurity are deployed to increase the difficulty of conducting the attack and reduce the likelihood that a successful attack will have significant negative consequences.
From page 5...
... Policy makers understandably aspire to a goal of preventing cyberattacks (and cyber exploitations as well), but most importantly to a goal of preventing serious cyberattacks -- cyberattacks that have a disabling or a crippling effect on critical societal functions on a national scale (e.g., military mission readiness, air traffic control, financial services, provision of electric power)
From page 6...
... These approaches -- and indeed an approach based on passive defense -- are by no means mutually exclusive. For example, some combination of strengthened passive defenses, deterrence, law enforcement, and negotiated behavioral restraint may be able to reduce the likelihood that highly destructive cyberattacks would be attempted and to minimize the consequences if cyberattacks do occur.
From page 7...
... , they differ in many other key characteristics, and the section below discusses cyberdeterrence and when appropriate contrasts cyberdeterrence to Cold War nuclear deterrence. What the discussion below will suggest is that nuclear deterrence and cyberdeterrence do raise many of the same questions, but indeed that the answers to these questions are quite different in the cyber context than in the nuclear context.
From page 8...
... That infrastructure was sufficiently visible that an intelligence effort directed at potential adversaries could keep 11 See NRC, Technology, Policy, Law, and Ethics Regarding Acquisition and Use of U.S. Cyberattack Capabilities, 2009, page 142.
From page 9...
... Identification of the distinctive radiological signatures of potential adversaries' nuclear weapons is also believed to have taken place. The nuclear deterrence paradigm also presumes unitary actors, nominally governments of nation-states -- that is, it presumes that the nuclear forces of a nation are under the control of the relevant government, and that they would be used only in accordance with the decisions of national leaders.
From page 10...
... The United States maintains a global network of satellites that are capable of detecting and locating nuclear explosions in the air and on the ground, and a network of seismic sensors that provide additional information to localize nuclear explosions. Most importantly, a nuclear explosion would occur against the very quiet background of zero nuclear explosions happening over time.
From page 11...
... By contrast, major corporations are subject to cyberattacks and cyber exploitations on a daily basis. This difference raises the question of whether deterrence of such intrusions on individual private sector entities (especially those that are regarded as a part of U.S.
From page 12...
... capabilities? A credible deterrent threat need not be limited to a response in kind -- the United States has a wide variety of options for responding to any given cyberattack, depending on its scope and character; these options include a mix of changes in defense postures, law enforcement actions, diplomacy, economic actions, cyberattacks, and kinetic attacks.14 Another dimension of making a threat credible is to communicate the threat to potential adversaries.
From page 13...
... Passive defenses can be strengthened in a number of ways, such as reducing the number of vulnerabilities present in vital systems, reducing the number of ways to access these systems, configuring these systems to minimize their exposed security vulnerabilities, dropping traffic selectively, and so on. Properties such as rapid recoverability or reconstitution from a successful attack can be emphasized.
From page 14...
... In practice, active defense is possible only for certain kinds of cyberattack (e.g., denial-of-service attacks) and even then only when the necessary intelligence information on the appropriate targets to hit is available to support a responsive operation.
From page 15...
... If responsibility can be attributed to a known actor, the range of possibilities for response becomes much larger. For example, if a nation-state can be identified as being responsible, anything of value to that state can be attacked, using any available means.17 Indeed, options for responding to cyberattacks span a broad range and include a mix of changes in defensive postures, law enforcement actions, diplomacy, economic actions, and kinetic attacks, as well as cyberattacks.18 Further, if individual/personal responsibility can be ascertained (or narrowed to a sufficiently small group of individuals)
From page 16...
... , and such a structure is believed to be an important element of deterring nuclear attack against the United States. By contrast, the relationship between the pace at which responses are made and the deterrent effect of such responses in a cyber context is not well understood.
From page 17...
... But when cyber conflict is involved, recognizing a cessation of hostilities is quite problematic. For example, given that there exists a background level of ongoing cyberattacks affecting the United States, how would the United States recognize that an adversary had ceased its cyberattacks?
From page 18...
... Options for responding to cyberattacks on the United States span a broad range and include a mix of changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks, and there is no reason that a retaliatory cyberattack would necessarily be favored over a retaliatory kinetic attack. There is also a broad range of conflict scenarios to which cyberdeterrence may be applicable.
From page 19...
... An answer in the affirmative will raise the question of whether granting private sector entities the right to engage in active defense as a response to cyberattacks directed at them would enhance or detract from cyberdeterrence.

2.3 INTERNATIONAL REGIMES THAT LIMIT OR REQUIRE CERTAIN BEHAVIORS

The preceding discussion suggests that at the very least, classical deterrence theory (as construed for deterring nuclear attacks on the United States)
From page 20...
... To achieve these objectives, arms control regimes often seek to limit capabilities of the signatories or to constrain the use of such capabilities. Thus, in the nuclear domain, agreements have (for example)
From page 21...
... On the other hand, U.S. policy makers and analysts have not seriously explored the utility and feasibility of international regimes that deny the legitimacy of cyberattacks on critical infrastructure assets, such as power grids, financial markets, and air traffic control systems.20 How useful would such a regime be, especially applied in concert with a significantly improved cyberdefensive posture for these assets?
From page 22...
... They might also require signatories to pass national laws that criminalize certain kinds of cyber behavior undertaken by individuals and to cooperate with other nations in prosecuting such behavior, much as the Convention on Cyber Crime has done.21 There are a number of major complications associated with arms control regimes for cyberattack. These include:
• The functional similarity between cyber exploitation and cyberattack.
From page 23...
... , an opt-in array of interoperable identity management systems to build trust for online transactions." White House, Cyberspace Policy Review, 2009, available at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.
From page 24...
... 23 Chapter 10, NRC, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, 2009.
From page 25...
... It is an open question whether such an approach might enhance cybersecurity internationally, whether or not it excludes any direct application or restriction on the national security activities of signatories.

2.4 DOMESTIC REGIMES TO PROMOTE CYBERSECURITY

Law enforcement regimes to prosecute cyber criminals are not the only ones possible to help promote cybersecurity.
From page 26...
... What should be the content of a declaratory policy regarding cyberintrusions (that is, cyberattacks and cyberintrusions) conducted against the United States?
From page 27...
... 12. To the extent that a declaratory policy states what the United States will not do, what offensive operational capabilities should the United States be willing to give up in order to secure international cooperation?
From page 28...
... 24. How might cyber operations and capabilities contribute to national military operations at the strategic and tactical levels, particularly in conjunction with other capabilities (e.g., cyberattacks aimed at disabling an opponent's defensive systems might be part of a larger operation)
From page 29...
... strategies for cyber conflict? How can a "cyberattack taboo" be developed (perhaps analogous to taboos against the use of biological or nuclear weapons)
From page 30...
... provide a model or a foundation for reaching further international agreements that would help to establish cyberdeterrence? 37. How might international and national law best address the issue of patriotic hackers or cyber patriots (or even private sector entities that would like to respond to cyberattacks with cyber exploitations and/or cyberattacks of their own)
From page 31...
... with significant cyberintrusion capabilities affect any government policy regarding cyberdeterrence? Private entities acting outside government control and private entities acting with at least tacit government approval or support should both be considered.
From page 32...
... , actor capacities and resources, and which targets require protection beyond that afforded by passive defenses and law enforcement (e.g., military and intelligence assets, critical infrastructure, and so on)


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.