Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Synopsis This synopsis is intended to provide the reader with a sense of what the report contains. However, it is necessarily incomplete, and it omits any mention of many significant topics contained in the main body of the report. UNDERSTANDING CYBERATTACK What Is Cyberattack? Cyberattack refers to deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks. The U.S. armed forces are actively preparing to engage in cyberattacks, per- haps in concert with other information warfare means and/or with kinetic attacks, and may have done so in the past. Domestic law enforcement agencies also engage in cyberattack when they jam cell phone networks in order to prevent the detonation of improvised explosive devices. Such matters pose some very important issues that relate to technol- ogy, policy, law, and ethics. This report provides an intellectual framework for thinking about cyberattack and understanding these issues. A first point is that cyberattack must be clearly distinguished from cyberexploitation, which is an intelligence-gathering activity rather than a destructive activity. Although much of the technology underlying cyberexploitation is similar to that of cyberattack, cyberattack and cyber­  

 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES exploitation are conducted for entirely different purposes. (This contrast is relevant to much of the public debate using the term “cyberattack,” which in common usage often lumps both attack and exploitation under the “attack” label.) Second, weapons for cyberattack have a number of characteristics that differentiate them from traditional kinetic weapons. Compared to kinetic weapons, many weapons for cyberattack: • Are easy to use with high degrees of anonymity and with plausible deniability, making them well suited for covert operations and for insti- gating conflict between other parties; • Are more uncertain in the outcomes they produce, making it dif- ficult to estimate deliberate and collateral damage; and • Involve a much larger range of options and possible outcomes, and may operate on time scales ranging from tenths of a second to years, and at spatial scales anywhere from “concentrated in a facility next door” to globally dispersed. Third, cyberattack as a mode of conflict raises many operational issues. For example, given that any large nation experiences cyberattacks continuously, how will the United States know it is the subject of a cyber- attack deliberately launched by an adversary government? There is also a further tension between a policy need for rapid response and the techni- cal reality that attribution is a time-consuming task. Shortening the time for investigation may well increase the likelihood of errors being made in a response (e.g., responding against the wrong machine or launching a response that has large unintended effects). Illustrative Applications of Cyberattack Cyberattack can support military operations. For example, a cyberat- tack could disrupt adversary command, control, and communications; suppress air defenses; degrade smart munitions and platforms; or attack warfighting or warmaking infrastructure (the defense industrial base). Cyberattack might be used to augment or to enable some other kinetic attack to succeed, or to defend a friendly computer system or network by neutralizing the source of a cyberattack conducted against it. Cyberattack can also support covert action, which is designed to influence governments, events, organizations, or persons in support of foreign policy in a manner that is not necessarily attributable to the U.S. government. The range of possible cyberattack options is very large, and so cyberattack-based covert action might be used, for example, to 

SYNOPSIS  influence an election, instigate conflict between political factions, harass disfavored leaders or entities, or divert money. Illustrative Applications of Cyberexploitation For intelligence gathering, cyberexploitation of an adversary’s com- puter systems might yield valuable information. For example, U.S. intel- ligence agencies might learn useful information about an adversary’s intentions and capabilities from a penetration of its classified government networks. Alternatively, they might obtain useful economic information from penetrating the computer systems of a competing nation’s major industrial firms. The Legal Framework Governing Cyberattack In the committee’s view, the essential framework for the legal analy- sis of cyberattack is based on the principle that notions related to “use of force” and “armed attack” (terms of special relevance to the Charter of the United Nations) should be judged primarily by the effects of an action rather than its modality. That is, the fact that an attack is carried out through the use of cyberweapons rather than kinetic weapons is far less significant than the effects that result from such use, where “effects” are understood to include both direct and indirect effects. Furthermore, the committee believes that the principles of the law of armed conflict (LOAC) and the Charter of the United Nations—including both law governing the legality of going to war (jus ad bellum) and law governing behavior during war (jus in bello)—do apply to cyberattack, although new analytical work may be needed to understand how these principles do or should apply to cyberweapons. That is, some types of cyberattack are difficult to analyze within the traditional LOAC structure. Among the more problematic cases are the following: • The presumption of nation-to-nation conflict between national military forces, • The exception for espionage, and • The emphasis on notions of territorial integrity. The Dynamics of Cyberconflict The escalatory dynamics of armed conflict are thought to be under- stood as the result of many years of thinking about the subject, but the dynamics of cyberconflict are poorly understood. This report speculates on some of the factors that might influence the evolution of a cyberconflict. 

 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES For major nation-states with significant capabilities for kinetic attack and cyberattack at their disposal, among the important issues regarding the dynamics of cyberconflict are the following: • Crisis stability (preventing a serious cyberconflict from breaking out), • Preventing a cyberconflict from escalating to physical space, and • Knowing when a cyberconflict has been terminated. Matters can be further complicated by the presence of non-state actors, such as cyberterrorists, patriotic hackers, and criminal groups. Perhaps the most important complication relates to identification of the appropriate party against which action might be taken and the related availability of cyber and/or kinetic targets whose destruction might cause pain or meaningful damage to the terrorist or criminal group. FINDINGS Cyberattack is an important capability for the United States to main- tain, but at the same time the acquisition and use of such capabilities raise many questions and issues, as described below. Overarching Findings   1. The policy and organizational issues raised by U.S. acquisition and use of cyberattack are significant across a broad range of conflict scenarios, from small skirmishes with minor actors on the international stage to all-out conflicts with adversaries capable of employing weapons of mass destruction.   2. The availability of cyberattack technologies for national purposes greatly expands the range of options available to U.S. policy makers as well as to policy makers of other nations.   3. Today’s policy and legal framework for guiding and regulat- ing the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain.   4. Secrecy has impeded widespread understanding and debate about the nature and implications of U.S. cyberattack.   5. The consequences of a cyberattack may be both direct and indi- rect, and in some cases of interest, the indirect consequences of a cyberat- tack can far outweigh the direct consequences. 

SYNOPSIS  Legal and Ethical Findings   6. The conceptual framework that underpins the UN Charter on the use of force and armed attack and today’s law of armed conflict provides a reasonable starting point for an international legal regime to govern cyberattack. However, those legal constructs fail to account for non-state actors and for the technical characteristics of some cyberattacks.   7. In today’s security environment, private parties have few useful alternatives for responding to a severe cyberattack that arrives over a network such as the Internet.   8. Cyberattack poses challenges to existing ethical and human rights regimes. Policy Findings   9. Enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States. 10. The United States has much to lose from unrestrained cyberattack capabilities that are proliferated worldwide. 11. Deterrence of cyberattacks by the threat of in-kind response has limited applicability. 12. Options for responding to cyberattacks on the United States span a broad range and include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks. Technical and Operational Findings 13. For many kinds of information technology infrastructure targets, the ease of cyberattack is increasing rather than decreasing. 14. Although the actual cyberattack capabilities of the United States are highly classified, they are at least as powerful as those demonstrated by the most sophisticated cyberattacks perpetrated by cybercriminals and are likely more powerful. 15. As is true for air, sea, land, and space operations, the defensive or offensive intent motivating cyber operations in any given instance may be difficult to infer. 16. Certain cyberattacks undertaken by the United States are likely to have significant operational implications for the U.S. private sector. 17. If and when the United States decides to launch a cyberattack, significant coordination among allied nations and a wide range of public and private entities may be necessary, depending on the scope and nature of the cyberattack in question. 

 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES 18. The outcomes of many kinds of cyberattack are likely to be more uncertain than outcomes for other kinds of attack. 19. Early use of cyberattack may be easy to contemplate in a pre-con- flict situation, and so a greater degree of operational oversight for cyberat- tack may be needed compared to that for the use of other options. 20. Developing appropriate rules of engagement for the use of cyber- weapons is very difficult. Organizational Findings 21. Both the decision-making apparatus for cyberattack and the over- sight mechanisms for that apparatus are inadequate today. 22. The U.S. Congress has a substantial role to play in authorizing the use of military force, but the contours of that authority and the circum- stances under which authorization is necessary are at least as uncertain for cyberattack as for the use of other weapons. RECOMMENDATIONS Fostering a National Debate on Cyberattack   1. The United States should establish a public national policy regard- ing cyberattack for all sectors of government, including but not necessar- ily limited to the Departments of Defense, State, Homeland Security, Treasury, and Commerce; the intelligence community; and law enforce- ment. The senior leadership of these organizations should be involved in formulating this national policy.   2. The U.S. government should conduct a broad, unclassified national debate and discussion about cyberattack policy, ensuring that all parties—particularly Congress, the professional military, and the intel- ligence agencies—are involved in discussions and are familiar with the issues.   3. The U.S. government should work to find common ground with other nations regarding cyberattack. Such common ground should include better mutual understanding regarding various national views of cyberattack, as well as measures to promote transparency and confidence building. 

SYNOPSIS  Organizing the Decision-Making Apparatus of the U.S. Government for Cyberattack   4. The U.S. government should have a clear, transparent, and inclu- sive decision-making structure in place to decide how, when, and why a cyberattack will be conducted.   5. The U.S. government should provide a periodic accounting of cyberattacks undertaken by the U.S. armed forces, federal law enforce- ment agencies, intelligence agencies, and any other agencies with authori- ties to conduct such attacks in sufficient detail to provide decision makers with a more comprehensive understanding of these activities. Such a peri- odic accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees. Supporting Cyberattack Capabilities and Policy   6. U.S. policy makers should judge the policy, legal, and ethical sig- nificance of launching a cyberattack largely on the basis of both its likely direct effects and its indirect effects.   7. U.S. policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict.   8. The United States should maintain and acquire effective cyberat- tack capabilities. Advances in capabilities should be continually factored into policy development, and a comprehensive budget accounting for research, development, testing, and evaluation relevant to cyberattack should be available to appropriate decision makers in the executive and legislative branches.   9. The U.S. government should ensure that there are sufficient levels of personnel trained in all dimensions of cyberattack, and that the senior leaders of government have more than a nodding acquaintance with such issues. 10. The U.S. government should consider the establishment of a g ­ overnment-based institutional structure through which selected pri- vate sector entities can seek immediate relief if they are the victims of cyberattack. Developing New Knowledge and Insight into a New Domain of Conflict 11. The U.S. government should conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyberconflict. 

 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES 12. Foundations and government research funders should support academic and think-tank inquiry into cyberconflict, just as they have sup- ported similar work on issues related to nuclear, biological, and chemical weapons.