6 Decision Making and Oversight

This chapter describes decision making about and oversight of cyberattack as an instrument of U.S. national policy, focusing on issues usually associated with the Department of Defense and intelligence communities.

6.1 Executive Branch

The discussion below—addressing declaratory policy, acquisition policy, and employment policy—draws from discussions of nuclear history and policy, not because cyberweapons and nuclear weapons are similar (they are not), but because such discussions have highlighted the importance of several issues discussed below. That is, the committee found that nuclear history and policy are useful points of departure—framing notions and metaphorical checklists—for understanding policy regarding cyberattack but not that the conclusions that emerge from nuclear policy and history are directly applicable.

[Footnote: Robert S. Norris, "The Difficult Discipline of Nuclear History: A Perspective," a presentation at the Carnegie Conference on Non-Proliferation, November 7, 2005, available at http://www.carnegieendowment.org/static/npp/2005conference/presentations/Norris_Nuclear_History_Slides.pdf, and David M. Kunsman and Douglas B. Lawson, A Primer on U.S. Strategic Nuclear Policy, Sandia National Laboratories, Albuquerque, N.Mex., January 2001, available at http://www.nti.org/e_research/official_docs/labs/prim_us_nuc_pol.pdf.]

6.1.1 Declaratory Policy

The Need for Declaratory Policy

Declaratory policy states, in very general terms, why a nation acquires certain kinds of weapons and how those weapons might be used. For example, the declaratory policy of the United States regarding nuclear weapons is stated in The National Military Strategy, last published in 2004:

Nuclear capabilities [of the United States] continue to play an important role in deterrence by providing military options to deter a range of threats, including the use of WMD/E and large-scale conventional forces. Additionally, the extension of a credible nuclear deterrent to allies has been an important nonproliferation tool that has removed incentives for allies to develop and deploy nuclear forces.

By contrast, the declaratory policy of Israel regarding nuclear weapons is that it will not be the first nation to introduce nuclear weapons in the Middle East. The declaratory policy of China regarding nuclear weapons is that it will not be the first to use nuclear weapons under any circumstances. The Soviet Union once had a similar "no first use of nuclear weapons" declaratory policy, but Russia has since explicitly revoked that policy. U.S. declaratory policy has also evolved since 1945—"massive retaliation," "flexible response," and "escalation dominance" are some of the terms that have characterized different versions of U.S. declaratory policy regarding nuclear weapons in that period.

Declaratory policy is not necessarily linked only to the use of nuclear weapons. In 1969, the United States renounced first use of lethal or incapacitating chemical agents and weapons and unconditionally renounced all methods of biological warfare. In 1997, the United States ratified the Chemical Weapons Convention, which prohibits the signatories from using lethal chemical weapons under any circumstances.

[Footnote: Joint Chiefs of Staff, The National Military Strategy of the United States of America, 2004, available at http://www.strategicstudiesinstitute.army.mil/pdffiles/nms2004.pdf.]

[Footnote: See http://www.state.gov/t/ac/trt/4718.htm.]

Declaratory policy is directed toward adversaries as much as it is to the declaring nation itself. A declaratory policy is intended, in part, to signal to an adversary what the declaring nation's responses might be under various circumstances. On the other hand, a declaratory policy may also be couched deliberately in somewhat ambiguous terms, leaving somewhat vague and uncertain the circumstances under which the declaring nation would use nuclear weapons. Such vagueness and uncertainty have historically been regarded by the United States as a strength rather than a weakness of such policies, on the grounds that uncertainty about a U.S. response is an essential part of deterring other nations from taking hostile action against its interests. By contrast, a declaratory policy that is highly explicit may be perceived as limiting a nation's options in a crisis and telegraphing its intent to some extent, thus simplifying an adversary's planning process.

[Running head: Technology, Policy, Law, and Ethics of U.S. Cyberattack Capabilities]

Yet another related issue is whether another nation should believe a nation's declaratory policy. For example, the Soviet Union formally adopted an explicit "no-first-use" policy regarding nuclear weapons in 1982, but many military analysts gave little credence to that statement. On one hand, no immutable law mandates consistency between prior declaratory policy and subsequent action, and declaratory policy need not constrain actual practice. On the other hand, declaratory policy may influence a nation's armed forces' training and doctrine. If, for example, the declaratory policy states that a nation will not use weapon X, and its armed forces do not train to use weapon X, and its military doctrine does not contemplate the use of weapon X, that nation may well be ill-prepared to use weapon X in practice even if its leaders decide to act in violation of the stated declaratory policy.

Present Status

For the use of cyberweapons, the United States has no declaratory policy, although the DOD Information Operations Roadmap of 2003 stated that "the USG should have a declaratory policy on the use of cyberspace for offensive cyber operations." The 2006 National Military Strategy for Cyberspace Operations indicates that "as a war-fighting domain . . . cyberspace favors the offense . . . an opportunity to gain and maintain the initiative." This statement is the beginning of a declaratory policy, but it is incomplete. A declaratory policy would have to answer several questions.

• For what purposes does the United States maintain a capability for cyberattack?
• Do cyberattack capabilities exist to fight wars and to engage in covert intelligence or military activity if necessary, or do they exist primarily to deter others from launching cyberattacks on the United States?
• If they exist to fight wars, are they to be used in a limited fashion?

[Footnote: See http://www.dod.mil/pubs/foi/ojcs/07-F-2105doc1.pdf.]

On the basis of what is known publicly, it is possible to formulate what might be called an implied declaratory policy of the United States on cyberwarfare. (Of course, the notion of an implied declaratory policy is itself an oxymoron—a declaratory policy that is not explicitly stated is hardly declaratory. Rather, what follows below is an example of a declaratory policy that would be consistent with what is known publicly.)

The United States acquires cyberattack capabilities as part of its overall deterrent posture, which is based on full spectrum dominance—the ability to control any situation or defeat any adversary across the range of military operations. Cyberattack capabilities provide the U.S. military and intelligence communities with additional options for action and use, and are thus intended for use just as any other weapons could be used in support of U.S. military or intelligence objectives. Cyberattack capabilities are to be fully integrated into U.S. military operations when appropriate, and distinctions between cyberattack and kinetic force are not meaningful except in an operational context. Cyberattack capabilities may be particularly useful to the United States in many conflict scenarios short of all-out war.

In addition, two other questions are often included under the rubric of declaratory policy:

• How is cyberconflict to be stopped?
• To the extent that cyberattack is part of the U.S. deterrent posture, how can its use be established as a credible threat?

In the nuclear domain, concerns have always been raised about nuclear strikes against an adversary's strategic command and control system. The issue has been that such strikes could seriously impair war termination efforts by disconnecting the political leadership of a nation from the nuclear-armed forces under its control, leaving the question of how nuclear hostilities might be terminated.

The use of large-scale cyberattacks against the communications infrastructure of an adversary might well lead to similar concerns.
Such attacks could result in the effective disconnection of forces in the field from the adversary's national command authority, or sow doubt and uncertainty in an adversary's military forces about the reliability of instructions received over their communications infrastructure. Again, under such circumstances, termination of hostilities might prove problematic (and if the adversary were a nuclear-armed nation, sowing such doubt might seriously run counter to U.S. interests).

Regarding the credibility of nuclear use, the United States does much through its declaratory (and acquisition) policy to encourage the perception that there are circumstances under which the United States might use nuclear weapons, and it conducts large-scale military exercises involving nuclear forces in part to demonstrate to the world that it is capable of mustering nuclear forces that could be brought to bear in any given situation. The situation is entirely reversed with respect to cyberwarfare. U.S. policy regarding the use of cyberweapons is shrouded in secrecy, and the lack of public discussion regarding U.S. policy in this domain almost by definition does not contribute to deterrence.

Finally, the National Military Strategy of the United States of America of 2004 also states:

The term WMD/E relates to a broad range of adversary capabilities that pose potentially devastating impacts. WMD/E includes chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other, more asymmetrical "weapons." They may rely more on disruptive impact than destructive kinetic effects. For example, cyber attacks on US commercial information systems or attacks against transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent.

[Footnote: Joint Chiefs of Staff, The National Military Strategy of the United States of America, 2004, available at http://www.strategicstudiesinstitute.army.mil/pdffiles/nms2004.pdf.]

Coupled with the declaratory policy on nuclear weapons described earlier, this statement implies that the United States will regard certain kinds of cyberattacks against the United States as being in the same category as nuclear, biological, and chemical weapons, and thus that a nuclear response to certain kinds of cyberattack (namely, cyberattacks with devastating impacts) may be possible. It also sets the relevant scale—a cyberattack that has an impact larger than that associated with a relatively small release of a lethal agent is regarded with the same or greater seriousness.

Alternative Declaratory Policies

Simply as illustration (and not as endorsement), the following discussion incorporates and addresses hypothetical declaratory policies (or elements thereof) regarding cyberattack.

• No large-scale cyberattacks. Although weapons for cyberattack are valid and legitimate military weapons to be deployed and used in support of U.S. interests, the United States will unilaterally refrain from conducting against nations cyberattacks that would have the potential for causing widespread societal devastation and chaos. Accordingly, the United States will refrain from conducting cyberattacks against a nation's electric power grids and financial systems if such attacks would have a significant potential for affecting national economies.

Such a policy would seek to delegitimize the use of large-scale cyberattacks as an instrument of national policy by any nation in much the same way that the unilateral U.S. renunciation of biological weapons contributed to stigmatizing use of such weapons by any nation. The benefit to the United States if such stigmatization occurred would be a lower likelihood that it would experience such an attack.

• No first use of large-scale cyberattacks. Although weapons for cyberattack are valid and legitimate military weapons to be deployed and used in support of U.S. interests, the United States will not be the first nation in a conflict to conduct against nations cyberattacks that would have the potential of causing widespread societal devastation and chaos. Nevertheless, the United States reserves the right to conduct such attacks should it be subject to such attacks itself.

Such a policy would seek to discourage the use of large-scale cyberattacks as an instrument of national policy by any nation. However, the U.S. stance on the use of large-scale cyberattacks would be based primarily on threatening in-kind retaliation rather than setting an example. As in the previous case, the benefit to the United States if such stigmatization occurred would be a lower likelihood that it would experience such an attack.

• No first use of cyberattacks through the Internet and other public networks. The U.S. government will refrain from using the Internet and other public networks to conduct damaging or destructive acts, and will seek to prevent individuals and organizations within its authority from doing so, as long as other nations do the same.

Such a policy would seek to discourage the use of cyberattacks through the Internet as an instrument of national policy by any nation, presumably based on a rationale that sees the Internet as a global public utility whose benefits to the world's nations are outweighed by any temporary military advantage that might be gained through Internet-based cyberattacks. Again, the U.S. stance on the use of such cyberattacks would be based primarily on threatening in-kind retaliation rather than example-setting. The benefit to the United States would be that it (and especially its civilian sector) would be more likely to continue to enjoy the benefits of Internet connectivity.

• National responsibility for cyberattacks. Nations are responsible for cyberattacks that emanate from their soil, whether or not their national governments have initiated such actions. If they have not, national governments are responsible for taking actions that lead or help lead to the cessation of such actions. The United States reserves the right to take unilateral action if a nation fails to take action to respond to cyberattacks emanating from its soil.

Such a policy would codify for cyberattack a legal principle that is foundational to international law regarding neutrality, self-defense, and the laws of armed conflict (discussed further in Chapter 7)—that nations are responsible for military conduct emanating from their territories and affecting other nations. The benefit of such a policy would be to make explicit what is already U.S. policy regarding kinetic attacks.

The Relationship Between Declaratory Policy and International Agreements

Declaratory policy might also be replaced or complemented by bilateral or multilateral agreements, much as nations have sometimes agreed to certain standards of behavior for their navies on the high seas when interacting with the navies of nations also party to those agreements. This point is addressed in more detail in Chapter 10.

6.1.2 Acquisition Policy

The acquisition of capabilities is, in principle, driven by statements of need—that is, how the U.S. military (for instance) may effectively take advantage of a given capability. Much has been written about the drivers of military acquisition, and a key driver that emerges from these writings is the anticipation that an adversary has or will acquire a particular military capability to which the nation must respond quickly by itself acquiring a similar or countering capability.

[Footnote: See, for example, Stephen Rosen, Chapter 7, "What Is the Enemy Building?" in Winning the Next War: Innovation and the Modern Military, Cornell University Press, Ithaca, N.Y., 1991.]

Acquisition policy addresses issues such as how much should be spent on weapons of various kinds, how many of what kind should be acquired on what timetable, and what the characteristics of these weapons should be. A statement of acquisition policy regarding nuclear weapons might say something like "the United States must deploy in the next 2 decades 500 land-based new ICBMs with 10 nuclear warheads apiece, each with a kill probability (Pk) of 90 percent against targets hardened to withstand overpressures of 2000 pounds per square inch." For a standoff munition, a statement of acquisition policy might say something like "the United States must acquire, at a rate of 1000 per year, a standoff 'fire-and-forget' munition carrying a 250-pound explosive warhead capable of being launched from a range of 30 kilometers with a Circular Error Probable of 1 meter against moving targets under all weather and battlefield conditions."

The acquisition process also requires that a weapon in acquisition be subject to an internal review prior to production to determine if use of the weapon would conflict with existing international obligations (e.g., arms control treaties or customary international standards of necessity, proportionality, and discrimination in the law of armed conflict). Not surprisingly, such review is undertaken using DOD interpretations of the law of armed conflict, which outside analysts sometimes criticize as being overly narrow. These reviews are generally not classified, but in general, they have not been made widely available.

Finally, the acquisition process requires that certain weapons undergo operational testing and evaluation before large-scale production. Operational testing and evaluation (OT/E) involves field testing under realistic combat conditions for the purpose of determining the effectiveness and suitability of a weapon for use in combat by typical military users. However, only weapons procured through a major defense acquisition program are subject to this OT/E requirement, and in particular weapons procured through a highly sensitive classified program (as designated by the secretary of defense) are exempt from this requirement.

In principle, this process also applies to the acquisition of cyberweapons, or more precisely, capabilities for cyberattack.
(It would be rare that a "cyberweapon" takes the same form as a kinetic weapon, in the sense of a package that can be given to a military operator as a rifle or a fighter jet can be given. Rather, operators who launch cyberattacks are likely to have a variety of tools at their disposal for conducting an attack.) But acquiring capabilities (tools) for cyberattack differs in important ways from acquiring ordinary weapons, raising a number of issues for the acquisition process.

For example, the rapid pace of information technology change places great stress on acquisition processes for cyberattack capabilities (and for cyberdefense as well).

A second important point is that the acquisition cost of software-based cyberattack tools is almost entirely borne in research and development, since they can be duplicated at near-zero incremental cost. By contrast, procurement is a major portion of the acquisition cost for kinetic weapons. Thus, a testing and evaluation (T/E) regime timed to occur after R&D is unlikely to apply to cyberweapons. The absolute acquisition cost of cyberweapons is also likely to be significantly smaller than those of kinetic weapons, thus exempting cyberweapons from T/E regimes linked to acquisition cost.

A third point is that the acquisition process presumes that it is the only way to procure weapons. But cyberattack capabilities are so inexpensive to acquire that they could be acquired through operations and maintenance (O/M) funds (and may be legal as well). For example, under the rubric of upgrading the cybersecurity posture of an installation, a system administrator might well obtain tools designed to test its computer security (that is, to support a "red team" penetration test) and acquire these tools through O/M funds. But these very same tools could provide capabilities that could be used against adversary computers.

A second way to acquire cyberattack capability is to purchase services that provide them. For example, botnets (discussed in Section 188.8.131.52.1) can be rented at relatively low cost—informed estimates vary, but are reported to be on the order of a few thousand dollars for a botnet consisting of tens of thousands of zombies for a few days. Renting a botnet may be a much more efficient method for acquiring the afforded capabilities than developing a botnet on one's own, and indeed the Estonian minister of defense has asserted that the cyberattack on Estonia was conducted by botnets that were rented for that purpose.

Of course, the rental of botnets contributes to the furtherance of a criminal enterprise, as the botnet owner/operator has broken U.S. law in assembling the botnet (presuming the owner/operator is subject to U.S. jurisdiction). An important policy question is whether it is appropriate for the United States to work with known criminals to pursue foreign policy objectives.
More generally, the United States could "outsource" certain kinds of cyberattack to criminal hackers, especially if it wanted to leave no trace of such work, and incentivize such work by allowing the hackers to keep some or all of the financial resources they might encounter. Such cooperation has some precedent in U.S. history—for example, the Central Intelligence Agency sought to recruit the Mafia in 1960 to kill Fidel Castro—though such instances have hardly been uncontroversial.

[Footnote: For example, a major defense acquisition program is defined by statute as one estimated to require an eventual total expenditure for research, development, testing, and evaluation of more than $300 million (in FY 1990 constant dollars) or an eventual total expenditure for procurement of more than $1.8 billion (in FY 1990 constant dollars). Programs for acquiring cyberattack capabilities and tools are likely to cost far less than these amounts.]

[Footnote: William Jackson, "Cyberattacks in the Present Tense, Estonian Says," Government Computing News, November 28, 2007, available at http://www.gcn.com/online/vol1_no1/45476-1.html.]

[Footnote: Glenn Kessler, "Trying to Kill Fidel Castro," Washington Post, June 27, 2007, p. A06.]

Related is the fact that the computers of third parties, such as innocent civilians in a nation of choice, might also be compromised in order to support a cyberattack. These computers can be configured as "weapons for cyberattack" at will by the real attacker at essentially zero cost, even though they increase his attack capabilities by orders of magnitude, and because such scenarios were never envisioned by the traditional acquisition process, it is only a matter of policy that might inhibit the United States from doing so.

Acquisition policy should also address the issue of the proper balance of resource allocation. The absolute budget sums involved in acquiring cyberattack capabilities are relatively small, as noted in Chapter 2. But serious defensive efforts are very expensive, not least for reasons of scale—the sheer volume of computer systems and networks that must be protected. Thus, acquisition policy necessarily affects the balance between conventional military assets and cyber military assets and procedures on the defensive side. Given the dependence of today's military forces on information technologies, some analysts have argued that present-day acquisition policies do not pay sufficient attention to cybersecurity and defensive operations.

The above discussion of acquisition policy relates primarily to the defense community. But the intelligence community must also acquire various capabilities to support its intelligence collection and covert action missions. Of particular significance for acquisition policy is that a tool to collect intelligence information from an adversary computer system or network can—at little additional cost—be modified to include certain attack capabilities, as described in Section 2.6.
Indeed, the cost of doing so is likely to be so low that in the most usual cases, acquisition managers would probably equip a collection tool with such capabilities (or provide it with the ability to be modified on-the-fly in actual use to have such capabilities) as a matter of routine practice.

6.1.3 Employment Policy

Employment policy specifies how weapons can be used, what goals would be served by such use, and who may give the orders to use them. Such policy has a major influence on how forces train (e.g., by driving the development and use of appropriate training scenarios).

One key question of employment policy relates to the necessary command and control arrangements. For example, although U.S. doctrine once did not differentiate between nuclear and non-nuclear weapons,[10] this is most surely not the case today. Nuclear weapons are universally regarded as worthy of special attention, policies, and procedures, and their use is tightly controlled and highly centralized—more so than any other weapon in the U.S. arsenal. Whether similar arrangements will be made for cyberweapons in the future remains to be seen, although the discussion in Chapter 3 suggests that the command and control arrangements of today are not as centralized.

[Footnote 10: In 1954, President Eisenhower was asked at a press conference (March 16, 1954) whether small atomic weapons would be used if war broke out in the Far East. He said, "Yes, of course they would be used. In any combat where these things can be used on strictly military targets and for strictly military purposes, I see no reason why they shouldn't be used just exactly as you would use a bullet or anything else." (See Eisenhower National Historic Site, National Park Service, at http://www.nps.gov/archive/eise/quotes2.htm.) Indeed, in 1953, the U.S. National Security Council noted that "in the event of hostilities, the United States will consider nuclear weapons to be as available for use as other munitions." (U.S. National Security Council (NSC), "Basic National Security Policy," NSC Memorandum 162/2, October 30, 1953, available at http://www.fas.org/irp/offdocs/nsc-hst/nsc-162-2.pdf.)]

A second key question of employment policy is the targets of such weapons. Some targets are off-limits by virtue of the LOAC and other relevant international law. But the propriety of attacking other kinds of targets is often determined by doctrine and views of the adversary.

For example, in the nuclear strategy of the Cold War, considerable debate arose about the propriety of targeting adversary nuclear forces. Advocates of prompt hard-target kill capabilities (that would use a ballistic missile against a hardened adversary missile silo) argued that the adversary (generally the leaders of the Soviet Union) placed great value on their instruments of national power, such as their nuclear forces, and that placing such instruments at risk would help to deter actions that worked against the interests of the United States. Opponents of such targeting argued that threatening to destroy such targets only increased the likelihood that the adversary would launch its missiles on warning of attack, thus making accidental launch more likely.

Given that there are no cyber equivalents of hardened missile silos that constitute an adversary's retaliatory forces, no credible threat of annihilation, and no equivalent of launch on warning for cyber forces, nuclear strategy does not provide guidance for cyber targeting. What targets might or might not be appropriate for cyberattack and under what circumstances would this be so? From what can be determined from public statements, the DOD believes that cyberattack has military utility, and thus the use of cyberattack is subject to constraints imposed by the law of armed conflict.

At the same time and apart from the need to comply with the LOAC, good reasons may exist for eschewing certain kinds of cyberattack against certain kinds of target for reasons other than those related to operational efficacy. For example, cyberwarfare provides tools that can be focused directly on messaging and influencing the leadership of an adversary state. Message-based influence might help to persuade the leadership to make decisions helpful to U.S. national interests, such as terminating hostilities or refraining from using weapons of mass destruction.

But at the same time, it may be undesirable to conduct destructive or disruptive attacks on the command and control systems that connect the adversary's national command authority to forces in the field. Disconnecting an adversary's forces from their leadership may result in serious dysfunction, uncoordinated action, and psychological impact on the adversary such as fear and poor morale. Such positive effects must be balanced against possible negative effects, such as the inability of the adversary's leadership to direct its forces to surrender or to stand down. In addition, if forces in the field lose confidence in the authoritativeness of commands from their national command authority, they may resort to following standing orders issued before the conflict began—and such orders may well instruct these forces to act in more destructive ways than they otherwise would. These considerations are particularly important if the adversary has nuclear weapons and if the cyberattack cannot differentiate between command and control systems for the adversary's conventional and nuclear forces.

Other possible targets to be avoided may include those that could have significantly damaging effects on large numbers of non-combatants. Entirely apart from the moral and ethical issues raised by such attacks, conducting such attacks against a nation with a declared policy of responding to such attacks with nuclear weapons arguably increases the likelihood that such weapons would be used. Targets in this category might include national financial systems and electric power grids.

Cyberattacks may be a preferred method for targeting infrastructure under some circumstances.
The United States may wish to conduct operations related to war recovery and stabilization in the aftermath of a conflict, and thus wish to preserve infrastructure as an important element in war recoveryâthe U.S. intent in Operation Iraqi Freedom (the Second Gulf War) in 2003 was to occupy Baghdad for some period of time there- after and to enable Iraq to function as a sovereign nation. In its targeting of Iraqi infrastructure, the United States had to consider the possibility that destroying parts of it (e.g., the electric power grid) might impede war recovery efforts after the conflict. If cyberattacks made it possible to attack infrastructure in such a way that it was rendered non-functional for the duration of a conflict but could be easily restored to normal operation after the conflict was terminated, attack planners would have consider- able incentives to prefer such attacks over more destructive ones. A second issue relates to options for strategic use. As with nuclear weapons, the availability of preplanned options for cyberattack varying in scale, scope, and timing would increase flexibility and the ability to
respond promptly to various strategic contingencies. A number of important questions arise in this context—the large amount of intelligence information likely to be needed for such options, the timeliness of information collected to support preplanned options, and indeed the actual value of prompt cyber response under various circumstances.

A third important issue is ensuring that cyberattack activities are sufficiently visible to higher authorities, including the political leadership. It is an unfortunate reality that during times of crisis, military actions that would normally be regarded as routine or "small" can lead to misperceptions of strategic significance. For example, routine air reconnaissance undertaken during times of crisis can be interpreted as a prelude to attack. In a cyberattack context, analogs could include the routine gathering of intelligence that is needed to support a cyberattack (e.g., port scans of Zendian systems) or the self-defense neutralization of an active cyberattack threat from a Zendian patriotic hacker under standing rules of engagement. The possibility is very real that Zendian authorities might perceive such activities as aggressive actions associated with a planned and deliberate cyberattack by the United States.

Keeping the political leadership informed of such activities is a problem even when considering traditional military operations. But because the resources and assets needed to conduct cyberattacks are small by comparison and the potential impact still large, it may be more difficult for higher authorities to stay informed about activities related to cyberattack.

Finally, the United States has a long-standing policy not to use cyberattack or cyberexploitation to obtain economic advantage for private companies (as noted in Section 4.1.2).
However, the economic domain is one in which the operational policies of adversaries are markedly different from those of the United States. That is, adversaries of the United States are widely believed to conduct cyber-espionage for economic advantage—stealing trade secrets and other information that might help them to gain competitive advantage in the world marketplace and/or over U.S. firms. As noted in Section 2.6.2, the intelligence services of at least one major nation-state were explicitly tasked with gathering intelligence for its potential economic benefits. This asymmetry between U.S. and foreign policies regarding cyberexploitation is notable.

The committee also observes that national policy makers frequently refer to a major and significant cyberthreat against the United States emanating from many actors, including major nation-states. The result in recent years has been an upsurge of concern about the disadvantaged position of the United States in the domain of cyberconflict, and is most recently reflected in the still largely classified Comprehensive National Cybersecurity Initiative resulting from the National Security Presidential Directive 54/Homeland Security Presidential Directive 23 of January 2008.[11]

On the other hand, the committee's work has underscored many of the uncertainties that underlie any serious attempt by the United States to use cyberattack as an instrument of national policy. Moreover, military planners often engage in worst-case planning, which assumes that more things will go right for an adversary than for oneself. Thus, attack planners emphasize the uncertainties of an attack and assume that the defense will be maximally prepared and lucky. Defensive planners emphasize the uncertainties of defense and assume that the attacker will be maximally prepared and lucky.

In short, the committee sees a marked asymmetry in the U.S. perception of cyberattack—"they" (the adversary) are using cyberattack means effectively against us (the United States), but it would be difficult (though not impossible) for us to use such means effectively against them.

The question thus arises, What might be responsible for this perception? One factor is the conflation of cyberattack and cyberexploitation in the public discourse (see Box 1.4 in Chapter 1). As noted by General Kevin Chilton, commander of the U.S. Strategic Command, many of the incidents that are billed as cyberattacks are, more accurately, just old-fashioned espionage—people looking for information who don't necessarily represent military threats.[12] Thus, if the public discourse uses the term "cyberattack" (what this discussion calls cyberattack-AUIPD, for "cyberattack as used in public discourse," to distinguish usages) to include cyberexploitation, then the balance is between adversary cyberattacks-AUIPD (which would include what this report terms "cyberattack" [note absence of a tag] and which are largely espionage conducted for economic benefit) and U.S.
"cyberattacks-AUIPD" (which by policy do not involve either cyberattack or cyberexploitation conducted for economic benefit), and in such a balance, adversary cyberattacks-AUIPD will obviously seem to be much more effective than those of the United States.

[11] Public reports indicate that this initiative has 12 components intended to reduce to 100 or fewer the number of connections from federal agencies to external computer networks, and to make other improvements in intrusion detection, intrusion prevention, research and development, situational awareness, cyber counterintelligence, classified network security, cyber education and training, implementation of information security technologies, deterrence strategies, global supply chain security, and public/private collaboration. The cost of this initiative has been estimated at $40 billion. See, for example, Jill R. Aitoro, "National Cyber Security Initiative Will Have a Dozen Parts," Nextgov, August 1, 2008, available at http://www.nextgov.com/nextgov/ng_20080801_9053.php.

[12] Wyatt Kash, "Cyber Chief Argues for New Approaches," Government Computer News, August 22, 2008, available at http://gcn.com/articles/2008/08/22/cyber-chief-argues-for-new-approaches.aspx.

A third important factor contributing to this perception is the fact
that as noted in earlier chapters, the United States provides only limited assistance to the private sector when it comes under cyberattack and restricts the ability of the private sector to engage in self-help activities (as discussed in Section 5.2), and it refrains from sharing intelligence information that would benefit individual private sector companies (as discussed in Section 4.1). Some other nations do not practice such restraint. The committee speculates that this asymmetry in policy may account for at least some of the perception of asymmetric advantage derived by others.

If these observations are accurate, what—if anything—can be done about it?

Regarding the conflation of cyberattack and cyberexploitation in public discourse, there is no remedy except to insist that a user of the term "cyberattack" make clear what is included under the rubric of the term he or she is using. If the many foreign cyberexploitation efforts were not described as "cyberattack," the level of tension over cyberattack would be knocked down to a considerable degree.

The case for the current U.S. policy regarding eschewing the use of U.S. intelligence agencies for the benefit of private firms is largely based on the desire of the United States to uphold a robust legal regime for the protection of intellectual property and for a level playing field to enable competitors from different countries to make their best business cases on their merits. If this policy position is to be revised, it seems that two of the most prominent possibilities are that (1) intelligence gathering for economic purposes ceases for all nations, or (2) the United States uses its intelligence-gathering capabilities (including cyberexploitation) for economic purposes.
Under traditional international law, espionage—for whatever purpose—is not banned, and thus the first possibility suggests a need to revise the current international legal regime with respect to the propriety of state-sponsored economic espionage. The second possibility raises the prospect that current restraints on U.S. policy regarding intelligence collection for the benefit of private firms might be relaxed.

Both of these possibilities would be controversial, and the committee takes no stand on them, except to note some of the problems associated with each of them. The first—a change in the international legal regime to prohibit espionage—would require a consensus among the major nations of the world, and such a consensus is not likely. The second—a unilateral change in U.S. policy—does not require an international consensus, but has many other difficulties. For example, the U.S. government would have to decide which private firms should benefit from the government's activities, and even what entities should count as a "U.S. firm." U.S. government at the state and local level might well find that the prospect of U.S. intelligence agencies being used to help private firms would not sit well with foreign companies that they were trying to persuade to relocate
to the United States. And it might well undercut the basis on which the United States could object to other nations conducting such activities for the benefit of their own domestic industries and lead to a "Wild West" environment in which anything goes.

After all is said and done, it may turn out that the most desirable (least undesirable) option for the United States is to learn to live with the current asymmetry. But if that is indeed the case, it should reflect a deliberate and considered assessment of the pros and cons of various options that in the committee's view has not yet been engaged.

6.1.4 Operational Oversight

Operations translate employment policy into reality. In practice, the U.S. armed forces operate on a worldwide basis and have many ongoing operations at any given time. For example, they constantly gather intelligence and reconnaissance information. Some of those operations are sensitive, in that they might be seen as provocative or otherwise inappropriate. Thus, the U.S. government has established a variety of mechanisms intended to ensure that such operations are properly overseen. For example, the U.S. government sometimes specifies criteria in advance that define certain sensitive military missions, and then requires that all such missions be brought to the attention of senior decision makers (e.g., the National Security Council staff). In rare cases, a mission must be approved individually; more typically, generic authority is granted for a set of missions that might be carried out over a period of many months (for example). The findings and notification process for covert action is another mechanism for keeping the executive and legislative branches properly informed.
From time to time these mechanisms are unsuccessful in informing senior decision makers, and it is often because the individual ordering the execution of that mission did not believe that such an order required consultation with higher authority.

In a cyberattack context, oversight issues arise at two stages—at the actual launch of a cyberattack and in activities designed for intelligence preparation of the battlefield to support a cyberattack.

Launching a Cyberattack

Another important operational issue involves delegation of authority to launch a cyberattack as part of an active defense of U.S. computer systems and networks. As noted in Chapter 3, the U.S. Strategic Command has authority to conduct such attacks for active defense under a limited set of circumstances. But it is not known how far down the chain of command such authority has been delegated.
The most extreme form of delegation would call for an entirely automated active defense—and indeed the U.S. Air Force has issued a call for proposals to develop a "cyber control system" that "will enable active defense operations [involving] automated responses (based on predefined Rules of Engagement) . . . , in response to network intrusions/attacks."[13]

Automated responses are regarded as being militarily necessary when there is insufficient time for humans to make decisions about the nature of a response, and any given situation may present insufficient time because of the fleeting nature of the opportunity to strike back or because of the harm that rapidly accrues if the attack is not stopped (though consideration of other factors such as appropriate rules of engagement may prevent such weapons from being deployed in any given situation). Both of these factors could characterize certain kinds of cyberattacks on certain targets in the United States.

On the other hand, the risks of error or inadvertent escalation are generally regarded as greatest when humans are not in the decision-making loop. Despite periodic calls for the nuclear command and control system to be automated so as to ensure that retaliation would take place in the event of a Soviet nuclear attack, the United States has always relied on humans (the President and the National Command Authority) to make the ultimate decision to release U.S. strategic forces. (Even so, many have criticized these arrangements as pro forma, arguing that in practice they are not much better than an automated launch decision, because they give the NCA too little time to evaluate the information available about the alleged incoming attack.)
An assessment of the wisdom of an automated response to a cyberattack depends on several factors, including the likelihood that adequate and correct information will be available in a short period of time to develop an access path back to the attacker, the likely consequences of a cyberattack response, and the possible consequences of a misdirected or inappropriately launched counterattack. In the case of nuclear command and control, these factors—primarily the last—indicate that an automated response would be foolish and foolhardy.

[13] United Press International, "Air Force Seeks Automated Cyber-response," Jan. 2, 2008, at 4:55 p.m.

Conducting Intelligence Preparation of the Battlefield to Support a Cyberattack

In principle, conducting intelligence preparation of the battlefield (IPB) to support a cyberattack is not different from conducting other non-destructive cyberexploitation missions. For example, U.S. electronic
reconnaissance airplanes often fly missions near the border of another nation in order to "light up" that nation's air defense radars. By monitoring those radar emissions, they collect information on the waveforms and positions of a potential adversary's radar systems; such information could be useful in the event that an air strike might be launched against that nation.

On the other hand, that nation might well regard those reconnaissance flights as provocative. The airplane it is monitoring just outside its airspace could be armed, and the plane's presence there could indicate hostile intent. The essential problem is that the boundaries of its national airspace provide almost no time for its air defense forces to react should the airplane turn out to have immediate hostile intent. Even if it is known to be unarmed, it is most likely to be a reconnaissance airplane collecting information that could be useful in the event that an air strike was launched against that nation. If these reconnaissance flights were taking place during a period of peacetime tension with the United States, it is easy to see how they might further exacerbate those tensions.

Missions of this kind fall squarely into the category of those that must be reported to senior policy makers. The IPB mission for a destructive cyberattack falls into the same category. In order to gather the necessary intelligence, an adversary's network must be mapped to establish topology (which nodes are connected to which other nodes). Ports are "pinged" to determine what services are (perhaps inadvertently) left open to an outside intruder, physical access points are located and mapped, operating system and application vulnerabilities are identified, sympathizers with important access privileges are cultivated, and so on.

However, there are at least three important differences between IPB for cyberattack and other kinds of intelligence collection. First, a U.S.
government effort to conduct IPB for many kinds of cyberattack will be taking place against a background of other activities (e.g., probes and pings) that are not being conducted by the U.S. government. Second, network connectivity may be such that "limited" intelligence probes and other investigations of a potential adversary's networks will inadvertently reach very sensitive areas. Third, the dividing line between a tool intended to collect information on an adversary's systems and a weapon intended to destroy parts of those systems may be very unclear indeed.

The first factor above may reduce the sensitivity of the nation being probed—and indeed, the U.S. IPB effort is likely to be undertaken in a way that does not reveal its origin. But the second two factors may increase sensitivity, and possibly lead to entirely unanticipated reactions on the part of the adversary.
6.2 Legislative Branch

The legislative branch has two basic roles regarding government operations—budget and oversight. In addition, the Constitution gives the legislative branch the sole authority to declare war.

6.2.1 Warmaking Powers

Article I, Section 8 of the U.S. Constitution authorizes the Congress to "declare war" and gives Congress numerous powers over the military, including the powers to "raise and support armies," to "provide and maintain a navy," and to "make rules for the government and regulation of the land and naval forces." Article II, Section 2 gives the President the "executive power" and provides that he "shall be commander in chief of the Army and Navy of the United States."

At the time the Constitution was written, the primary purpose of national armed forces was to fight wars, and these provisions were intended to give Congress primary responsibility for the decision to initiate war, and to give the President the primary responsibility for the conduct of war.[14] Over time, as the international powers and responsibilities of the United States have grown, and as the standing U.S. armed forces have grown, the President has asserted more and more authority to initiate armed conflicts in the absence of authorization from Congress. Moreover, it has been argued that the notion of declaring war as a prelude to armed combat is simply irrelevant in the modern world.

Self-defense is the least controversial basis for the president to direct the armed forces to engage in combat.
Madison said at the Convention that the "declare war" clause left to the President the power to "repel sudden attacks" without congressional authorization.[15] The Supreme Court upheld Lincoln's authority to act against the confederacy in the absence of congressional authorization.[16] President Clinton invoked self-defense in justifying the 1993 cruise missile strikes on Iraq in response to the attempted assassination of President George H.W. Bush.[17]

[14] See, e.g., Abraham D. Sofaer, War, Foreign Affairs and Constitutional Power: The Origins, Ballinger Publishing, Cambridge, Mass., 1976.

[15] The Records of the Federal Convention of 1787, at 318 (1911), Max Farrand, ed., rev. edition, 1966.

[16] See Prize Cases, 67 U.S. 635 (1863) ("If a war be made by invasion of a foreign nation, the President is not only authorized but bound to resist force by force").

[17] See "Letter to Congressional Leaders on the Strike on Iraqi Intelligence Headquarters," Pub. Papers of William J. Clinton 940, 1993.

For some of the instances not involving self-defense in which U.S. armed forces have been deployed and used, presidents have sought and
received explicit congressional authorization, although they have always claimed that their authority as commanders-in-chief was sufficient to take such actions and that in essence seeking congressional authorization was a courtesy extended to the legislative body. But matters are more complicated and controversial when the President acts without invoking self-defense and also without congressional authorization. The President has acted in such a manner in many circumstances in U.S. history, most notably in Korea and Kosovo, but also in dozens of other smaller-scale conflicts. Presidents have asserted this authority, Congress often complains and opposes it, and the Supreme Court has not squarely addressed it.

To address such cases, Congress passed the War Powers Resolution (WPR) in 1973 (PL 93-148). Passed over then-President Nixon's veto, the WPR requires the President to report to Congress in 48 hours "in any case in which United States Armed Forces are introduced (1) into hostilities or into situations where imminent involvement in hostilities is clearly indicated by the circumstances; (2) into the territory, airspace or waters of a foreign nation, while equipped for combat, except for deployments which relate solely to supply, replacement, repair, or training of such forces; or (3) in numbers which substantially enlarge United States Armed Forces equipped for combat [who are] already located in a foreign nation," and requires the President to "terminate any such use of armed forces" within 60 days (subject to a one-time 30-day extension).

The tensions between the executive and legislative branches of government over war-making authority are palpable. Many analysts believe that the intent of the Founding Fathers was to grant the Congress a substantial decision-making role in the use of U.S.
armed forces, and if modern conflict has rendered obsolete the notion of a "declaration of war," mechanisms must still be found to ensure that Congress continues to play a meaningful role in this regard. Others acknowledge the obsolete nature of declarations of war, but conclude that executive branch authority can and should fill the resulting lacunae.

This report does not seek to resolve this controversy, but observes that notions of cyberconflict and cyberattack will inevitably cause more confusion and result in less clarity. Consider, for example, the meaning of the term "hostilities" in the War Powers Resolution. At the time the resolution was crafted, cyberattack was not a concept that had entered the vocabulary of most military analysts. In the context of the resolution, hostilities refer to U.S. land, air, and naval units engaging in combat. The resolution also refers to the foreign deployments of combat-equipped U.S. forces. To the extent that the War Powers Resolution was intended to be a reassertion of congressional authority in warmaking, it is very poorly suited to U.S. forces that engage in cyber combat or launch cyberattacks.
What conditions would define "hostilities" when military cyberattacks can be launched against adversary computers or networks? What counts as "deployments" of forces capable of cyberattack into foreign territory? It is thus an open question whether a cyberattack launched by the United States would constitute the introduction of armed forces in another country within the meaning of the resolution.

When it comes to sorting out normative and practical issues concerning congressional and presidential prerogatives, cyberwarfare poses issues even more difficult for interpreting the War Powers Resolution than the already-difficult issues associated with traditional kinetic conflict.

6.2.2 Budget

In the preceding section, the relative invisibility of cyberattack activities is mentioned as a problem for higher authority. Cyberattack capabilities are also not particularly visible to the legislative branch. In part, the veil of secrecy around cyberattack makes it more invisible than if the subject were not classified. But just as important is the fact that the funding for the development and deployment of cyberattack capabilities is both minuscule and deliberately obscured in unclassified budget justifications.
For example, in the FY 2008 DOD budget request, one request for the "demonstration of offensive cyber operations technologies allowing attack and exploitation of adversary information systems" by the Air Force is contained in a program element component of $8.012 million; the program element is entitled "Advanced Technology Development," and the component "Battlespace Information Exchange."[18] A second request for developing cyber operations technologies is contained in a program element of $11.85 million for FY 2008; this program element is entitled "Applied Research on Command, Control, and Communications."[19]

[18] See http://www.dtic.mil/descriptivesum/Y2008/AirForce/0603789F.pdf.

[19] In FY 2008, one component of this program element ("communications technology") called for activities to "initiate development of access techniques allowing 'cyber paths' to protected adversary information systems through a multiplicity of attack vectors; initiate development of stealth and persistence technologies enabling continued operation within the adversary information network; initiate programs to provide the capability to exfiltrate any and all types of information from compromised information systems enabling cyber intelligence gathering to achieve cyber awareness and understanding; initiate technology programs to deliver D5 (deny, degrade, destroy, disrupt, and deceive) effects to the adversary information systems enabling integrated and synchronized cyber and traditional kinetic operations." See http://www.dtic.mil/descriptivesum/Y2008/AirForce/0602702F.pdf.

A reasonable observation is that development and demonstration of cyberattack capabilities are distributed over multiple program elements,
each of which is relatively small in financial terms. Budget oversight is thus difficult to execute, even though it is intimately related to acquisition policy. In addition, the ability to increase certain attack capabilities "for free" (e.g., through the use of botnets and automated production functions) negates to a considerable extent the ability of the legislative branch to use budget totals for restraining or limiting U.S. military capabilities.

A low budget profile supports low visibility. Proponents of a given capability would prefer low visibility for programs supporting that capability, especially if the capability were controversial in nature. (Low visibility can also be achieved in other ways, such as by designating a program as "special access.")

6.2.3 Oversight (and Notification)

In addition to budgetary oversight, the legislative branch also provides operational oversight of government programs. For example, the executive branch is required by law (50 U.S.C. 413(a)(1)) to keep the congressional intelligence committees "fully and currently informed" of all U.S. intelligence activities, including any "significant anticipated intelligence activity."[20] Both intelligence gathering and covert action are included under this rubric, and thus cyberexploitation and covert action cyberattacks would have to be reported to these committees. These reporting requirements are subject to a number of exceptions pertaining to sensitivity and possible compromise of intelligence sources and methods, or to the execution of an operation under extraordinary circumstances.

Certain DOD operations have also been subject to a notification requirement.
Section 1208 of the FY 2005 Defense Authorization Act gave the secretary of defense the authority to expend up to $25 million in any fiscal year to "provide support to foreign forces, irregular forces, groups, or individuals engaged in supporting or facilitating ongoing military operations by United States special operations forces to combat terrorism." In the event that these funds were used, the secretary of defense was required to notify the congressional defense committees expeditiously and in writing, and in any event in not less than 48 hours, of the use of such authority with respect to that operation.

[20] A discussion of this requirement can be found in Alfred Cumming, Statutory Procedures Under Which Congress Is to Be Informed of U.S. Intelligence Activities, Including Covert Actions, Congressional Research Service memo, January 18, 2006, available at http://www.fas.org/sgp/crs/intel/m011806.pdf.

Yet another precedent for notification in support of oversight is the requirement for the attorney general to report annually to Congress and the Administrative Office of the United States Courts indicating the total
number of applications made for orders and extensions of orders approving electronic surveillance under the Foreign Intelligence Surveillance Act, and the total number of such orders and extensions either granted, modified, or denied.

To the best of the committee's knowledge, no information on the scope, nature, or frequency of cyberattacks conducted by the United States has been made regularly or systematically available to the U.S. Congress on either a classified or an unclassified basis.