Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
1 Overview, Findings, and Recommendations 1.1â What Is Cyberattack and Why Is It Important? It is now broadly accepted that nations are becoming ever more dependent on information and information technology. Companies and organizations rely on computers for diverse business processes ranging from payroll and accounting, to the tracking of inventory and sales, to support for research and development (R&D). Food, water, and energy distribution rely on computers and networks at every stage, as do trans- portation, health care, and financial services. The same dependence also increasingly applies to the military. Mod- ern military forces use weapons that are computer-controlled. Even more importantly, the movements and actions of military forces are increasingly coordinated through computer-based networks that allow information and common pictures of the battlefield to be shared. Logistics are entirely dependent on computer-based scheduling and optimization. Even terrorists rely on information technology. Although the weapons of terrorists are generally low-tech, their use of the Internet and informa- tion technology for recruitment, training, and communications is often highly sophisticated. Given the importance of information technology to many societal functions, it is not surprising that there has been much public debate about cybersecurity (i.e., protection of information technology systems and networks and the programs and information within them from hos- tile actions) and about how the United States might improve its cyberse- curity posture in the face of hostile actions perpetrated by an adversary,
10 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES such as a terrorist group, criminals, or another nation. Although in many other domains, security has always had both defensive and attack com- ponents, cybersecurity has been somewhat anomalous, in the sense that its purely defensive side has been the primary focus of attention over the years. But, in fact, it is possible to imagine that cyberattacks might be used to support cyber defensive objectives. It is further possible to imagine that cyberattack would naturally be part of a robust U.S. military posture. The possibility that the United States might choose to engage in cyberattacks to serve its own national interests is, however, rarely dis- cussed in public. For the record, the U.S. government has acknowledged that it has an interest in such capabilities as a possible instrument of national policy, but this is virtually all that it acknowledges publicly. At least one press report has indicated the existence of a still-classified National Security Presidential Directive, NSPD 16, issued in July 2002, that reportedly ordered the U.S. government to develop national-level guidance for determining when and how the United States would launch cyberattacks against enemy computer networks. The National Strategy to Secure Cyberspace, published in February 2003, is entirely silent about an offensive component to U.S. cybersecurity efforts. In practice, hostile actions against a computer system or network can take two forms. One form is destructive in natureâthe action is taken to harm the system or network and render it less functional or useful than before the action was taken. An example of such a hostile action is era- sure by a computer virus of the hard disk of any computer that it infects. The second form is non-destructiveâthe action is taken to extract from a system or network information that would otherwise be kept confi- dential. Actions of this second form are usually clandestine, conducted with the smallest possible interventions that still allow extraction of the information sought. Such an action is exemplified by a computer virus that searches the hard disk of any infected computer and e-mails to the hostile party all files containing a credit card number. Collectively, both forms of hostile action are termed âcyber offensive operations,â or simply, âcyber offense.â In this report, because the distinc- tion between them is often important, the two forms of hostile action are given individual designators and somewhat expanded definitions: â¢ Cyberattack refers to the use of deliberate actionsâperhaps over an extended period of timeâto alter, disrupt, deceive, degrade, or destroy An Assessment of International Legal Issues in Information Operations, 2nd edition, De- partment of Defense, Office of General Counsel, November 1999. Bradley Graham, âBush Orders Guidelines for Cyber-Warfare,â Washington Post, February 7, 2003, p. A01. See http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 11 adversary computer systems or networks or the information and/or pro- grams resident in or transiting these systems or networks. Such effects on adversary systems and networks may also have indirect effects on enti- ties coupled to or reliant on them. A cyberattack seeks to cause adversary computer systems and networks to be unavailable or untrustworthy and therefore less useful to the adversary. Furthermore, because so many dif- ferent kinds of cyberattack are possible, the term âcyberattackâ should be understood as a statement about a methodology for actionâand that aloneârather than as a statement about the scale of the actionâs effect. â¢ Cyberexploitation refers to the use of cyber offensive actionsâper- haps over an extended period of timeâto support the goals and mis- sions of the party conducting the exploitation, usually for the purpose of obtaining information resident on or transiting through an adversaryâs computer systems or networks. Cyberexploitations do not seek to disturb the normal functioning of a computer system or network from the userâs point of viewâindeed, the best cyberexploitation is one that such a user never notices. Box 1.1 summarizes important distinctions between cyberattacks and cyberexploitations. The committee recognizes that analysts and commen- tators have used a variety of different terms that are closely related to what this report calls cyberattack (Box 1.2). For purposes of this report, cyberattacks do not include kinetic actions taken against computers or networks using cruise missiles, sledgeham- mers, or satchel charges. But in practice, the destruction of or damage to an adversary computer or network could be accomplished by kinetic as well as cyber actions. Thus, as acknowledged by the Department of Defense, a planner contemplating the destruction of an adversary com- puter or network should think about both cyberattack and kinetic attack options. This report also does not consider the use of electromagnetic pulse (EMP) attacks. EMP attacks typically refer to non-selective attacks on electronics and electrical components on a large scale, although a tac- tical EMP weapon intended to selectively target such components on a small scale is possible to imagine. An adversary computer or network may not necessarily be owned and operated by the adversaryâit may simply support or be used by the adversary. âDoD will conduct kinetic missions to preserve freedom of action and strategic advantage in cyberspace. Kinetic actions can be either offensive or defensive and used in conjunction with other mission areas to achieve optimal military effects.â See Department of Defense, National Military Strategy for Cyberspace Operations, 2006, available at www.dod. mil/pubs/foi/ojcs/07-F-2105doc1.pdf. For a comprehensive description of the threat from EMP attacks, see Report of the Com- mission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, avail- able at http://www.globalsecurity.org/wmd/library/congress/2004_r/04-07-22emp.pdf.
12 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 1.1â Cyberattack Versus Cyberexploitation ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ Cyberexploitation, intelligence, Cyberattack, attack, ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ exploitation, computer network Terms1 computer network attack ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ exploitation Approach and Degrade, disrupt, deny, Conduct smallest intervention intent destroy attacked consistent with desired infrastructure and operations systems/networks Primary relevant U.S. Code Title 10 U.S. Code Title 50 authorities domestic law authorities and and restrictions restrictions2 Operational agency U.S. Strategic National Security Agency Command, Joint Functional Combatant Command for Network Warfare Main advocate U.S. Air Force Director of National in the U.S. Intelligence government to date Interactions with Based on explicit Based on intelligence reporting tactical military inclusion in battle plans operations Characterization Warfighters Intelligence community of personnel 1 Discussion of these terms and concepts can be found in Chapters 2, 3, and 4. 2 Covert action involving cyberattack would fall under Title 50 authorities. 1.2â Focus of and Motivation for This Report This report of the Committee on Offensive Information Warfare focuses primarily on the policy consequences and legal and ethical implications of U.S. acquisition and use of cyberattack, and secondarily (and only when necessary) on cyberexploitation. There are two reasons that a report on cyberattack necessarily touches on cyberexploitation. First, cyberattack and cyberexploitation are closely related from a technical point of view.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 13 Second, because of such similarities a nation that is the target of a cyberex- ploitation might misinterpret it as being a cyberattackâa possibility that U.S. policy makers must take into account in deciding whether to conduct a cyberexploitation. Nevertheless, the policy and operational dimensions of cyberattack and cyberexploitation are quite different, and this report distinguishes between these two. Cyberattack has a variety of military applications (discussed in Chapter 3) and may be useful for covert action (discussed in Chapter 4). In addition, cyberattack is conceivably a tool that law enforcement agencies or even the private sector might wish to use under some circumstances (discussed in Chapter 5). As suggested in the previous section, cyberattack sometimes arises in the context of defending U.S. computer systems and networks. Passive defensive measures such as hardening systems against attack, facilitat- ing recovery in the event of a successful attack, making security more usable and ubiquitous, and educating users to behave properly in a threat environment are important elements of a strong defensive posture. Nev- ertheless, for the defense to be successful, these measures must succeed every time the adversary attacks. The adversaryâs attack need succeed only once, and an adversary that pays no penalty for failed attacks can continue attacking until he or she succeeds or chooses to stop. This places a heavy and asymmetric burden on a defensive posture that employs only passive defense. If passive defense is insufficient to ensure security, what other approaches might help to strengthen oneâs defensive posture? One possi- bility is to eliminate or degrade an adversaryâs ability to successfully pros- ecute an attack. In that case, the attack is ultimately less successful than it might otherwise have been because the defender has been able to neutral- ize the attack in progress (or perhaps even before it was launched). A second possibility is to impose other costs on the adversary, and such a strategy is based on two premises. First, the imposition of these costs on an attacker reduces the attackerâs willingness and/or ability to initiate or to continue an attack. Second, knowledge that an attack is The broad topic of steps that might be taken to improve passive cyberdefenses and to enhance resilience of U.S. computer systems and networks is not part of this report. There are many important technology and policy issues in the domain of cyberdefense, but many other works have addressed these issues. For a sampling of relevant National Research Council reports on this topic, see Footnotes 1 and 2 in the Preface to this report. Other important reports include Presidentâs Information Technology Advisory Committee, Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Tech- nology Research and Development, Washington, D.C., February 2005; and Commission on CyberÂsecurity for the 44th Presidency, Securing Cyberspace for the 44th Presidency, Center for Strategic and International Studies, Washington, D.C., 2008.
14 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 1.2â Terminology Related to Cyberattack1 A wide variety of terms in the literature have definitions that overlap with the definitions used in this report. (It is perhaps emblematic of the state of discussion today that there is no standard and widely accepted term that denotes attacks on computer systems and networks.) For example: â¢ The term âinformation operationsâ was used by the Joint Chiefs of Staff in 1998 to denote âactions taken to affect adversary information and information systems while defending oneâs own information and information systems.â Infor- mation operations were characterized as offensive or defensive, where âoffensive information operationsâ were conducted to affect adversary decision makers and achieve or promote specific objectives. The JCS used the term âinformation war- fareâ to refer to information operations conducted during time of crisis or conflict (including war) to achieve or promote specific objectives over a specific adversary or adversaries.2 â¢ The term ânetwork attackâ is used by the U.S. Air Force Materiel Com- mandâs Electronic Systems Center to refer to âthe employment of network based capabilities to destroy, disrupt, corrupt, or usurp information resident in or transiting through networks.â3 â¢ The term âoffensive information warfareâ was used by Dorothy Denning to describe an operation that âtargets or exploits a particular information resource with the objective of increasing its value to the offensive player and decreasing its value to the defensive player.â4 â¢ The term âinformation warfareâ has been used often, but with a variety of meanings.5 For example, the term is used by the Center for Strategic and Inter- national Studies to denote data attack, such as propaganda, disinformation, data overload, and spam; software attack using computer viruses, Trojan horses, or trapdoors; hacking, i.e., penetration, unauthorized use, and/or snooping in other computer systems; and physical kinetic or directed energy attacks against informa- tion systems.6 By contrast, Ryan and Ryan define information warfare as âthe appli- cation of destructive force on a large scale against information assets and systems, against computers and networks which support the air traffic control systems, stock transactions, financial records, currency exchanges, Internet communications, telephone switching, credit record, credit card transactions, the space program, the railroad system, the hospital systems that monitor patients and dispense drugs, manufacturing process control systems, newspaper and publishing, the insurance industry, power distribution and utilities, all of which rely heavily on computers.â7 Ryan and Ryan also note that âInformation warfare is, first and foremost, warfare. It is not information terrorism, computer crime, hacking or commercial or state sponsored espionage using networks for access to desirable information.â â¢ The term âinformation attackâ is used by Davis Brown, a former deputy judge advocate for the U.S. Defense Information Systems Agency, to focus on information or information systems as the object, means, or medium of attack.8
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 15 â¢ The terms âoffensive cyber operationsâ and âoffensive cyberspace opera- tionsâ are sometimes heard in discussions with military officials and are appar- ently used to denote one or more actions, perhaps taken over a period of time, to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.9 Offensive cyber or cyber- space operations apparently extend beyond computer network attack (for example, they include computer network exploitation) and recognize the possibility that an extended offensive campaign might be waged in cyberspace involving multiple cyberattacks. â¢ The term âcomputer network attackâ was adopted by the Joint Chiefs of Staff in 2006 to refer to âactions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.â10 In 2006, the Joint Chiefs of Staff also eliminated the term âinformation warfareâ and the distinction between âoffensiveâ and âdefensiveâ information operations. After considering the plethora of terms used in this domain, the committee settled on âcyberattackâ as the term best describing the primary focus of this report. 1 This description of the various terms is derived in part from Davis Brown, âA Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict,â Harvard International Law Journal, 47(1):179-221, Winter 2006. 2 Joint Chiefs of Staff, Joint Publication No. 3-13, Joint Doctrine for Information Operations, Oct. 9, 1998. 3 See Broad Agency Announcement (BAA ESC 07-0001) on Network Warfare Operations Capabilities (NWOC): Technology Concept Demonstrations, May 31, 2007. 4 Dorothy E. Denning, Information Warfare and Security, Addison-Wesley Longman Ltd., Essex, UK, 1999. 5 For a review of such definitions, see Chapter 1 of Gregory Rattray, Strategic Warfare in Cyberspace, MIT Press, Cambridge, Mass., 2001. 6 Cybercrime Cyberterrorism Cyberwarfare: Averting an Electronic Waterloo, Center for Strategic and International Studies, 1998. 7 Daniel and Julie Ryan, âProtecting the NII against Infowar,â in Winn Schwartau, Information Warfare, Thunderâs Mouth Press, 1996. 8 Davis Brown, âA Proposal for an International Convention to Regulate the Use of Informa- tion Systems in Armed Conflict,â Harvard International Law Journal 47(1):179-221, Winter 2006. 9 For example, the U.S. Air Force Cyber Command writes that âCyberspace favors offensive operations. These operations will deny, degrade, disrupt, destroy, or deceive an adversary. Cyberspace offensive operations ensure friendly freedom of action in cyberspace while deny- ing that same freedom to our adversaries. . . . As an adversary becomes more dependent on cyberspace, cyberspace offensive operations have the potential to produce greater effects.â See Air Force Cyber Command Strategic Vision, undated document (probably 3 March 2008), available at http://www.afcyber.af.mil/shared/media/document/AFD-080303-054.pdf. 10 Joint Chiefs of Staff, Joint Publication No. 3-13, Joint Doctrine for Information Operations, February 13, 2006.
16 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES costly to an attacker deters other parties from attempting to attackâand advance knowledge of such a possibility may deter the original adversary from attacking in the first place. There are in general many options for imposing costs on an adversary, including economic penalties such as sanctions, diplomatic penalties such as breaking of diplomatic relations, and even kinetic military actions such as cruise missile strikes. In-kind military actionâa counter-cyberattackâis also a possibility. Both of these possible actionsâneutralization of an attackerâs ability to attack and the imposition of costs on the attacker for the attackâare often captured under the rubric of active defense. But actions taken in the name of active defense might well be seen as offensive acts. Consider the act of Zendia probing a computer system or network belonging to Ruritania to gather information about it (what ports are open, what services are protected or available for use, the IP addresses of various machines on it, what operating systems are in use, and so on). If Zendia has already been the target of a cyberattack launched from Ruritania, Zendia may plausibly regard its probes of computer systems in Ruritania as part of a defensive reaction to the attackâgathering infor- mation about the systems involved in an attack may be important for characterizing its scale and intent. But Ruritania may regard such a probe as a hostile action by Zendia against it, because such probes can be used to develop information useful in a cyberattack. The inadequacy of passive defense suggests that the national debate over cybersecurity necessarily includes a consideration of attack options for defensive purposes. Furthermore, once an attack capability is required to conduct active cyberdefense, and once a nation has the capability for active defense, it is also possible for that nation to use an attack capability for other, non-defensive purposes. Attack capabilities may under some circumstances also contribute to deterrenceâa relationship that is expli- cated in more detail in Chapter 9. Given the possibility that cyberattack capabilities might be useful to the U.S. government for many purposes (including active defense), a host of policy issues arise that do not arise if passive defense is the only defen- sive option under consideration. Box 1.3 provides an analogy to describe how policy issues inevitably emerge from any government consideration of offensive options. Note to the reader: When the name of a nation is needed in this report, the names âZendiaâ and âRuritaniaâ are used as stand-ins. Depending on context, these nations may be a near-peer nation-state with military and economic stature and power comparable to that of the United States; a small, relatively undeveloped nation; or something in between. Generally in this report, Zendia is an adversary of the United States.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 17 BOX 1.3â Policy Issues That Flow from Government Use of Guns In order for society to defend itself against armed criminals, one policy choice would be to focus on passive defense against gunsâbulletproof vests might be distributed to the populace. Criminals might then invest in more powerful guns that could shoot through bulletproof vests. In response, the government might then sup- port research into techniques for developing stronger, more difficult-to-penetrate armor or initiate programs to provide bulletproof vests to more citizens more quickly and educate them about how to use bulletproof vests properly. Such policy responses are much simpler than those arising from a situation in which police are themselves armed. Governments that arm police officers must be concerned about: â¢ Training. Police officers must have a level of training and expertise in the use of firearms adequate for most situations they will encounter in their day-to-day work. â¢ Rules of engagement. Police officers must follow pre-established rules of engagement that provide guidance on when the use of firearms is and is not appropriate. â¢ Command and control. Police officers are subject to a chain of command that can grant or withhold permission to discharge firearms. â¢ Identification friend-or-foe (IFF), the process by which police officers de- termine who or what counts as a legitimate target for their weapons. Because undercover police and criminals often choose to look like ordinary citizens (as a rule, they do not wear distinguishing uniforms), police must exercise great care in determining their targets. â¢ Liability. Police (individual officers and the department itself) may be found liable for civil damages or even subject to criminal penalties if a shooting takes place improperly, and especially if someone is injured or killed by such a shooting. Note that the fact of police officers carrying guns serves a defensive pur- poseâprotecting the citizenryâeven though guns themselves are arguably an offensive weapons technology, i.e., a weapons technology that is designed to inflict harm or damage to a target. The committee makes this gun-related analogy not to address any particular policy issue related to private or criminal or even police usage of guns, but to point out that policy and legal issues inevitably flow from the use of offensive weapons by âgood guys.â 1.3â Cyberattack in the Context of an Information Strategy for the United States U.S. military forces have made great progress in developing and implementing plans for joint integrated operations in the conventional
18 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES military sphere, but in the information domain, U.S. doctrine and approaches have left many niches and gaps for adversaries to exploit. The lack of an integrated approach to the information domain has meant that the United States lacks timeliness and synergy in its planning and operations. An integrated approach would spread information and ideas that support U.S. interests and would degrade and disrupt information and ideas abroad that are adverse to U.S. interests (e.g., websites for ter- rorist recruiting). Cyberattack is only one dimension of information operations. In prac- tice, many cyberattacks are likely to take place within a large, diverse, and organically interconnected domain in which deception, espionage, covert influence, diversion, interception and disruption of communications, and other information operations will also take place (as discussed in Box 3.3 in Chapter 3). All of these operations can be used in an intertwined and integrated fashion. Espionage can be a precursor to a denial-of-service attack, while denial of service can be used to facilitate espionage by forc- ing oneâs adversary to use an insecure mode of communication. And information operations are themselves only one aspect of what might be called an information strategy for pursuing U.S. strategic and security interests. Advocates of such an information strategy argue that the nature of warfare and conflict is changing, and that information will be central to national security affairs in the future. This argument is based in part on the idea that adversariesâunable to compete with the United States in tradi- tional military domainsâwill seek to exploit U.S. weaknesses asymmetri- cally, and that the information domain is one of the most important. Information is central for two reasons. First, modern societies are based largely on the effective use of large amounts of informationâa fact reflected in the increasing ubiquity of and dependence on information technology throughout these societies. Second, the âhearts and mindsâ of much of the worldâs population will be won or lost through the influ- ence gained by appropriately targeted ideas and information. The first point suggests that the information assets (and supporting technologies) of modern societies are a possible point of leverage for adversaries that are less dependent on information. The second point suggests that a pre- dominantly military approach to national security is too narrow, and that the United States would be well served by a much broader strategy that puts hearts, minds, and ideas at its center. In this view, the United States must integrate strategic/tactical influ- ence and messaging and perception management with a broad spectrum of capabilities for information attack and defense. At the highest level of strategic perspective, the goal of information attack is to get into the mind of the adversary and influence its decision making at critical times and
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 19 at all levels. This would include making adversaries question their plans, direction, capabilities, actions, likelihood of success, control, and whether generally they trust their information and knowledge base. At the tacti- cal and operational level, information attack entails destroying, denying, degrading, disrupting, influencing, and corrupting an adversaryâs ability to see, know, understand, decide, and take action. The goal of informa- tion defense is to protect our ability to see, know, understand, decide, and take action. A coordinated information strategy would integrate a variety of dis- ciplines and specialties, most of which are not integrated today. These include strategic communications, influence, and messaging; pub- lic diplomacy; perception management; computer network operations (attack, defense, and exploitation); space control; electronic reconnais- sance/warfare; psychological operations; strategic and departmental deception; propaganda, information assurance and infrastructure protec- tion, and counter denial and deception; public affairs; counterintelligence; HUMINT (human intelligence) and OSINT (open source intelligence) activities; imagery and mapping operations; data and information min- ing; and special operations forces. 1.4â Important Characteristics of Cyberattack and Cyberexploitation As noted above, cyberattack refers to actionsâperhaps taken over an extended period of timeâto alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or pro- grams resident in or transiting these systems or networks. Several char- acteristics of weapons for cyberattack are worthy of note. â¢ The indirect effects of weapons for cyberattack are almost always more consequential than the direct effects of the attack. (Direct or immediate effects are effects on the computer system or network attacked. Indirect or fol- low-on effectsâwhich may be the primary purpose of a cyberattackâare effects on the systems and/or devices that the attacked computer system or network controls or interacts with, or on the people who use or rely on the attacked computer system or network.) That is, the computer or network attacked is much less relevant than the systems controlled by the targeted computer or network (e.g., a cyberattack that affects a computer controlling an electric power generator will also, and more importantly, affect the generator itself) or the decision making that depends on the information contained in or processed by the targeted computer or net- work, and indeed the indirect effect is often the primary purpose of the attack. Thus, the scale of damage of any given cyberattack can range from
20 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES the trivial to the enormous, depending on the systems and/or information connected to or associated with the target. â¢ The outcomes of a cyberattack are often highly uncertain. Minute details of configuration can affect the outcome of a cyberattack, and cascading effects often cannot be reliably predicted. One consequence can be that collateral damage and damage assessment of a cyberattack may be very difficult to estimate. â¢ Cyberattacks are often very complex to plan and execute. Cyberattacks can involve a much larger range of options than most traditional military operations, and because they are fundamentally about an attackâs sec- ondary and tertiary effects, there are many more possible outcome paths whose analysis often requires highly specialized knowledge. The time scales on which cyberattacks operate can range from tenths of a second to years, and the spatial scales may be anywhere from âconcentrated in a facility next doorâ to globally dispersed. â¢ Compared to traditional military operations, cyberattacks are relatively inexpensive. The underlying technology for carrying out many types of cyberattacks is widely available, inexpensive, and easy to obtain. An attacker can compromise computers belonging to otherwise uninvolved parties to take part in an attack activity; use automation to increase the amount of damage that can be done per person attacking, increase the speed at which the damage is done, and decrease the required knowledge and skill level of the operator of the system; and even steal the financial assets of an adversary to use for its own ends. On the other hand, some cyberattack weapons are usable only once or a few times. â¢ The identity of the originating party behind a significant cyberattack can be concealed with relative ease, compared to that of a significant kinetic attack. Cyberattacks are very difficult to attribute to any particular actor and are thus easy to conduct with plausible deniabilityâindeed, most cyberat- tacks are inherently deniable. Cyberattacks are thus also well suited for being instruments of catalytic conflictâinstigating conflict between two other parties. Many of the operational considerations for cyberexploitation are simi- lar to those for cyberattack. Like cyberattack, a successful cyberexploita- tion requires a vulnerability, access to that vulnerability, and a payload to be executedâthe only difference is in the payload to be executed. These similarities often mean that a targeted party may not be able to distinguish easily between a cyberexploitation and a cyberattackâa fact that may result in that partyâs making incorrect or misinformed deci- sions. The primary technical requirement of a cyberexploitation is that the delivery and execution of its payload be accomplished quietly and undetectably. Secrecy is often far less important when cyberattack is the
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 21 mission, because in many cases the effects of the attack will be immedi- ately apparent to the target. 1.5â Illustrative Applications of Cyberattack Cyberattack can be used to support many traditional military opera- tions, such as the disruption of adversary command, control, and commu- nications; suppression of adversary air defenses; degradation of adversary smart munitions and platforms; and attack of adversary warfighting or warmaking infrastructure (the adversary defense industrial base). Cyber- attack might be used to augment a kinetic attack or to enable it to succeed, or to defend a friendly computer system or network by neutralizing the source of a cyberattack conducted against it. Cyberattack could also be used to achieve military deception. For example, by assuming control of a computer used by a senior intelligence analyst, a cyberattack could send bogus e-mail traffic to that analystâs clients. The contents of these e-mails could easily provide misinformation regarding the military capabilities, intentions, locations, and operations of friendly forces. From a strictly technical perspective, cyberattack has several attri- butes that are well suited for the shadowy world of intelligence. For example, as noted above, attribution of a cyberattack is usually quite difficult. The effects of a cyberattack may not become visible to the vic- tim for long periods of time, if ever. And the range of possible options is very large, so that cyberattack-based operations might be set in motion to influence an election, instigate conflict between political factions, harass disfavored leaders or entities, or divert money. Such operations can fall into the category of covert action, which by law is defined as political, economic, propaganda, or paramilitary activities and is usually designed to influence governments, events, organizations, or persons in support of foreign policy in a manner that is not necessarily attributable to the U.S. government. 1.6â The Legal Framework Governing Cyberattack The committeeâs view of the basic framework for the legal analysis of cyberattack is based on the principle that notions related to âuse of forceâ and âarmed attackâ (terms of special relevance to the Charter of the United Nations) should be judged primarily by the effects of an action rather than its modality. That is, the fact that an attack is carried out through the use of cyberweapons rather than kinetic weapons is far less significant than the effects that result from such use, where âeffectsâ are understood to include both direct and indirect effects. Accordingly, cyberattack should be judged according to the principles
22 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES of the law of armed conflict (LOAC) and the UN Charter, encompassing both jus ad bellum (law governing the legality of going to war) and jus in bello (law governing behavior during war) with the understanding that new analytical work is needed to understand how these principles do or should apply to cyberweapons. For example, some of the more problem- atic cases involving cyberattack include the following: â¢ Conflicts that do not fall under the presumption of nation-to-nation con- flict between national military forces. When the law of armed conflict was first articulated, only nation-states had the ability to wage war. Because cyberattack weapons are inexpensive and easily available, non-state actors (e.g., terrorist groups, organized crime) are capable of engaging in armed conflict through the use of cyberweapons, as are individuals acting on their own with putatively âpatrioticâ motivations or with criminal inten- tions. Even in non-government hands, these weapons include some that are as capable of doing great harm as those available to governments. Thus, the lines between state, non-state, and individual attackers are unclear in a legal regime that distinguishes between LOAC on the one hand and national criminal laws on the other. â¢ The exception for espionage. The LOAC presumes that a clear distinc- tion can be drawn between the use of force and espionage, where espio- nage is avowedly not a use of force. However, the distinction between cyberattack and cyberexploitation may be very hard to draw from a tech- nical standpoint, and may lie primarily in the intent of the user. â¢ The emphasis on notions of territorial integrity. A target in cyberspace may be known only through an electronic identifier, such as an IP address or a MAC address. (A componentâs Media Access Control addressâgen- erally known as a MAC addressâis a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by their manu- facturer for identification.) To what extent should the physical location of a computer matter in determining whether it is a legitimate military target that may be subject to cyberattack? Also, the effects of attacking a given computer may not be felt at all in the immediate geographic vicinity of the computer, thus raising the question of which geographic location is relevant to the determination of legitimacy for attack. 1.7â The Dynamics of Cyberconflict The escalatory dynamics of armed conflict are thought to be under- stood as the result of many years of thinking about the subject. The dynamics of cyberwarfare are less well understood. This report spec- ulates on some of the factors that might influence the evolution of a cyberconflict.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 23 For major nation-states with significant kinetic and cyber capabilities at their disposal, some of the important questions to be addressed include the following: â¢ Crisis stability. What is the analog of crisis stability in cyberconflict? What are the incentives for preemptive cyberattack? Crisis stability refers to the condition in which even in a crisis, neither side has an incentive to escalate the conflict. â¢ Resolving the tension between a policy need for rapid response and the technical reality that attribution of a cyber action is a time-consuming task. Shortening the time for investigation may well increase the likelihood of errors being made in a response (e.g., responding against the wrong machine, launching a response that has large unintended effects). â¢ Preventing cyberconflict from escalating to physical space. Given that cyberattacks are likely to occur in the early stages of a conflict, how can cyberconflict between nations be limited to conflict in cyberspace? How should cyberattack be scoped and targeted so that it does not lead an adversary to escalate a conflict into kinetic conflict? How can a modestly scoped cyberattack conducted by a government be differentiated from the background cyberattacks that are going on all of the time? â¢ The complicating presence of non-state actors. How can âfreelanceâ activities on the part of âpatriotic hackersâ be minimized or curtailed? â¢ Termination of cyberconflict. How would two nations engaged in cyberconflict indicate that they have ceased cyberattacks against each other? â¢ The role of transparency. What is the role of transparency in promot- ing crisis stability and conflict limitation in cyberspace? â¢ Catalytic cyberconflict. How can catalytic cyberconflict be avoided? (Catalytic conflict refers to the instigation of conflict between two parties at the behest or initiative of a third party.) For non-state actors such as terrorist or criminal groups, two pri- mary issues relate to identification of the appropriate party against which to retaliate, and the availability of cyber and/or kinetic targets whose destruction might cause pain or meaningful damage to the terrorist or criminal group. At the same time, nations hosting such groups might have plausible targets, and the assistance of those nations in acting against such groups might be obtained.
24 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES 1.8â Findings This section presents the committeeâs findings and recommendations, along with supporting arguments that summarize material contained in later chapters. 1.8.1â Technologies as Instruments of U.S. National Policy Once a need has been established, a sound stance regarding the use of most technologies as an instrument of U.S. national policy rests on four pillars: â¢ Capabilities to use the technology in a variety of situations and contexts. That is, the technology must be sufficiently well developed and robust to be usable in ways that advance U.S. national interests. When new tech- nologies are in their infancy, unproven extravagant claims are often made about their putative effectivenessâbut in some cases, such claims do turn out to be valid. â¢ Policy guidance for when and how such capabilities should be exercised. Policy guidance can be expressed in many forms, including statutory and/or common law, regulations and directives, ethical standards, acqui- sition decisions, military doctrine, and so on. As a general rule, these different expressions of national policy should reinforce, or at least be consistent with, each other. But since the U.S. government, like all gov- ernments, has multiple loci for policy formation, such consistency is not always found in national policy. â¢ Decision-making mechanisms for implementing policy guidance in an operational sense regarding the actual use of the capabilities available. For exam- ple, when a crisis occurs, a well-organized government will have clear and transparent mechanisms in place for directing that various actions be taken in response. One central element of such mechanisms is necessar- ily focused on reconciling competing interests and equities that may be present among the various stakeholders represented in the government and/or in the private sector. â¢ Oversight to ensure consistency between actual use and policy guidance. In large bureaucracies, maintaining consistency between policy and actual practice or use is often difficult, and oversight is necessary to ensure such consistency. In practice, oversight closes the feedback loop between out- comes and policy, and provides indicators of whether a policy is working to advance national interests. The first of these elements is inherent in the technology. But the remaining three elements emerge only from the organizations and people who must determine how any given technology is to be usedâand such
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 25 emergence almost always trails the development of technological capa- bilities. Furthermore, a rapid pace of change in technologies relevant to warfare almost always changes the nature of warfare itself, and thus military doctrine and concepts of use must also adjust to the realities of new technologies. Regarding cyberattack, consider that the World Wide Web was invented in the early 1990s and personal computers went mainstream for the general public less than 30 years ago with the introduction of the IBM PC in 1981. Over a billion people use cell phones today, 10 and wire- less services are growing exponentially. Accurate location and velocity information for vehicles is more available than ever before through GPS and similar systems. Taking into account the speed at which organizations such as national governments change, it is not surprising that policy guid- ance, decision-making mechanisms for operational use, and oversight mechanisms for cyberattack have not been fully developed. These ele- ments are the primary focus of the findings and recommendations that follow. As for todayâs policy context, policy and guidance are evolving rap- idly at the time of this writing (early 2009). A number of reports have been recently issued speaking to the importance of cybersecurity to the nation. These reports have either obliquely or explicitly referred to the importance of integrating defensive activities with offensive activities in cyberspace. The outgoing administration launched the $40 billion Com- prehensive National Cybersecurity Initiative (CNCI), which reportedly takes seriously this notion of integration. The organization of the Depart- ment of Defense for cyber operations is in flux as well, as different agen- cies and services make their cases for significant roles regarding the attack mission. 1.8.2â Overarching Findings Finding 1: The policy and organizational issues raised by U.S. acquisition and use of cyberattack are significant across a broad range of conflict scenarios, from small skirmishes with minor actors on the international stage to all-out conflicts with adversar- ies capable of employing weapons of mass destruction. See http://groups.google.com/group/alt.hypertext/msg/395f282a67a1916c. 10 More precisely, the number of mobile telephone subscriptions globally reached 3.3 billion in November 2007. See Reuters, âGlobal Cellphone Penetration Reaches 50 Pct,â November 29, 2007, available at http://investing.reuters.co.uk/news/articleinvesting. aspx?type=media&storyID=nL29172095.
26 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES The statement above represents the primary finding of the commit- tee. All of the findings in this section are elaborations of this primary finding. While the immediate effects of cyberattack are unlikely to be compa- rable to the effects of weapons of mass destruction (for example, nuclear, chemical, or biological weapons), a large-scale cyberattack could mas- sively affect the functioning of a society and lead to many indirect casual- ties. Conversely, it is possible to imagine that certain cyberattacks might be executed on a smaller scale and with a lower degree of lethality than might be expected if kinetic weapons were used for equivalent military purposes. Thus the policy implications of cyberattack have certain com- monalities across the range from non-lethal engagements to wars involv- ing the use of weapons of mass destruction. To the extent that new technologies afford new capabilities, they imply new policy challenges about how to develop, acquire, and use them; about who should use them and who should decide about using them; and indeed about how to think about them. But the policy issues associated with cyberattack are of particular urgency today, because the amount and degree of conceptualization and understanding in the policy- making community about these issues relative to their potential signifi- cance is much lower than is the case with almost any other weapon in the U.S. arsenal. In other words, the state of policy formation regarding cyberattack is still in its infancy compared to policy regarding most other weapons, even though the availability and proliferation of cyberattack technologies is a technological watershed. And it is the committeeâs belief that the issues surrounding cyberattack extend far beyond the traditional responsibilities of the Department of Defense and the intelligence commu- nity and touch national interests such as diplomacy and foreign relations, law enforcement, and commerce and trade. Finally, the committee notes that the goals of a cyberattack (i.e., the alteration, disruption, deception, degradation, or destruction of a com- puter system or network) may sometimes be accomplished by more tra- ditional kinetic means. Any planner contemplating the destruction of an adversary computer or network would have to think about both cyber- attack and kinetic attack options. But there is a well-developed body of doctrine and guidance regarding kinetic options, and so the committee has not specifically examined or presented the kinetic perspective in any systematic way in this report. Finding 2: The availability of cyberattack technologies for national purposes greatly expands the range of options avail- able to U.S. policy makers as well as to policy makers of other nations.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 27 Cyberattack technologies can have a broad range of effects and impacts (Chapter 2). They are thus quite flexible, and for example can sometimes be operated reversibly or irreversibly and in a lethal/destructive or non- lethal/non-destructive manner depending on the specific technology involved. In addition, cyberattack technologies have a largely clandestine character and are relatively inexpensive. These characteristicsâflexibility, clandestine nature, and low costâcan be helpful in many applications by the military, intelligence, and law enforcement communities. An important consequence of the broad range of possible effects and impacts is that cyberattack as an instrument of national policy has both offensive and defensive implications (as noted in Section 1.2 and Chapter 2), and both tactical and strategic implications as well (Chapter 9). Fur- thermore, much of the supporting technology for characterizing ongoing cyberattacks (e.g., detection, warning, attack assessment) is relevant to both offense and defense, and to tactical and strategic planning and deci- sion making. Such dualities can be found for kinetic technologies as well, but they are front and center in thinking about cyberconflict. The fact that cyberattack technologies can have a broad range of effects and impacts also means that their use may sometimes result in unanticipated, unforeseen, or unintended consequences. Concerns about these unanticipated consequences may (and perhaps should) inhibit the use of cyberattack under some circumstances. Finding 18 notes the uncer- tainties associated with the effects of many kinds of cyberattack. In addition, the nature of cyberattack technologies is that they are available to other nations and non-state actors as well as to the United Statesâa fact that results in the plentitude of vulnerabilities to the U.S. critical infrastructure and U.S. military documented in so many reports.11 Finding 3: Todayâs policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain. To date, national policy regarding cyberconflict has focused mostly on the defense of friendly computer systems and networks against cyberat- tack, although by most accounts the information technology infrastructure of the United States is still quite vulnerable and policy for cyberdefense 11 See, for example, Presidentâs Information Technology Advisory Committee, Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington, D.C., February 2005.
28 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES is still uncertain.12 But the United States has no comprehensive publicly stated strategic national policy apart from a criminal framework concern- ing how it will regard cyberattacks conducted against the United States or how it might use cyberattack in support of U.S. interests. The most relevant international legal frameworkâthe law of armed conflict com- bined with the Charter of the United Nationsâwas formulated in an era that long predates the information age and cyberattack, and although the principles of the LOAC framework still apply (Finding 6), the specifics of applying the principles to cyberattack are sometimes uncertain. These points illustrate the lack of a shared conceptual understanding about the full spectrum of issues regarding cyberattack among all of the stakeholdersâmilitary, intelligence, law enforcement authorities, and the private sector. Such a shared understanding is a prerequisite for respon- sible decision making about this topic. The undeveloped and uncertain nature of this legal and policy frame- work poses a number of dangers for the United States, not the least of which is that policy and law developed in a time of (or in response to) crisis are oftenâsome might argue usuallyâhastily formulated and thus incompletely considered. Crisis may also bias the policy consideration in undesirable ways. For example, arguments in favor of a particular course of action can be artificially bolstered by crisis, and arguments against that course of action artificially suppressed, thus bypassing the weighing of tradeoffs that characterizes non-crisis decision making. And unsound policy formulated and implemented during crisis may prove difficult to change or reverse when the crisis has passed. Finding 4: Secrecy has impeded widespread understanding and debate about the nature and implications of U.S. cyberattack. The relatively recent emergence of cyberattack technologies and the resulting dearth of associated policy, law, and ethics raise some very important issues for all sectors of society. Nevertheless, a full public discussion of these issues has yet to coalesce, and classification of such topics as being at secret or higher levels has left U.S. government think- ing on these issues highly opaque. Such opacity has many undesirable consequences: â¢ Neither the potential importance and usefulness of cyberattack as 12 See, for example, National Research Council, Information Technology for Counterterror- ism: Immediate Actions and Future Possibilities, The National Academies Press, Washington, D.C., 2003, and National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington D.C., 2007.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 29 an instrument of national policy nor the potential perils and pitfalls of using cyberattack are well understood outside niches in the defense and intelligence communities. Secrecy about policy relevant to cyberattack inhibits public scrutiny and thus increases the likelihood that policy will be formulated with narrow parochial or short-term interests foremost in mind. â¢ Programs to develop cyberattack capabilities are classified and dispersed throughout many program elements within the Department of Defense, with the result that overall capabilities may not be widely known even among those with the necessary clearances. Effective congressional oversight that goes beyond a few individuals on the relevant committees is also inhibited. â¢ Unclassified programs to develop stronger or more effective defen- sive capabilities do not benefit from the insights derived from knowledge of cyberattack. Yet it is well known that many intellectual and program- matic synergies are possible when experts in defense and attack can collaborate. â¢ Independent research and investigation about the topic is inhibited, in particular for two groups: non-military/non-government researchers and DOD/intelligence community personnel (both uniformed and non- uniformed) who do not now but may in the future need to know about this area. ï£§For the first group, the loss of independent non-governmental analysis increases the likelihood that the full array of national and interna- tional intellectual capital will not be brought to bear on the issue, thereby depriving policy makers of its potential contributions to understanding the issue. (In this regard, the committee notes a 50-year history of inde- pendent non-government analysis that has made important contributions to the formulation of U.S. policy regarding nuclear, chemical, and biologi- cal weapons.) ï£§For the second group, it is not reasonable to expect individuals placed into responsible positions to get up to speed quickly if they do not have the basic and fundamental background knowledge needed. Yet this is precisely what is implied by the current regime of secrecy surrounding cyberattackâDOD/intelligence community personnel in other assign- ments have no reasonable opportunity to be exposed to the basic policy issues involved in cyberattack (because they have no âneed to knowâ in their current duty assignments), and they are expected to be in a position to make sound policy judgments when they fill their cyberattack billets. Moreover, personnel in non-cyberattack assignments need to comprehend the basic policy issues involved in cyberattack so that they are able to
30 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES understand and assess what these policy issues for cyberattack mean for the responsibilities of their current positions. â¢ Dissemination even of unclassified information is inhibited by the broad classification of the cyberattack topic. Guidelines for the protection of classified information force individuals with clearances and access to such information to be certain that information they discuss publicly is indeed unclassifiedâotherwise, they are obligated to treat any material received in classified settings as classified even if the material in question is in fact unclassified. The result is that such individuals are reluctant to talk publicly about such issues at all. â¢ Professional military education cannot explore the cyberattack topic in any meaningful sense. Nevertheless, professional military educa- tion is one of the most important venues in which those military person- nel unfamiliar with critical topics can learn about them. â¢ Secrecy has also inhibited discussion of issues related to cyberat- tack outside the defense context. For secrecy as well as other reasons, discussion about the pros and cons of cyberattack as a component of a comprehensive defense has been inhibited and delegitimized. Greater public discussion of cyberattack in a military context is likely to spur greater discussion of related issues in non-military contexts. Finding 5: The consequences of a cyberattack may be both direct and indirect, and in some cases of interest, the indi- rect consequences of a cyberattack can far outweigh the direct consequences. To the extent that there has been any public discussion about cyberat- tack, the full range of possible effects and consequences of cyberattack is often not addressed. In fact, cyberattacks can have a very broad range of consequence, from barely noticeable by careful observers to immediately significant on a global scale. For this reason, any discussion of cyberat- tack in use must address its effects. Furthermore, since the information available to attackers may well be limited, there will also be some range of uncertainty about the extent and nature of a cyberattackâs effects. A full consideration of a cyberattackâs effects necessarily includes both direct (immediate) and indirect (follow-on) effects (Section 1.4). Direct or immediate effects are effects on the computer system or network attacked. Indirect or follow-on effects are effects on the systems and/or devices that the attacked computer system or network controls or interacts with, or on the people that use or rely on the attacked computer system or network. Another dimension of the effects issue relates to the time scale on which the effects of a cyberattack will be manifest. Some cyberattacks
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 31 target data or software, and such attacks are usually more easily and more rapidly reversed, at least in part, than are kinetic attacks on objects that are energetically disassembled (blown up). For example, if backup media are easily accessible, it may be possible to restore corrupted data and software to their pre-attack states relatively quickly and with only mini- mal losses. An attacker might have the ability to restore data as well (e.g., some cyberattacks call for the in-place encryption of data and decrypting it only after hostilities terminate). But the indirect or follow-on effects are generally not as easily reversible in much the same way that the direct effects of kinetic attacks are generally not easily reversible. A cyberat- tack on the computer controlling a generator or a dam that was in fact intended to disable the generator or the dam could cause the generator to burn itself out or the dam to release its floodgates too soon. Such effects are kinetic in nature, and thus are only as reversible as their underlying physical structures are replaceable or repairable. (Even in the case where a cyberattack is intended to confuse the enemy (e.g., by altering data) rather than to cause a kinetic or physical effect, the ultimate results of that confu- sion are likely to be difficult to reverse.) Depending on the nature of the cyberattack, the extent of reversibility may be an additional (and possibly significant) factor in undertaking any analysis of its effects. One important consequence of Finding 5 is that policy makers and operational commanders cannot assume that cyberattacks are non-lethal simply because they target computers or networksâa fact that provides further support for Finding 1. The full scope of effects, both direct and indirect, must be taken into account in a determination of the lethality and other consequences of any given cyberattackâand this is true for attacks launched by the United States as well as for attacks directed against the United States. A second consequence is that not all cyberattacks constitute âcyber- warfare.â As a form of warfare, cyberwarfare automatically brings in all of the associated legal and ethical constructs associated with the term, and they may not apply in all cases of cyberattack. Furthermore, cyberattacks should not be conflated with cyberexploitations, as they often are in the popular press and in lay discussions of the topic (Box 1.4). 1.8.3â Legal and Ethical Findings Much of todayâs current thinking about how to engage in armed con- flict originated a century ago, and thus it is not surprising that todayâs international lawâand especially the law of armed conflictâmay not be entirely adequate to handle all of the implications of cyberattack technolo- gies that have emerged only in the last few decades. The same is true of
32 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 1.4â Conflation of Cyberattack and Cyberexploitationâ Negative Consequences Cyberattack and cyberexploitation are often conflated in public discourse, and in particular cyberexploitations are reported and discussed using the term âcyberattack.â For example: â¢ Congress. Representative Frank Wolf (R-VA) stated on the House floor in June 2008 that âIn August 2006, four of the computers in my personal office were compromised by an outside source. On these computers was information about all of the work I have done on behalf of political dissidents and human rights activists around the world. . . . The FBI revealed that the outside sources responsible for this attack [emphasis added] came from within the Peopleâs Republic of China.â1 â¢ News organizations. A Time magazine article of 2005 stated that âCar- penter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack [emphasis added] took 10 to 30 minutes.â2 â¢ National laboratories. In December 2007, the Oak Ridge National Labora- tory posted a notice labeled Potential Identity Theft stating that âOak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack [emphasis added] that appears to be part of a coordinated attempt to gain access to com- puter networks at numerous laboratories and other institutions across the country. A hacker illegally gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications. When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employeesâ computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory.â3 domestic lawâthis too has lagged behind the times in coming to terms with the implications of new cyberattack technologies. Finding 6: The conceptual framework that underpins the UN Charter on the use of force and armed attack and todayâs law of armed conflict provides a reasonable starting point for an inter- national legal regime to govern cyberattack. However, those legal constructs fail to account for non-state actors and for the technical characteristics of some cyberattacks.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 33 The committee believes that conflating these terms does not contribute to an informed public discussion of cyberattack or the broader discussion of cybersecu- rity. Indeed, such conflation has a number of negative consequences: â¢ It overstates the actual threat, thus inflaming public passion and beating the drums of war unnecessarily. It is certainly true that cyberexploitations are not friendly acts, but they are not armed attacks either. Most nations engage in es- pionage even against allies and neutral nations without it leading to war or even armed conflict, and cyberexploitation is in essence a form of espionage. â¢ Calling a cyberexploitation an attack may imply in the public mind an im- mediate right to counterattackâperhaps through cyber means or perhaps through kinetic meansâeven though the action in question would not properly be regarded as a military attack. Thus, if policy makers lump together cyberexploitations and real cyberattacks as âcyberattack,â they may well be impelled to counterattack with more force than is appropriate under the circumstances. â¢ Calling cyberexploitation a cyberattack could prejudge U.S. positions and interests in future cyber arms control talks. With an overly broad definition, the United States might find itself unwilling to ratify a treaty in order to preserve certain capabilities that fall short of actual attack, and thus end up outside international norms even when it might not object to limiting certain attack capabilities. 1 See http://wolf.house.gov/?sectionid=211§iontree=7,211&itemid=1213. The Congres- sional Record transcript can be found at http://www.fas.org/irp/congress/2008_cr/wolf061108. html. 2 By Elaine Shannon, âThe Invasion of the Chinese Cyberspies (and the Man Who Tried to Stop Them),â Time, August 29, 2005, available at http://www.time.com/time/magazine/Â article/0,9171,1098961,00.html. 3 See http://www.ornl.gov/identifytheft/. The committee believes that the conceptual framework that under- pins the UN Charter and todayâs law of armed conflict regarding the use of force and armed attack is generally consistent with the notion that the effects of an action rather than the modality of that action are the primary measure in judging its legality under the UN Charter or LOAC. Prior to an acknowledged armed conflict, the legal status of any mili- tary activity is judged by its effects (regardless of the means) according to the criteria of the UN Charter and jus ad bellum. Therefore, if the effects (including both direct and indirect effects) to be produced by a cyberat- tack would, if produced by other means, constitute an armed attack in the
34 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES sense of Article 51 of the UN Charter, it should be treated as an armed attack. Similarly, if a cyberattack would have the same effects as certain governmentally initiated coercive/harmful actions that are traditionally and generally not treated as the âuse of forceâ (e.g., economic sanctions, espionage, or certain covert actions), such a cyberattack should also not be regarded as a use of force. Article 51 acknowledges the conditional right of a nation to engage in the use of armed force for self-defense, including the situation in which the nation is the target of an armed attack, even without Security Council authorization. Thus, the response to a cyberattack by acts constituting use of force is legal, permitted, and proper only if and whenâbut definitely if and whenâthe effect of the initial action is equivalent to the effect of an armed attack. If the initial provocation does not rise to the level of being an armed attack, it is not legal to respond with any act that constitutes the use of force, whether cyberattack or otherwise. The committee also concurs in the judgment of the U.S. armed forces that during acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), military use of cyberattack is governed by all the standard LOAC criteria of jus in belloâmilitary necessity (and seeking the destruction only of legitimate targets that make a direct contribution to the enemyâs war effort), pro- portionality (and thus pursuing offensive action only when the military advantage to be gained by the attack outweighs the collateral damage that would ensue), and distinction (restricting combatants and non-combat- ants to their legitimate roles in return for the different legal protections afforded to them). At the same time, the framework underpinning existing law is poorly suited to deal with certain aspects of cyberattack. One major complicating factor in the analysis of cyberattacks is that although the law of armed conflict continues to govern the use of cyberattacks by the U.S. armed forces (and in principle, by other nations as well), LOAC is based on a state-to-state framework and thus largely assumes interstate conflict. But today, and especially in cyberspace, non-state actors (e.g., terror- ist groups, organized crime) are entirely capable of engaging in armed conflict, as are individuals acting on their own with putatively âpatri- oticâ motivationsâand the lines between state, non-state, and individual attackers are unclear in a legal regime that focuses primarily on LOAC on the one hand and national criminal laws on the other. International agree- ments, such as the Convention on Cybercrime (Section 7.2.4), will help to increase the effectiveness of criminal law in dealing with cyberattacks, but it is likely that some gray area will always exist between LOAC and criminal law when certain kinds of cyberattack occur. Of course, the notion that a threat might emanate from a non-state
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 35 actor is not unique to the domain of cyberattack. Terrorists seeking to inflict kinetic damage often operate from a neutral nationâs territoryâand indeed, using cyberattack as an instrument against non-state actors brings into play many of the issues that arise in fighting terrorists. For example, self-defense against attacking parties in neutral territory (discussed in Section 18.104.22.168.4) can easily become relevant to a decision to launch a counter-cyberattack against a cyberattack apparently emerging from a neutral nationâand the structure of the process used in deciding this case would be very similar to the decision-making process used in decid- ing whether to launch a kinetic attack against terrorists operating from a failed state. A second complicating factor is related to various technical charac- teristics of cyberattacks that may be carried over the Internet. Today, the United States is undertaking major efforts to monitor Internet activity for indications of hostile intent. For example, the DOD, under the auspices of the U.S. Strategic Command, monitors attacks on DOD systems. A variety of computer emergency response teams and commercial anti- virus/worm-detection firms also continually monitor Internet network operations for indications of threat warning. These monitoring efforts are likely to provide some degree of âearly warningâ for impending cyberat- tacks conducted over the Internet, although that time may be measured in seconds. As such an attack unfolds, its scope and effects may become clearer as well. However, these efforts at Internet surveillance will not necessarily reveal planning and preparation of the attack, nor intent or even origin. Neither does surveillance reveal aspects of the attack that take place at protocol levels below the monitoring sensors, or above them if concealed. (For example, a cyberattack may be deliberately designed to hide the extent and nature of the damage it causes. In addition, an adversaryâs battlefield preparation for a cyberattack (e.g., installing easy-to-use back doors) may be done surreptitiously, thus making it difficult for the victim to know the scope and nature of the preparation.) Because LOAC and the UN Charter presume not only nation-states in conflict but also that the specific nation-states involved are known to all, the difficulty of attribut- ing a cyberattack in its early stages to a particular actor, which may be a state or a non-state actor, remains a major challenge to the current legal regime. Thus, the United States may know that it has suffered an âarmed attackâ or been the target of a âuse of force,â but it may take a long time to determine the party or parties responsible. Finally, because so much of LOAC and the UN Charter is based on the idea that civilian and military assets can be separated, the intermingling and interconnection of military and civilian information technology assets and the importance of a nationâs critical infrastructure to both military and
36 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES civilian activities will present challenges to todayâs LOAC/UN Charter regime. Even with the intent to comply with LOAC and the UN Charter, policy makers will face many difficulties in arriving at sound judgments regarding events involving cyberattack, whether the United States is the victim or the launcher of a cyberattack. Finding 7: In todayâs security environment, private parties have few useful alternatives for responding to a severe cyberattack that arrives over a network such as the Internet. When a private party is the target of a cyberattack that arrives over a network such as the Internet, it has four options for responding. First, it can implement passive measures to strengthen its defensive posture. For example, it can drop functionality on its own systems that the attacker is trying to exploit, reject traffic, and close ports on its firewall. Second, it can report the event to law enforcement authorities, and law enforcement authorities can take appropriate action to try to shut down the cyberattack (e.g., by finding the perpetrator and arresting him, but not by launching a cyber counterattack). Third, it can take self-help measures to further investigate and characterize the source of the cyberattack and then report the information to appropriate law enforcement authorities. Fourth, it can take actions to actively neutralize the incoming cyberattack. The first two options are generally legal under U.S. domestic law. But the first option may cause the victim to lose the benefit of essential computer and network services and connections. With respect to the second option, law enforcement authorities may not be able to respond effectively on a time scale that will prevent significant immediate harm to the victim, although arrest and prosecution might provide a possible venue for restitution. That is, there appears to be no government agency that has the legal authorization to perform a âharm cessationâ function apart from the arrest-and-prosecute mode. Furthermore, the appropriate and relevant law enforcement authori- ties are not always easily identified. If a U.S. firm with offices in Japan is cyberattacked in Japan by the Russian mob, are the cognizant law enforce- ment authorities American (because the firm is a U.S. firm), Japanese (because that was the place where the consequences were manifested), or Russian (because Russia was the national home of the bad attackers)? If the first two options are not sufficient to keep losses to an accept- able level, the victim might understandably consider the third and fourth options. That is, if the victim is unable to strengthen its defenses without losing essential functionality, and law enforcement authorities cannot prevent further harm, self-help options gain in attractiveness. However, regarding option three, it may well be illegal under both
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 37 the Computer Fraud and Abuse Act (CFAA) and the Electronic Commu- nications Protection Act for the victim to investigate and characterize the attack and attacker by initiating probes of its own, even if such informa- tion would be useful for law enforcement authorities in conducting their own investigation. Option four likely violates the CFAA, which forbids private individu- als and organizations to intentionally cause damage in excess of $5,000, without authorization, to any computer âused in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.â Still, limited rights regarding the defense of property intended to prevent continuing harm have traditionally been afforded to victims of attack under some circum- stances even in the absence of explicit legislative authority for actions taken in the defense of property. In short, even a private party under continuing cyberattack may itself have some rights to use a cyberattack of its own to stop the incoming cyberattack. To the best of the committeeâs knowledge, defense of property has never been invoked in a defense against charges of violating the CFAA, and so the legal justifiability of such actions is subject to some doubt. At the same time and regardless of the legality of such actions, exer- cise of such rights may well be problematic both for the attacked party and for the nation at large from a policy perspective: â¢ The particular conditions necessary to invoke rights to defense of property are not clearly specified anywhere, and thus some degree of legal uncertainty necessarily attaches to such actions. â¢ Because many kinds of cyberattack can be transmitted across large distances, cyber actions taken to respond to a cyberattack will almost inevitably invade the premises of the attacker. â¢ Actions taken by the attacked party may be attributed to the gov- ernment with responsible authority over it, especially if government stan- dards governing the invocation of such rights are established. â¢ Given the difficulties of technical attribution of a cyberattacker, a victim undertaking a responsive cyberattack has a non-negligible chance of striking innocent third parties, making defense of property in this con- text far more problematic than the defense engaged in by a homeowner shooting at a home intruder. Finding 8: Cyberattack poses challenges to existing ethical and human rights regimes. As noted in Chapter 7, the laws of armed conflict are based on two
38 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES central ethical principlesâthat the use of force or violence against another state must be justified by âgoodâ reasons for doing so, and that even if violent conflict between nations is inevitable from time to time, unneces- sary human suffering should be minimized. To the extent that the laws of armed conflict govern the use of cyberattack, cyberattack is not a sui generis phenomenon that is incompatible with these ethical principles. On the other hand, cyberattack can complicate the application of these ethical principles. For example, the argumentation for Finding 6 noted the complications introduced into todayâs legal regime by the dual-use nature of todayâs information technology infrastructure. This dual-use nature also complicates ethical judgments that have traditionally been based on the notion of separating civilian and military assets, and the need for making such judgment may well be relevant in situations short of acknowledged armed conflict in which LOAC is held to apply. The possibility of extended cyberattacks on a societyâs information technology infrastructure also raises the question of whether the IT- dependent features of modern society are in any sense essential to life as the citizens of that society know it. For example, the citizens of a large nation often use credit cards to conduct retail transactions. If a cyberattack on the financial infrastructure disrupted the ability of citizens to conduct electronic transactions for an extended period of time without causing large-scale death or destruction of property, what, if any, is the ethical responsibility of the nation launching the attack? Estonia, for example, has gone so far as to declare that Internet access is a fundamental right of its citizenry.13 An extended cyberattack campaign against a modern nation that deprived citizens only of such features of modern life (and did not cause large-scale death or destruction of property) might still be reasonably considered a use of force by the attacked nation and the world community and/or a human rights violation of the citizens of the attacked nation by the attacker. The International Covenant on Civil and Political Rights articulates one current international understanding of human rights. But although a number of its provisions can be argued to be relevant to the cyber domain, it is reasonably clear that the framers of that convention did not take explicit account of the possibility that cyberattacks might affect human rights. The United States has argued that the convention does not apply extraterritorially, and hence it would not regulate U.S. behavior regarding other countriesâhowever, as a practical matter, the role of human rights law during conflict is contested internationally, and there is no reason to expect that cyberconflict will be exempt from this debate. 13 Colin Woodward, âEstonia, Where Being Wired Is a Human Right,â Christian Science Â onitor, July 1, 2003, available at http://www.csmonitor.com/2003/0701/p07s01-woeu.html. M
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 39 Finally, if cyberattack capabilities are seen as providing policy makers with an alternative short of using traditional kinetic armed force in the conduct of their international relations (Section 8.4), they may increase the likelihood that national leaders will choose to intervene when they might otherwise have refrained from intervention.Â Such an outcome may raise ethical and moral issues as well. 1.8.4â Policy Findings Finding 9: Enduring unilateral dominance in cyberspace is nei- ther realistic nor achievable by the United States. In the event that conflict does occur, U.S. military doctrine seeks dom- inance in the relevant domains of conflictâthat is, U.S. freedom of action in any domain of conflict (including cyberconflict) coupled with denying U.S. adversaries the same freedom of action.14 Dominance requires supe- riority in both offensive and defensive capabilities. â¢ Many cyberattack technologies are inexpensive and easily avail- able to non-state actors, including individuals, and these technologies include some that are as capable of doing great harm as those available to governments. Much of the expertise needed to wield cyberattack weap- ons effectively is widespread. These points, discussed further in Chapter 2, suggest that the United States cannot maintain overall dominance in cyberattack capabilities for any extended period of time. â¢ With respect to cyberdefense, current trends in information tech- nology development and deployment suggest that exploitable vulner- abilities will continue to be present in both civilian and military computer systems and networks of the United States. Thus, the U.S. information technology infrastructure is likely to remain vulnerable to cyberattack for the foreseeable future.15 Thus, cyberconflict is quite unlike the land, air, and maritime domains in which U.S. armed forces operate, and enduring unilateral dominance 14 According to the Joint Chiefs of Staff, joint force commanders are called upon to âseek superiority early in air, land, maritime, and space domains and the information environment to prepare the operational area and information environment and to accomplish the mission as rapidly as possible.â Joint Publication 3-0, Joint Operations, February 13, 2008, available at http://www.dtic.mil/doctrine/jel/new_pubs/jp3_0.pdf. 15 In addition, another nation may impose by decree cybersecurity measures on all information technology used by that nation or it may impose and enforce a strong separa- tion between the information and information technology infrastructures for military and civilian use. Such a nation would likely have advantages in a cyberconflict with the United States, which does not do either of these things.
40 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES with respect to cyberconflict is not realistically achievable by the United States. This does not mean that the United States should refrain from developing cyberattack capabilitiesâonly that it should not expect endur- ing advantage from such development. Finding 10: The United States has much to lose from unrestrained cyberattack capabilities that are proliferated worldwide. The United States is highly dependent on the capabilities afforded by ubiquitous information technology in every sector, both military and civilian. Consequently, the United States has much to lose from unre- strained cyberattack capabilities that are proliferated worldwide. (Some analysts also make the further argument that the United States would have the most to lose compared to any other nationâan assessment that is plausible but that depends on relative judgments about the dependence on information technology of various nations. The committee would not dispute that conclusion if it were accompanied by a defensible analysis, but it was not willing to make that assessment itself.) In addition, comparing the as-yet-unproven utility of U.S. cyberattack against its adversaries to the demonstrated growing dependence of the United States on information technology, it is generally more important for the United States to be able to use information technology freely in pursuit of its national interests than for it to be able to deny adversaries the use of their own systems and networks. However, this conclusion does not rule out the possibility that cyberattacks by the United States will be an appropriate and useful action under some circumstances, although it does emphasize the importance of protecting the U.S. information tech- nology infrastructure. Finding 11: Deterrence of cyberattacks by the threat of in-kind response has limited applicability. In general, deterrence of adversaries is the cornerstone of U.S. mili- tary strategy. Deterrence seeks to promote stability by persuading an adversary to refrain from taking aggressive actions against U.S. interests. Deterrence is based on two elementsâpunishment and denial. Deterrence by punishment threatens to inflict unacceptable costs on an adversary that takes aggressive actions. If he knows he will suffer such costs should he take such actions, he will refrain from taking them. Deterrence by denial seeks to deny the adversary success from his aggressive actions. If he knows his aggressive actions will not result in success, he will refrain from taking them. As applied to cyberconflict, deterrence is complex. For the most part, defensive capabilities contribute to deterrence by denial, and attack
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 41 capabilities contribute to deterrence by punishment. Actions taken to strengthen important U.S. computer systems and networks promote deterrence by denial, but for a host of reasons described in Chapter 2 and in other reports,16 the gap between defensive capabilities and the adver- sarial cyberattack threat is large and growing today. Deterrence by punishment is more likely to be an effective strategy against nations that are highly dependent on information technology, because such nations have a much larger number of potential targets that can be attacked. Nevertheless, even nations with a less technologically sophisticated national infrastructure are probably vulnerable to cyberÂ attack in selected niches. A cyber aggressor also knows the time of his cyberattack, and can take action to mitigate the punishment that will follow his attack. The aggres- sor can take steps to invalidate the intelligence information on cyber targets that the defender has already collected on him, and thus can force the defender into either a non-selective retaliation or a retaliation delayed until new intelligence information can be collected. In the first case, the defender may not be willing to risk the large-scale escalation that might accompany a non-selective retaliatory cyberattack, and in the second case, the aggressor may have already achieved its objectives by the time a new retaliatory strike can be planned. Perhaps most importantly, deterrence by punishment requires knowl- edge of an adversaryâs identityâanonymous adversaries cannot be pun- ished. As noted in Chapter 2, todayâs information technology makes it easy for evildoers to act anonymouslyâand even in the event that new information technologies are developed with stronger authentication capabilities, there is always the risk that an authenticated computer could be improperly compromised to conduct aggressive action. On the other hand, an actionable degree of attribution might be possible by making use of non-technical information. Policy makers seeking absolute and unam- biguous technical proof that a specific party is responsible for a cyberat- tack will almost certainly be disappointed in any real-life incident, and may ultimately be forced to rely on non-technical information more than they would prefer. The bottom line is that it is too strong a statement to say that plausible attribution of an adversaryâs cyberattack is impossible, but it is also too strong to say that definitive and certain attribution of an adversaryâs cyberattack will always be possible. Assuming that the adversaryâs identity can be known, there is no reason that a retaliatory cyberattack would necessarily be favored over a retaliatory kinetic attack. A variety of considerations might apply to choosing the retaliatory mode. For example, a âtit-for-tatâ retaliatory 16 See, for example, National Research Council, Toward a Safer and More Secure Cyber- space, The National Academies Press, Washington, D.C., 2007.
42 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES response against an adversary might call for a cyberattack of compa- rable scale against a comparable target. However, a threat to do so might not be credible if the United States has a great deal to lose from such an action, thus throwing doubt on the viability of an âin-kindâ deter- rence strategy. On the other hand, a near-peer competitor might well be deterred from launching a large-scale cyberattack by the knowledge that it too would have much to lose if the United States launched an in-kind counterattack. If an access path is available to the adversary, it may be reasonable to use attack capabilities to neutralize an incoming cyberattack even if the identity of the adversary is not known. By developing capabilities to deny the adversary a successful cyberattack, the United States might be able to deter adversaries from launching at least certain kinds of cyberat- tack against the United States. Yet neutralization is likely to be difficultâ destroying or degrading the source of a cyberattack may simply lead the adversary to launch the attack from a different source. Deterrence also relies on the adversaryâs belief that the United States is indeed capable of neutralizing its attackâand such capabilities may well have to be dem- onstrated in order to induce that belief. But a demonstration may provide an adversary with ways of defending against those capabilities, and so the fragility of cyberweapons, noted in Chapter 2, may itself provide dis- incentives for the United States to provide such demonstrations. These disincentives may raise the thresholds at which the United States is willing to use those particular weapons. Thus, neutralization may be an appropri- ate response strategy, but whether a threat to neutralize an adversaryâs attack is a reasonable basis for a strategy of deterrence through denial remains to be seen. As for the tailored deterrence discussed in Chapter 9, that concept is premised on an understanding and a knowledge of specific adversaries. Indeed, it presumes that such knowledge is available in advance as the basis for tailoring a deterrence strategy against that particular adversary. But by definition, deterrence cannot be tailored to an adversary about whom nothing is known. Against non-state parties, deterrence by punishment may be par- ticularly ineffective, as noted in Section 9.3. First, a non-state group may be particularly difficult to identify. Second, it is likely to have few if any information technology assets that can be targeted. Third, some groups (such as organized hacker groups) regard counterattacks as a challenge to be welcomed rather than something to be feared. Fourth, a non-state group such as a terrorist or insurgent group might seek to provoke cyber retaliation in order to galvanize public support for it or to antagonize the public against the United States.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 43 Finding 12: Options for responding to cyberattacks on the United States span a broad range and include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyber- attacks, and kinetic attacks. Today, important information systems in the United States are subject to innumerable hostile actions on a daily basis from a variety of actors ranging from teenagers acting on their own to major nation-states.17 An important question for policy makers to address is thus, How should the United States respond to such attacks? And if or when the nature of cyber- attacks changes in the future, how should it respond to those attacks? Such questions cannot be addressed in the absence of specific facts. But it is important to understand that the United States has a multitude of options for responding to any given cyberattack, depending on its scope and character; these options include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks. Put differently, the United States is in no way obli- gated to employ an in-kind response to a cyberattack, even if an in-kind response may superficially seem most obvious or natural. Some of the potential responses are less escalatory (e.g., changes in defensive postures), others more so (e.g., retaliatory cyberattacks or kinetic attacks). Implementing less escalatory responses would seem to require lower levels of authority than would more escalatory responses, and thus would be more easily undertaken. 1.8.5â Technical and Operational Findings Cyberattack technologies are a relatively new addition to the tech- nologies of warfare. Finding 13: For many kinds of information technology infra- structure targets, the ease of cyberattack is increasing rather than decreasing. Many recent reports have noted that the increasing use of informa- tion technology in existing and new infrastructure in the United States is increasing the vulnerability of that infrastructure. For example, Toward a Safer and More Secure Cyberspace notes that an increasing dependence on information technology applications in all walks of life has resulted in 17See, for example, Dennis Blair, Director of National Intelligence, Annual Threat As- sessment of the Intelligence Community for the Senate Select Committee on Intelligence, February 12, 2009, available at http://intelligence.senate.gov/090212/blair.pdf.
44 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES vulnerabilities being created faster than they can be found and fixed.18 Because the culture of information technology development in the United States does not promote security, new technologies, new architectures, and new applications result in new opportunities for attack. Old technologies and legacy systems also exhibit significant vulnerabilities because retrofit- ted security is often much less effective than security that is âdesigned inâ from the start. The times required for defenders to repair security holes are long compared to the times required for attackers to develop new attacks. Many individuals and institutions do not know how to defend themselves because it is hard to do, and this is especially true of end users and small organizations. These comments are also likely to be true for many other parties as wellâto the extent that other nations are becoming dependent on infor- mation technology, there is no reason to suppose that they do not suffer from the same kinds of vulnerabilities. This is not to say that cyberattack on certain specific targets will not be very difficult, or that all cyberat- tacks can be assured of success with high probability. But on average and as argued in many reports,19 the gap between the attackerâs capability to attack many vulnerable targets and the defenderâs inability to defend all of them is growing rather than diminishing. Finding 14: Although the actual cyberattack capabilities of the United States are highly classified, they are at least as powerful as those demonstrated by the most sophisticated cyberattacks perpetrated by cybercriminals and are likely more powerful. The cyberattack capability of a major nation-state (such as the United States) is almost certainly greater than that of the individual hacker or even the most talented cybercriminals. Such greater capability arises pri- marily from the resources available to nation-states rather than from fundamental differences in the base technologies available. A nation-state can draw on the services of its intelligence services and the funds in its national treasury, has enormous influence with the private sector compa- nies over which it has jurisdiction, and is more than willing to bribe or extort to compromise a trusted insider if that is a cost-effective route to its objectives. In addition, it is entirely possible that certain technical prob- lems have solutions that are today classified and thus not available to the 18 National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington D.C., 2007. 19 See, for example, National Research Council, Information Technology for Counterterror- ism: Immediate Actions and Future Possibilities, The National Academies Press, Washington, D.C., 2003; and National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington, D.C., 2007.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 45 world at large. In the domain of cryptography, it is known that the British Government Communications Headquarters (GCHQ; the UK equivalent of the National Security Agency) knew of public key encryption and in particular of the RSA algorithm for public key encryption several years before they were announced in the open literature.20 Thus, one might rea- sonably presume that there may well be technical approaches to various forms of cyberattack that are known, at present, only on the âinside.â The open literature documents a variety of sophisticated cyberattacks and cyberexploitations that have been used by criminals, and tools for these activities available to them. It is thus reasonable to posit that some of the tools available to nation-states are more sophisticated versions of criminal tools, that the associated procedures and practices are also more sophisticated versions of social engineering, and that the intelligence ser- vices of nation-states have greater capabilities with respect to cyberattacks that depend on some kind of close access. Put differently, the cyberat- tack capabilities of a major nation-state are at least as capable as those of sophisticated cybercriminals from a technical standpoint, and the attacks undertaken by such parties have been sophisticated indeed. The comments above notwithstanding, non-state actors have certain advantages over nation-states. Non-state actors are known for their ability to act and react more nimbly. Neither terrorists nor criminals are subject to the often-ponderous processes of governmental oversight, which sug- gests that they may be able to move faster to take advantage of emergent opportunities for cyberattack (e.g., the approvals needed to conduct a cyberattack are likely to be fewer than in the U.S. government). Nor are they likely to adhere to either the letter or spirit of the laws of armed conflict in conducting their cyberattacks, which suggests that their plan- ning is likely to be simpler and face fewer constraints (e.g., they can avoid the need to minimize collateral damage). And in a search for technical expertise and talent, they can often offer financial compensation that far exceeds anything that the U.S. government can legitimately offer its employees or troops. Whether such advantages offset the nation-stateâs superiority of resources and access regarding actual operations and the best use of available capabilities is not clear. Finding 15: As is true for air, sea, land, and space operations, the defensive or offensive intent motivating cyber operations in any given instance may be difficult to infer. 20 Peter Wayner, âBritish Document Outlines Early Encryption Discovery,â New York Times, December 24, 1997, available at http://www.nytimes.com/library/cyber/week/ 122497encrypt.html#1.
46 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES This report distinguishes between different kinds of cyber actions (that is, cyber actions with different effects) and different intents (whether an action is carried out with offensive or defensive intent). A useful anal- ogy is military mines. From a technological standpoint, a mine is an explosive device designed to explode (for example) on contact with a vehicle or a vessel. But it can be used for both defensive and offensive purposes. U.S. mines in the Korean demilitarized zone are intended to slow a North Korean attack, and their deployment is thus defensive in intent. U.S. mines in Nicaraguan ports were intended to contribute to the economic isolation of Nicaragua, and thus their deployment was offensive in intent. Similarly, a U.S. cyberattack against a specific Zendian computer sys- tem may be conducted in order to stop an attack on U.S. systems emanat- ing from that Zendian system (a defensive use), or it may be conducted in order to cripple a military computer system in anticipation of a U.S. kinetic attack on Zendia (an offensive use). Such issues affect perception across national boundaries as wellâwhat the United States regards as a defensive action another nation may regard as an offensive action. And both perceptions would have some factual basis. Furthermore, and as noted in Section 9.2.2, it may be more difficult to discern or assess intent when cyberattack is involved than when tradi- tional military forces are involved. From a policy perspective, this point regarding the difficulty of inferring intent is significant when the United States is the target of cyberattacks as well as when it conducts cyberat- tacks. The strategic significance and societal effect of a cyberattack on the United States originating with an overly curious teenaged hacker in San Diego or in Mexico City is not the same as one originating from Zendiaâs 342nd Information Operations regiment, although in the initial stages of a cyberattack on the United States, it may not be entirely clear which of these parties is behind it. At the same time, if an adversary is uncertain about the intent behind a cyberattack emanating from the United States, its reaction may well be may be hard to predict. Finding 16: Certain cyberattacks undertaken by the United States are likely to have significant operational implications for the U.S. private sector. The private sector owns and operates much of the infrastructure through which certain cyberattacks might be transmitted and also has a significant stake in the continuing operation of that infrastructure, in particular the Internet. Thus, cyberattacks launched through the Inter- net may well have implications for and impacts on other non-military national interests.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 47 It is not new that military decision makers must consider the impact of such decisions on other parties; for example, military decision makers have long known that reducing the availability of GPS satellites could have a major impact on non-military transportation, and efforts to jam adversary radars might impact non-military communications. However, in many such instances, the impacts could be spatially localized, e.g., by reducing the availability of GPS satellites only in the theater of conflict. Furthermore, because the adversary has been assumed to be confined to a particular geographic theater, adversary reactions to U.S. offensive opera- tions have been confined as wellâthus allowing non-military national activities outside the theater to be pursued under more or less normal conditions. However, the Internet portion of cyberspace is entirely shared between military and civilian uses and between the United States and adversaries. Thus, the U.S. private sector must be prepared to deal with the conse- quences should the United States take actions that provoke in-kind coun- terattack by an adversary. In addition, the United States must consider the possibility that a cyberattack of its own, carried over the Internet, might be detected by U.S. Internet service providers carrying that trafficâand then shut down in the (mistaken) belief that it was an attack being carried out by hackers or another nation. Lastly, U.S. cyberattacks that are directed against globally shared infrastructure supporting the private sector might have deleterious âblow- backâ effects on U.S. private sector entities. Such effects might be direct, in the sense that a U.S. cyberattack might propagate to harm a U.S. firm. Or they might affect the supply chain of a U.S. firmâa node in Zendia might support communications between a key U.S. firm and a supplier firm in Ruritania as well as military communications in Zendia, and a disabling cyberattack on that node might leave the U.S. firm without the ability to order goods from the Ruritanian firm. Finding 17: If and when the United States decides to launch a cyberattack, significant coordination among allied nations and a wide range of public and private entities may be neces- sary, depending on the scope and nature of the cyberattack in question. Significant amounts of coordination with multiple parties may be required if and when the U.S. government contemplates the use of cyber- attack. Although cyberattacks that are narrowly focused on highly spe- cific objectives may not have much potential for interfering with other ongoing cyber operations initiated by other parties, a sufficiently broad cyberattack might indeed interfere. In such cases, it may be necessary to
48 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES coordinate among a number of parties, including various U.S. govern- ment agencies and allied nations. All of these parties may have various cyber operations underway that might interfere with a U.S. cyberattack on an adversary. In addition, these agencies and nations would likely benefit from the strengthening of their defensive postures that could occur with advance notice of a possible in-kind response. The same considerations apply to private sector operators of information infrastructure that would be likely targets of an adversaryâs in-kind response to a U.S. cyberat- tack and for which advance notice of cyberattack would be helpful in strengthening their defensive posture, although selective notification for operators of U.S. information technology infrastructure may raise issues of discrimination comparable to those that led to the State Departmentâs adoption (after the Pan Am 103 bombing) of a policy of not warning gov- ernment employees of a terrorist threat without making a general public announcement of the threat. Certain kinds of cyberattack may require the cooperation of various vendorsâe.g., virus attacks that depend on disabling antivirus protection supplied by U.S. or foreign vendors or denial-of-service attacks requiring increased bandwidth supplied by U.S. or foreign Internet service providers. Finally, the United States is likely to have in its midst âpatriotic hackersââU.S. citizens and others who are strongly motivated to take direct action in putative support of an overt U.S. confrontation with another nation. These individualsâprivate citizens with some skills in the use of cyberattack weaponsâmight well launch cyberattacks on an adversary nation on their own initiative, that is, without the blessing and not under the direction or control of the U.S. government. Such actions might interfere tactically with operations planned by the U.S. govern- ment, and strategically they might be misinterpreted by the party being attacked as intentional U.S. actions and thus complicate the conduct of diplomatic action. Thus, the U.S. government would have to be prepared to discour- age their actions using all legal means at U.S. disposal (e.g., through law enforcement authorities seeking to enforce the Computer Fraud and Abuse Act against these patriotic hackers) and would have to anticipate in its planning the actions that were not discouraged. Such means are not limited to prosecution (which would almost surely require a time scale much longer than that of a U.S. cyberattack); other legal means are often available to shut down the operational capability of a patriotic hacker, including arrest, seizure of the computer involved, disconnection from the Internet service provider that the hacker uses, and so on. In extreme cases, the agency conducting the cyberattack might also find it necessary to conduct a cyberattack to neutralize the civilian sys- tem involved in this unhelpful hacker activity. Clear standards, thresh-
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 49 olds, and approval requirements would be necessary if such action were contemplated, and higher authority would have to consider a variety of questions. What sort of âinterferenceâ with a U.S. cyberattack is enough to justify an attack on a civilian U.S. system? What sort of circumstances would warrant such an attack? Need legal methods be attempted first? What level of certainty must exist about the involvement of the site before it can be attacked? Who must give the approval? Finding 18: The outcomes of many kinds of cyberattack are likely to be more uncertain than outcomes for other kinds of attack. Although planners for any kind of attack, kinetic or cyber, must take into account many uncertainties about the characteristics of the target and the environment around it, the intelligence information needed for a successful cyberattack (e.g., details of cabling between two systems) is often difficult to obtain through traditional methods such as remote photo reconnaissance. Such uncertainties can increase significantly the likelihood of unintended and/or unanticipated consequences. By contrast, many of the uncertainties in kinetic targeting can be calculated and bounded, and most of the remaining uncertainties relate to matters such as target selec- tion and collocation of other entities with the intended target. These comments should not be taken to imply that the mere pres- ence of uncertainty renders cyberweapons inherently unusable. In some cases, operational or policy goals may require âtaking a chanceâ even if the uncertainty of a given cyberattackâs effects is large. In other cases, the uncertainty inherent in a given cyberattack may not be significant from an operational or policy perspective. Moreover, the uncertainty associated with any and all cyberattacks is not necessarily large. A cyberattack might be designed to affect only a specific computer with a specific known serial numberâsuch an attack would have few ill effects on any other computer system. A close-access cyberattack on a computer without electronic con- nections with the outside world is very unlikely to have effects in the outside world, as long as it remains isolated. A cyberattack using soft- ware agents exploiting vulnerabilities in Linux cannot necessarily exploit similar vulnerabilities on computers running Windows or Macintosh-OS systems. But greater intelligence efforts to resolve uncertainties are likely to be necessary to achieve levels of confidence equivalent to those that generally characterize kinetic attacksâand such efforts may in some cases take long enough to render the use of cyberattack moot. Finding 19: Early use of cyberattack may be easy to contemplate in a pre-conflict situation, and so a greater degree of operational
50 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES oversight for cyberattack may be needed compared to that for the use of other options. It is easy to see how policy makers might regard cyberattack as a desirable option when coercive measures are needed. Cyberattack can be portrayed as an instrument that is easy, simple, temporary, reversible, non-lethal, and non-risky for the United States to use. But although it is possible to imagine that such attributes might characterize some cyberat- tacks, the committee believes that such claims should generally engender a certain degree of skepticism among policy makers. For example, a cyberattack might be regarded as a minor step. Although it is not new that âsmallâ activities in a preconflict situation may have large consequences,21 the operational footprint left by cyberat- tack activities is small, a fact that tends to render activities related to this area less visible to senior decision makers. Given the fact that cyberattack may have strategic significance (perhaps inadvertently),22 senior military commanders (for example) will need to take special care to maintain situ- ational awareness and affirmative control of their own forces under these circumstances and will need to exercise a greater degree of oversight than might be necessary if only conventional military forces are involved. (Of course, they also need to maintain awareness of adversary forces.) Similar considerations apply to those responsible for making deci- sions about covert action. From a technical standpoint, cyberattack is an i Â nstrument that is well suited to covert action because of the inherent deniability of a cyberattack and the ability to conduct such an attack without âboots on the groundâ (and thus without placing U.S. or other friendly lives at risk). This point is not intended to comment on the desir- ability of covert action as an option for U.S. decision makersâonly that should covert action be determined to be desirable and in the national interest, policy makers are likely to be drawn to cyberattack as a preferred methodology for implementing such action. Accordingly, all of those responsible for exercising oversight over covert actions up the entire 21 For example, during the Cuban Missile Crisis, a U-2 reconnaissance aircraft on a âroutine air sampling missionâ over Alaska went off course and flew into Soviet air- space. The Soviet Union scrambled fighters to intercept the airplane, and the United States scrambled fighters to provide cover for the U-2. These U.S. fighters had been armed with nuclear air-to-air missiles. Upon hearing this news, Secretary of Defense Robert McNamara expressed grave concerns that the U-2 flight could have been interpreted as the prelude to a U.S. nuclear strike on the Soviet Union. See Max Frankel, High Noon in the Cold War: Kennedy, Khrushchev, and the Cuban Missile Crisis, Random House, New York, 2005. 22 Consider the possibility that a nuclear-armed nation might respond with the use of nuclear weapons to a major cyberattack (i.e., one with major societal consequences), as discussed in Section 10.3.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 51 chain of command must be cognizant and aware of the risks, benefits, and uncertainties that they entail, whether they involve the use of cyberattack or other instruments. The possibility of using cyberattack as a means of covert action may also tempt decision makers to think that they might conduct a covert action with very little chance of detectionâand there- fore might lead to an inclination to intervene simply because the risks of detection are seen as lower. Finding 20: Developing appropriate rules of engagement for the use of cyberweapons is very difficult. Rules of engagement (ROEs) specify for military personnel the cir- cumstances under which they can use their weapons and the author- ity required for doing so. Most importantly, ROEs are supposed to be developed prior to the need for use of their weapons, so that operators have proper guidance under operational circumstances. This fact means that various contingencies must be anticipated in advance, and of course it is difficult to imagine all possible contingencies before any of them happen. Although ROEs normally are not specific to individual weapons sys- tems, the presence of weapons or tools for cyberattack may be problem- atic. When cyberattack may be used, ROEs must be developed to cope with the fact that several dimensions of cyberattack span a wide range. A cyberattack may be non-lethal, or it may be destructive on a society-wide scale. The impact of a cyberattack can be easily predicted in some cases and highly uncertain in other cases. The set of potential targets that may be adversely affected by a cyberattack is quite large, and likely larger than the corresponding set of potential targets for other weapons. A cyberat- tack conducted for offensive purposes may well require authorization from higher levels of command than would a technically similar cyberat- tack conducted for defensive purposes. The adversary might not react at all to a cyberattack, or it might react with nuclear weapons. The adversary might be a solo hacker or a well-funded nation-state. It is thus unrealistic to try to craft a single ROE that attempts to cover all uses of cyberattack. Rather, it will be necessary to tailor an array of ROEs that are applicable to specific kinds of cyberattack and for likely specific circumstances. And it will be at least as difficult to craft ROEs for missions involving cyberat- tack as for missions involving other kinds of weapons. As an illustration of the complexity of developing ROEs in a specific situation involving cyberattack, consider some of the issues in developing, in advance, military ROEs for active threat neutralizationâunder what circumstances governed by what authority might a counter-Âcyberattack be launched to neutralize an immediate or ongoing threat?
52 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES â¢ Who should have influence on the development of ROEs for active threat neutralization? It is obvious that the agency conducting a counterattack should have input (likely the DOD or the intelligence community). But other agencies (notably the Departments of Homeland Security, State, Justice, and Commerce) may have equities at stake as well. And although it makes little sense for Congress to be involved in approving rules of engagement in detail, Congress should have mechanisms for being kept informed of the general circumstances under which the U.S. government does undertake active threat neutralization. â¢ How, if at all, are the intent and the identity of a cyberattacker relevant? If the cyberattacker is determined to be a nation-state, does it increase or decrease the appropriateness of a neutralization effort? (If it depends on other factors, what other factors?) And if intent is relevant, how is the intent of the cyberattacker to be ascertained? Suppose that the proximate nodes involved in an attack can be identified but they are likely innocent parties who have been compromisedâis it appropriate to neutralize the threat emanating from their systems? â¢ How does the proportionality principle apply to active threat neutraliza- tion? Proportionality requires that the value of neutralizing the threat be outweighed by the likely collateral damage of the counterattack. How is the likely collateral damage to be estimated, especially if the response is automated and launched without human analysis or intervention? Or does a proper proportionality analysis require human intervention before such a response is launched? â¢ How far down the chain of command should delegation of authority to launch an active threat neutralization be carried? For example, although the commander of the U.S. Strategic Command has the authority under standing rules of engagement to conduct a response action, it is unlikely (though possible) that he must himself approve the action. It is more likely that the authority to do so is further delegated to other parties down the chain of command. But since a response action is a serious thing, there must be limits (not known to the committee) to how far this authority is delegated. (An automated response, as proposed by the U.S. Air Forceâs Concept of Operations for its Cyber Control System, would represent the ultimate in delegation of authority.) â¢ What level of impact (among other factors) must an incoming cyberattack threat achieve in order to justify an active threat neutralization? The standard used by the U.S. Strategic Command is that an incoming cyberattack must have a material impact on the DODâs ability to perform a mission or to carry out an operation, and that cyberattacks that merely cause inconve- nience or that are directed only at intelligence gathering do not rise to the threshold of warranting such a response. For example, a cyberattack on the command and control system for Navy ballistic missile submarines
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 53 might warrant an active threat neutralization, but a cyberattack on the administrative computers of the U.S. Strategic Command might not. â¢ How should the scope, duration, and intensity of a neutralization action be calibrated? The intent of neutralization is to stop an incoming attack. But the scope, duration, and intensity of a response may relate to oneâs con- fidence in actually achieving an effective neutralization, as well as to the collateral damage that may be incurred. In addition, political reality may dictate that only a commensurate response (i.e., a response that inflicts a similar amount of harm on an adversary) is possibleâhow might this requirement square with effectiveness in stopping the attack? A further level of complication in developing rules of engagement is that the factors above cannot be assessed independently. For example, the authority needed to launch an active threat neutralization may depend on the identity of the attackerâperhaps local authority would be needed if the attacker were a teenager in Zendia, but perhaps the personal author- ity of the commander of U.S. Strategic Command would be needed if the attacker were the 418th Zendian Information Operations Brigade. Perhaps higher-level authority would be needed if more collateral damage were possible. The difficulties in formulating appropriate rules of engagement, and of different human beings interpreting these rules in a manner consis- tent with the intent in formulating them, suggest that there may well be differences between what is intended and what is actually doneâand furthermore that these differences reflect an enduring reality of the way such processes operate. 1.8.6â Organizational Findings Finding 21: Both the decision-making apparatus for cyberattack and the oversight mechanisms for that apparatus are inadequate today. Adequate policy decision making and oversight require a sufficient base of technical knowledge relevant to the activities in question, an organizational structure that enables decision making and oversight to take place, and information about activities that are actually undertaken under the rubric of policy. Cyberattack is a relatively new addition to the menu of options that policy makers may exercise, and there are few precedents and little his- tory to guide them today. The infrastructure and resources needed to conduct such activities, and the activities themselves, are by their nature less visible than those associated with more traditional military, intel-
54 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES ligence, or law enforcement activities. They do not fit into standard cat- egoriesâthe weapons involved initially act in a non-lethal manner, even though they may have subsequent effects that are lethal or destructive; the activities for which they are suited go far beyond just surveillance or just covert action; and they are shrouded in secrecy. In many cases, bud- gets to acquire cyberattack capabilities are likely small compared to the budgets for major weapons acquisition programs. The technical knowl- edge needed to conduct informed oversight is not widespread, and the importance of cyberattack as a possible option for policy makers is not widely appreciated. Procedures for informing potentially relevant policy makers in both the executive and the legislative branches appear to be minimal or non-existent. To illustrate the committeeâs concerns, consider the delegation of authority to the commander of the U.S. Strategic Command for conduct- ing an active threat neutralization (a limited and specific form of active defense) to protect military computer systems and networks whose mis- sion performance has been compromised by a cyberattack. The implica- tions of such an action conducted against computer systems or networks outside U.S. borders may range beyond strictly military ones, especially if the potential for unintended consequences is taken into account. This is not to say that all active responses have such potential, or that any active response will necessarily have unintended consequences. But absent mechanisms for factoring in diplomatic or political considerations, the committee is concerned about a decision to conduct an active threat neu- tralization that takes into account only military or local tactical consider- ations of protecting the mission capability of U.S. military networks. With such factors in play, an adequate organizational structure for making decisions and exercising oversight has not emerged, and much of the information relevant to conducting oversight is unavailable. As a result, government and society at large are neither organized nor pre- pared to think about the implications of cyberattack as an instrument of national policy, let alone to make informed decisions about them. Finding 22: The U.S. Congress has a substantial role to play in authorizing the use of military force, but the contours of that authority and the circumstances under which authorization is necessary are at least as uncertain for cyberattack as for the use of other weapons. One important missing elementâconspicuous in its absenceâin the decision-making apparatus of the U.S. government is the role that the Congress does or should play in decisions related to cyberattack. As noted in Chapter 6, Congress has an important authorization role regarding
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 55 the use of military force under many circumstances, although the limits of that authority are the subject of much dispute between the executive and legislative branches. If the necessity of congressional authorization for the use of traditional U.S. military forces is disputed as it has been in recent U.S. history, consider the conundrums that could accompany the use of weapons that are for all practical purposes covert and whose âdeploymentsâ would be entirely invisible to the public or even to most uniformed military personnel. In general terms, the use of cyberattack raises the same sorts of issues as other instruments of warfare such as frigates and cruise mis- siles. When does the President have inherent authority to act regardless of what Congress says or does? When must the President obtain congres- sional approval before acting? When can Congress define the standards and procedures that limit what would otherwise be plenary presidential authority? Nevertheless, cyberweapons raise particularly difficult issues in this context (as do certain kinds of non-cyberweapons), because of the need for speed in using such weapons (e.g., because of a targetâs tran- sience), the risk of unintended and unknown consequences, and the lack of visibility of their use. The committee refrains from making a finding on the boundaries between presidential and congressional authorities in this area, but notes the existence of certain limiting cases on both sides of this debate. In one limiting case, the committee believes it would be broadly accepted that presidential views of executive branch powers notwithstanding, congres- sional authorization is required for the United States to launch a large- scale cyberattack against another nation with the intent of shutting down the essential civil services of that nationâtransportation, electric power, financial services, and so onâif the attack were contemplated as a first use of coercive or aggressive action against that nation. In another limiting case on the other side, the committee believes that there are certainly some circumstances under which some kind of cyberat- tack might be launched without explicit congressional authorization, just as certain kinds of military force can be used under some circumstances without such authorization. The canonical example of the latter is the use of force in self-defenseâif U.S. military units are attacked, standing rules of engagement generally permit the use of lethal force against the attacking party. However, in the vast area of possible circumstances in between these two limiting cases in which the United States might contemplate a cyber- attack, the lines are most unclear, and the committee is explicitly silent on those lines. A variety of factors may influence whether a given situation falls above the line requiring congressional authorization or below the line.
56 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES Possibly relevant factors include the scale of the cyberattack contem- plated, the target of the cyberattack, and the circumstances that define âfirst use.â One particularly problematic issue is the possibility of escala- tion and unanticipated effects, in which cyberattacks that do not require congressional authorization might evolve into cyberattacks that do. (Unanticipated effects are, by definition, unintentional, although they might well not be perceived by the attacked party as unintentional.) The escalation issue is also present in a non-cyber context, and is indeed what the War Powers Resolution was intended to prevent, but as discussed in Section 6.2.1, the cyber dimension of the issue significantly increases the complexity of the problem. Finally, the committee calls special attention to the fact that congres- sional concerns about asserting authority over the use of military forces are generally at their maximum when U.S. military forces are placed directly in harmâs wayâthat is, when U.S. casualties may be the result of direct combat. Cyberattacks launched by the United States are highly unlikely to place U.S. forces at direct risk, and indeed would in general be easy to undertake with minimal public visibility. Thus, explicit mechanisms to provide relevant information to the appropriate congressional parties are essential if Congress is to know if and when it should be involved. 1.9â Recommendations U.S. acquisition and use of cyberattack capabilities raise many issues in need of broad understanding and deserving of extensive and wide- spread national conversation and debate. One set of committee recom- mendations focuses on fostering that debate. A second set of recommen- dations focuses on operational needs. A caution to the reader: For the most part, the recommendations below are formulated as advising that âthe U.S. government should do X or Y.â This formulation violates a basic canon of making recommenda- tions to policy makers, namely that the party viewed by the committee as responsible for taking action on a recommendation should always be made as specific as possible. However, consistent with Finding 21, the committee could not identify an appropriate entity within the U.S. government to take action, and indeed as this report is being written, the U.S. government is trying to decide how best to organize itself internally to deal with the implications of cyberattack as an instrument of national policy.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 57 1.9.1â Fostering a National Debate on Cyberattack Recommendation 1: The United States should establish a public national policy regarding cyberattack for all sectors of govern- ment, including but not necessarily limited to the Departments of Defense, State, Homeland Security, Treasury, and Commerce; the intelligence community; and law enforcement. The senior leader- ship of these organizations should be involved in formulating this national policy. As noted in Chapter 6, the DOD Information Operations Roadmap of 2003 recommended that the U.S. government should have a declara- tory policy on the use of cyberspace for offensive cyber operations. As the committee has been unable to find any such statement of declaratory policy, it concurs with and reiterates this call. At a minimum, such a policy would involve the DOD, the intelligence community, and law enforce- ment agencies, and would address the following questions: â¢ For what purposes does the United States maintain a capability for cyberattack? â¢ Do cyberattack capabilities exist to fight wars and to engage in covert intelligence or military activity if necessary, or do they exist pri- marily to deter others (nation-states, terrorist groups) from launching cyberattacks on the United States? â¢ If they exist to fight wars, are they to be used in a limited fash- ion? Under what circumstances would what kinds of cyberattack be launched? â¢ What legal regimes are relevant to different levels of cyberconflict? â¢ How and when is cyberconflict to be stopped? â¢ To the extent that cyberattack is part of the U.S. deterrent posture, how can its use be established as a credible threat? â¢ What, if any, role do cyberattack capabilities have in law enforce- ment efforts directed against transnational criminal groups? A clear statement of policy in this area would enable various gov- ernment actors, and the private sector as well, to understand the con- straints and limitations on using cyberattack for various purposes and to establish appropriate standards of behavior in this domain. Appro- priate policy would provide important guidance for U.S. armed forces, intelligence agencies, and others in a domain in which international and national law may be inadequate to manage the full ramifications of using cyberattack.
58 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES For example, the United States could declare its commitment to abid- ing by the laws of armed conflict with respect to cyberattack. Such a posture could well affect the willingness of other nations to make simi- lar declarations. Another related example concerns the national military strategy of the United States. As noted in Section 6.1.1, the National Mili- tary Strategy of the United States, published in 2004, indicated that the United States could respond using nuclear weapons to certain kinds of large-scale cyberattacks. Does this presumably authoritative statement of 2004 continue to reflect U.S. policy? If not, how does current policy differ? If so, is this an appropriate policy? The new administration could undertake a review of cyberattack policy comparable to the nuclear policy review that new administrations often perform. Congressional hearings on this topic would also be useful in shedding light on government thinking about this topic. The promulgation of a comprehensive declaratory policy would be a good first step for the government in becoming more forthcoming about its own thinking in this area and providing a benchmark for public discus- sion. But although the committee endorses the 2003 DOD recommenda- tion regarding establishment of declaratory policy with respect to military equities, the committee goes further still. As noted in Finding 1, the com- mittee believes that U.S. acquisition and use of cyberattack raises many important policy issues that go far beyond the Department of Defense. Such issues deserve an extensive and widespread national conversa- tion and debate about how cyberattack might affect a broad spectrum of national interests. The Departments of State, Homeland Security, and Treasury, and law enforcement agencies are thus included in Recommendation 1, even though they are not traditionally regarded as agencies with interests in cyberattack. The State Department is included because cyberattack has many international dimensions. The DHS and law enforcement agencies are included because tracing the ultimate source of an incoming cyber- attack often requires the investigator to penetrate intermediate nodes, capture the relevant traffic, and then analyze it to determine the next node in the chain. Law enforcement authorities are also responsible for aspects of preventing or prosecuting cybercrime. The Department of the Treasury has responsibility for enforcing sanctions, and cyberattack may be relevant to the performance of this mission. In addition, implementa- tion of Recommendation 10 may call for the establishment of an agency or a body with certain law-enforcement-like responsibilities that would also find some utility in conducting certain kinds of cyberattack. Recommendation 2: The U.S. government should conduct a broad, unclassified national debate and discussion about cyber-
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 59 attack policy, ensuring that all partiesâparticularly Congress, the professional military, and the intelligence agenciesâare involved in discussions and are familiar with the issues. As noted in the Preface, the topic of cyberattack is highly classified within the U.S. government. Some aspects of the topic are classified with good reasonâthese include the fact of U.S. interest in a specific cyberat- tack technology (rather than the nature of that technology itself); fragile and sensitive operational details that are not specific to the technologies themselves (e.g., the existence of a covert operative in a specific foreign country or a particular vulnerability); or capabilities and intentions of spe- cific adversaries. But the details of these areas are not particularly relevant to answering questions about declaratory policy, and thus secrecy even about broad policy issues serves mostly to inhibit necessary discussion about them. Although implementation of Recommendation 2 would benefit both the private and public sectors of the nation as a whole, two stakeholder groups have particular significance. Both the U.S. Congress and the profes- sional military/intelligence agencies need at least a basic understanding of the policy issues and their relationship to the basic technologies involved, but the broad classification of virtually all issues related to cyberattack is a significant barrier to the discharge of their responsibilities. Recommendation 3: The U.S. government should work to find common ground with other nations regarding cyberattack. Such common ground should include better mutual understanding regarding various national views of cyberattack, as well as mea- sures to promote transparency and confidence building. The committee believes that most other nations are no farther along in their understanding of the key issues than is the United States. It is therefore important for the United States to begin to find common ground on this topic with allies, neutrals, and potential adversaries. In this con- text, âcommon groundâ is not a euphemism for treaties or arms control agreements regarding cyberattack. It is rather a term that denotes a com- mon understanding of its significance for policyâand common ground is important for allies and adversaries alike if misunderstandings are to be avoided. Consultations with allies of the United States (such as the NATO countries) are likely to be the easiest to undertake. Such consultations should take two tracksâbetween the governmental entities that would be responsible for executing cyberattacks in these nations and between the cognizant policy decision makers. At the very least, those with opera-
60 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES tional responsibility for attack execution need to develop mechanisms for coordinating cyberattacks so that they do not interfere with each other. And policy makers must be able to discuss issues related to cyberattack in an informed manner, without having to learn about them in the middle of a cyber crisis. As an example of such consultation, NATO established in March 2008 the Cyber Defence Management Authority, which will manage cyberde- fense across all NATOâs communication and information systems and could support individual allies in defending against cyberattacks upon request.23 One press report indicates that âthe Authority will also develop and propose standards and procedures for national and NATO cyberde- fence organisations to prevent, detect, and deter attacks,â but will focus on defense âwhether an attack comes from state, criminal or other sources.â24 Similar efforts to reach common understandings regarding cyberattack (and on the relationship of cyberattack to cyberdefense) would be help- ful as well. Consultations with potential near-peer adversaries, or with the United Nations, are more politically fraught, especially with the Russian Federa- tion seeking to delegitimize cyberattack entirely as a method of warfare. But Russian proposals on this topic are based on a Russian view of the topic, and it is worth understanding in some detail the sources of Russian concerns, even if the ultimate result is an agreement to disagree about basic premises and concepts. More generally, it would be helpful for all of the worldâs nations to understand the scope and nature of their interests where cyberattack is involved, and the only way to begin the process of developing understanding is to start consultations. There are, of course, multiple forums in which to initiate consulta- tions. Treaty negotiations are one possible forum, although U.S. policy makers may feel that such a forum grants too much legitimacy to an idea deemed by many in the U.S. government to be inconsistent with U.S. national interests. The UN Security Council itself could be another forum for discussions. NATO or G-7 ministerial discussions could be used to start consultations among allies. The committee believes that greater mutual understanding and com- mon ground should be sought on the following topics: â¢ The scope and nature of cyberattacks, especially including those that would constitute a âuse of forceâ and an âarmed attack.â Given the overall lack 23 NATO, âDefending Against Cyber Attacks: What Does This Mean in Practice?,â March 31, 2008, available at http://www.nato.int/issues/cyber_defence/practice.html. 24 See http://www.computerweekly.com/Articles/2008/04/04/230143/nato-sets-up- cyber-defence-management-authority-in-brussels.htm/.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 61 of experience and history with cyberattack, such discussions would serve to provide common vocabularies and conceptual frameworks for address- ing the issue in the future. What activities constitute a cyberattack? How might damage or harm from a cyberattack be assessed? What activities might constitute evidence of hostile intent? How should cyberexploitation and intelligence gathering be differentiated from cyberattacks? How, if at all, should exploitations for economic purposes be differentiated from exploitations for national security purposes? During discussions of these issues, no nation would have to acknowledge undertaking any of these activities since the intent would be the development of common concep- tual frameworks. â¢ Measures to promote transparency and to build confidence in the lack of aggressive intent. By analogy to confidence-building measures in other domains (Chapter 10), the United States and other nations should seek to establish lines of communication between responsible and authoritative parties within their respective governments that would be able to account for or to deny suspicious cyber operations that might appear to be occur- ring at government direction. To make such communications meaningful, it would also be helpful for the nation involved to agree to cooperate in the investigation of such operations and/or to allow the victimized party to engage in self-help activities. Explicit agreement could be sought on what is required in order to âcooperateâ on any investigation. For example, cooperation might require the nation hosting a network node involved in a cyberattack to provide forensic analysis of information on that node. â¢ Building of informal relationships among key participants in both the public and the private sector. One of the primary lessons of the Estonian incident of 2007 was the enormous value of relationships of trust among certain individuals in the Estonian government and top technical people from the various Internet service providers for Estonia and around the world. By exploiting these relationships, it was possible to take action to dampen the effect of the cyberattack against Estonia in a much shorter time than would have been possible if only formally sanctioned relation- ships between governments were available. Support and encouragement to develop such relationships should be provided by the governments involved. â¢ Separation or identification of the computer systems and networks of military forces, the civilian population, and specifically protected entities (e.g., hospitals). Much of the difficulty of adhering to the framework of the law of armed conflict in the context of cyberattack arises from the difficulty of distinguishing between valid military targets and other entities that are specially protected or are possible victims of collateral damage. It may be possible to develop mutually agreed methods or cooperative technical
62 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES means for cyberattackers to distinguish between these different catego- ries to minimize inadvertent damage to non-military targets and ways to verify that these declared distinctions were being properly applied. â¢ The significance of non-state parties that might launch cyberattacks, and how nations should respond to such attacks. Today, the Convention on Cybercrime is the only international agreement on how nations should respond to cyberattacks, and is in essence an agreement to harmonize criminal law in this area and to facilitate law enforcement cooperation among the signatories. But as noted in the argumentation for Finding 7, the law enforcement framework operates in many cases on a time scale that is far too long to protect victims of cyberattack from harm. 1.9.2â Organizing the Decision-Making Apparatus of the U.S. Government for Cyberattack Recommendation 4: The U.S. government should have a clear, transparent, and inclusive decision-making structure in place to decide how, when, and why a cyberattack will be conducted. As noted earlier, the use of cyberattack in pre-conflict situations is likely to be tempting to policy makers. But because cyberattack can have far-reaching implications (at least in part because the actual scope of a cyberattack somehow gone awry may be much greater than that intended), senior policy makers should have a mechanism for ensuring that consulta- tions take place with all stakeholders with equities that might be affected by a U.S. cyberattack in pre-conflict situations. At a minimum, it would appear that the Departments of Defense, State, and Homeland Security, and the law enforcement and intelligence communities would have to be involved in coming to terms with issues, such as advance coordination of a U.S. cyberattack that might lead to a cyberattack on the United States or to a determination that exploitation of adversary computers should (or should not) have priority over disabling or damaging them. As an example of a question for which the U.S. government as a whole needs to establish an authoritative decision-making structure, con- sider cyberattack in the context of the dividing line between covert action and military activity. The U.S. Code defines covert action as âan activity or activities of the United States Government to influence political, eco- nomic, or military conditions abroad, where it is intended that the role of the United States Government will not be apparent or acknowledged publiclyâ (50 USC 413b(e)). At the same time, the U.S. code also defines any activity executed under control of the DOD chain of command as falling under the definition of a traditional military activity associated
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 63 with anticipated or ongoing hostilities, and such activity thus is not covert action subject to the findings and congressional reporting process. The question of the boundaries between covert action and traditional military activities has been the subject of much discussion over the past several years (since the U.S. invasions of Afghanistan and Iraq). The find- ings and reporting process is often disliked by incumbent administrations, because it constrains an administrationâs ability to act freely and quickly and runs the risk of leaks that may reveal the existence of a covert action. On the other hand, many informed advocates of the process believe that the existence of such a process forces the executive branch to coordinate internal stakeholders and their equities, and also provides for necessary external review of actions that may be ill-advised from a broader public policy perspective. The committee was not constituted to address this tension in its broad- est formulation. But the stealthy operation and the difficulty of attribution associated with cyberattack weapons inherently makes them instruments of deniable action and may change the cost-benefit calculation in deciding whether a given covert action should be undertaken. Thus, the committee anticipates that this tension will increasingly manifest itself in a cyberat- tack context, and may push the boundaries of settled law and policy into uncharted territory. Accordingly, the committee believes that the issue is sufficiently important to warrant high-level attention from both the Administration and the Congress. A second example of the need for an inclusive decision-making struc- ture regarding cyberattack relates to active defense. As noted in Chapter 3, STRATCOM has the authority to neutralize a cyberthreat that compro- mises DOD mission effectiveness. Such authority is consistent with the traditional DOD standing rules of engagement that provide for force pro- tection. Depending on the nature of the response action taken, however, a response may have strategic implications that go beyond force protection, even if the response action is limited in scope, effect, and duration. For example, if a cyberthreat is emanating from the military forces of a near- peer adversary, a response action may lead to escalationâespecially if the response is not as controlled in execution as it was in planning or if the incident occurs during times of tension. For such reasons, the committee believes that the decision to take such actions should be made at levels of authority high enough to weigh the various equities (military, diplomatic, and so on) appropriately. For example, the committee believes that the stakes of a neutralization cyber- attack must be high enough (i.e., the damage being caused to computer systems and networks important and serious enough) and success likely enough to justify the political risks of launching a counterattack, such as the possibility that world opinion might not see U.S. cyberattacks under-
64 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES taken under the rubric of active defense as innocent acts of self-defense, even if they are. Such an assessment can be made only at the highest levels of government. These points should not be taken to imply that the authority to con- duct a neutralization response should not be delegated (though they do suggest that delegation should not go too far down the chain of com- mand). Delegation with clear rules of engagement may be the only way to reconcile high-level decision making with the need for prompt response. Such rules would clearly establish the threshold at which a military mis- sion is compromised and the constraints on the scope and nature of a neutralization response. For instance, one constraint might be conducting a neutralization response only when other methods25 for responding to a cyberattack have proven (or will prove) ineffective. Another constraint might require that a neutralization response be limited in scope and as focused as possible on eliminating the threat in order to minimize the pos- sibility of inadvertent escalation.26 (Both of these constraints appear to be consistent with the rules of engagement described in Section 3.3 concern- ing possible DOD response actions for computer network defense.) But because of the potential for erroneous response (Chapter 2 dis- cusses the difficulties of attribution and attack assessment) and for inad- vertent escalation (as described in Chapter 9), the committee is highly skeptical of the idea that delegation should include automated neutraliza- tion responses, a capability of interest to the U.S. Air Force (as noted in Box 3.5). Indeed, the authority for conducting a neutralization response should flow explicitly from higher authority, only after higher authority has considered all of the various equities in an integrated manner, and only after higher authority has reviewed and if necessary modified stand- ing rules of engagement during times of crisis. Whether this description of the flow of authority in fact characterizes current rules of engagement for STRATCOMâs authority to conduct response actions is not known to the committee. A third example of the need for an inclusive decision-making struc- 25 These other methods may include dropping connections, closing ports, asking Inter- net service providers to shut down nodes identified as being sources of the attack, diverting attack traffic to other locations, changing IP addresses, and so on. 26 For example, consider two possible neutralization responses to a given botnet threat, wherein the botnet is controlled by a machine to which an access path has been established. One approach might be to launch a denial-of-service attack against the controller in order to prevent it from communicating with the bots it controls. Another approach might be to break into the controller to assume control of the botnet, and then issue orders to shut off the attack. Although the first method might be faster, it presumes that the attacked machine is dedicated to the controlling function, whereas in fact the machine in question might have other non-hostile functions whose termination might constitute an escalation.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 65 ture can be seen in the fact that during active hostilities, a cyberattack conducted for tactical purposes might lead to opportunities whose exploi- tation would have strategic significance. For example, consider a cyberat- tack on the command and control network in the nationwide Zendian air defense system. In the process of exploring the network, corrupting data, and issuing confusing or damaging commands, U.S. operators might stumble onto a communications link with the Zendian national command authority (NCA). Exploitation of that link might enable the United States to penetrate the command and control network of the Zendian NCAâbut a decision to do so should not be made by operators and commanders on the ground but rather by higher U.S. authorities. Thus, mechanisms must be established to provide such information up the chain of com- mand when necessary, and other mechanisms established to act on such information should it be made available. Recommendation 5: The U.S. government should provide a peri- odic accounting of cyberattacks undertaken by the U.S. armed forces, federal law enforcement agencies, intelligence agencies, and any other agencies with authorities to conduct such attacks in sufficient detail to provide decision makers with a more com- prehensive understanding of these activities. Such an accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees. Whether or not cyberattack falls into the category of covert action, it appears that even within the executive branch, knowledge of the actual cyberattack activities of the United States is highly fragmented. An authoritative source, updated periodically, that documents the extent and nature of such activities and provides analyses of their impact and/ or significance would help senior decision makers within the executive branch and Congress in carrying out their authorization and oversight responsibilities. The committee expects that such a compendium would be highly classified, as it would likely reveal many sensitive details regarding actual U.S. capabilities and actions. For understanding policy and for exercising oversight, such an accounting would describe the purposes served by any given cyberattack, the intended target(s), the outcome, the difficulties encountered in conducting the attack, the rules of engagement relevant to that cyberattack, and both the anticipated and the actual value of the attack in serving U.S. national interests. If necessary, exemptions to such reporting for extremely sensitive operations might be modeled on those
66 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES in the statute on covert action providing for more limited âGang-of-Eightâ reporting.27 One approach to collecting the information would be for cyberattacks to be reported more or less contemporaneously to the National Security Council, which would compile and analyze the information and then distribute it when required to do so. This approach also has the advan- tage of informing senior executive branch decision makers of potentially significant events that might affect their activities and decisions in other domains (e.g., if undertaken in the middle of a crisis, an inappropriately timed cyberattack might have diplomatic repercussions).28 Also, consistent with Finding 22, the committee recommends the establishment of mechanisms to promptly inform the appropriate parties in Congress before the United States launches significant U.S. cyberat- tacks against other powers or entities or promptly thereafter. âPromptlyâ should be understood to refer to a time scale shorter than or comparable to those required by the War Powers Resolution for introducing U.S. armed forces into hostilities. Finally, the committee recognizes that many definitional issues remain to be worked out. It is the committeeâs recommendation that a reportable cyberattack be defined as one that was initiated with the intent of alter- ing, disrupting, deceiving, degrading, or destroying adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks immediately or in the future. For example, reasonable people might disagree over whether cyberexploita- tions should also be included, but the goal is for responsible senior deci- sion makers to have a reasonably comprehensive view of the cyberattack- related activities of the U.S. government. 1.9.3â Supporting Cyberattack Capabilities and Policy Recommendation 6: U.S. policy makers should judge the policy, legal, and ethical significance of launching a cyberattack largely on the basis of both its likely direct effects and its indirect effects. 27 âGang-of-Eightâ reporting refers to the requirement to report only to the chair and ranking minority member of the House and Senate Select Committees on Intelligence, the Senate majority and minority leaders, and the Speaker of the House and the House Minor- ity Leader. Reporting to the âGang of Eightâ meets the legal requirement for presidential briefing to Congress for certain selected intelligence activities. 28 In this regard, executive branch notification might be regarded as being analogous to notifying the secretary of defense about all missile test launches. The intent of this long- standing rule was not that the secretary had to approve such launches but rather that the secretary should know if a launch was going to occur in the middle of other events or dur- ing a crisis.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 67 As noted in Finding 5, the consequences of a cyberattack may be both direct and indirectâand both must be taken into account in determining appropriate courses of action. Cyberattacks cannot be assumed to be of lesser consequence simply because they are primarily non-kinetic attacks on computer systems or networks. This point is especially relevant in considering responses to a crisis or an incident in which a forceful U.S. response is desired. Because a cyber- attack may appear to be an action short of a ârealâ military deployment or response if only direct effects are considered, and in any event would be unlikely to place U.S. forces directly in harmâs way, policy makers may be unduly tempted to take such an action unless they consider the cyberattackâs indirect effects as well. More generally, the difficult legal and ethical policy issues regard- ing the appropriateness of using cyberattack seem to arise mostly in a prekinetic situation, where traditional armed conflict has not yet arisen (and may never arise). In this context, decision makers must determine whether a cyberattack would be equivalent to âthe use of forceâ or âan armed attack.â Effects-based analysis provides one criterion for such a determinationâequivalence would be determined by comparing the scale of death and/or destruction that would result from a cyberattack (taking into account both direct and indirect effects) to that which would result from a use of kinetic force. As for the situation in which a âkineticâ conflict has already broken out, cyberattack is just one more tactical military option to be evaluated along with other such optionsâthat is, when U.S. military forces are engaged in traditional tactical armed conflict and except in extraordinary circumstances, there is no reason that any non-LOAC restrictions should be placed on the use of cyberattack vis-Ã -vis any other tactical military option. Thus, if a given tactical operation calls for attacking a certain target, LOAC questions about necessity, proportionality, and distinction must be asked about the use of cyberattack, the use of special operations troops, and the use of a cruise missileâand attacks that do not satisfy LOAC constraints may not be used. (Needless to say, both direct and indirect effects must be considered in this analysis, and uncertainties in the answers to these questions must be taken into account as well.) The extraordinary circumstances mentioned above relate to instances in which U.S. military forces might be contemplating actions with stra- tegic significance. For example, a cyberattack on an adversary satellite might have tactical benefits, but the use of a cyberattack for this purpose should be considered just as carefully as the use of a direct-ascent mis- sile or a ground-based laser. The latter decision today would not be the sole province of the commander in the field, but would likely involve the National Command Authority directly, and so should the former. Com-
68 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES manders in the field should not be tempted by the seeming ease or low profile of cyberattack to use such an option when other options would not be used. Finally, Recommendation 6 should not be taken to mean that only effects are relevant to a policy, legal, or ethical analysis of any given cyber- attack. The committee recognizes, for example, that the intent with which a cyberattack is carried out may well be relevant to such analysis, though the attackerâs intent may be largely irrelevant to its effects. Indeed, the DOD standing rules of engagement (mentioned in Section 3.3) obligate military commanders to âdefend that commanderâs unit and other U.S. forces in the vicinity from a hostile act or demonstration of hostile intent.â The party responsible for the attack is also a relevant factorâit matters whether the responsible party is a nation-state, terrorist group, criminal organization, hacker, or a careless graduate student. Thus, a cyberattack launched by a terrorist group affecting a small number of important national security computer systems may well be regarded as a more hostile act than a cyberattack launched by a careless graduate student affecting millions of systems around the world (including some national security computer systems)âand a national response should account for such differences. Recommendation 7: U.S. policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict. As noted in Chapter 7, the law of armed conflictâspecifically jus in belloâdoes not pertain to the behavior of military forces in situations that fall short of actual armed conflict, and the relevant international law under such circumstances is poorly developed at best. Nevertheless, the committee believes that U.S. policy makers should apply the moral and ethical principles underlying the law of armed conflict jus in bello (pro- portionality, necessity, distinction, and so on) to cyberattack even if the use of cyberattack is contemplated for situations that fall short of actual armed conflict. The application of these principles would be particularly relevant in two situations: â¢ Covert actions involving cyberattack. (As noted in Chapter 4, tradi- tional U.S. interpretations of the laws of armed conflict require covert action, whether or not it involves violent activities, to be conducted con- sistent with LOACâs requirements.) â¢ Periods of heightened tension, during which combatant commanders
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 69 may undertake some cyberattack activities for shaping the operational environment to facilitate later employment of other activities (as noted in Chapter 3). Recommendation 8: The United States should maintain and acquire effective cyberattack capabilities. Advances in capabili- ties should be continually factored into policy development, and a comprehensive budget accounting for research, development, testing, and evaluation relevant to cyberattack should be avail- able to appropriate decision makers in the executive and legisla- tive branches. The committee believes that it would be unwise policy to eschew cyberattack under all circumstances. For those instances in which the use of cyberattack is warranted, the United States should have at its disposal the most effective and flexible cyberattack technologies and sup- porting infrastructure possibleâsystems that can operate on the time scales required, with the necessary command and control (including self- destruct when necessary and appropriate), guided by the best possible intelligence information, with a high probability of mission success and a low risk of collateral damage. Accordingly, in addition to a robust and significant effort for research, development, testing, and evaluation to strengthen U.S. cyber defensive capabilities, the committee believes that the United States should continue to invest in the development and acquisition of effective and highly flex- ible cyberattack capabilities. In addition to providing operational utility, such capabilities may strengthen deterrence against cyber adversaries. Lastly, increased knowledge of cyberattack technologies will contribute to the knowledge base supporting development of improved defensive capabilities, assuming that mechanisms can be found to promote cross- fertilization among the researchers in the relevant areas. If and when new policy emerges that calls for a deemphasis of cyber- attack capabilities, the U.S. investment can be scaled back at that time. The committee recognizes precedents from history in which the momen- tum built up by a large-scale development and procurement plan made changes in policy more difficult to accomplish. Nevertheless, it believes that acquiring many kinds of cyberattack weaponry is relatively inexpen- sive compared to traditional large-scale weapons acquisition efforts, and thus policy changes would be easier to effect. In addition, even if international agreements are made to restrict the use of cyberattack, nations must prepare for the possibility that non-sig- natories (e.g., non-state actors, or recalcitrant states) or âcheatingâ states will not abide by the provisions of any such agreementâand for the
70 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES United States to not be prepared to compete successfully in such a world is unacceptable. Finally, it is important for the United States to have a comprehen- sive view of the effort among all of the relevant stakeholders to develop and acquire cyberattack capabilities. Some responsible party within the executive branch, perhaps an office within the Office of Management and Budget, should have a cross-agency view into overall amounts being spent on acquisition of cyberattack capabilities and the details of how individual agency budgets are being spent. Overall levels of spending and the relevant detail should be available, on a classified basis as necessary, to appropriate congressional decision makers. (Recommendation 8 is not a plea for centralized direction of the acquisition effort, but rather one for information to help policy makers understand the overall effort.) Recommendation 9: The U.S. government should ensure that there are sufficient levels of personnel trained in all dimensions of cyberattack, and that the senior leaders of government have more than a nodding acquaintance with such issues. The issues related to cyberconflict are quite complex. Conducting cyberattacks requires specialized expertise in operations, intelligence, and communications, as well as law and technology. Understanding policy related to cyberattack requires expertise in defense, intelligence, law enforcement, and homeland security, and in diplomacy, foreign relations, and international law. In short, the prospect of cyberconflict requires that considerable attention be given to professionalization of the involved workforce. These needs contrast with the history of how todayâs thinking about cyberattack has evolved over the last few decades. The personal comput- ers first introduced in the 1980s and then later the World Wide Web in the mid-1990s are the most visible signs of the information technology revolution that increasingly has affected all sectors of society, including the military. The possibility of information and information technology as the driver for a revolution in military affairs began to gain influence dur- ing this time, along with the notion of attacking an adversaryâs comput- ers as an instrument of warfare. However, for the most part, that notion was confined to the grass roots of the military, and only recently has the thinking of senior military leadership begun to embrace such possibilities seriously. Against this backdrop, the paucity of educational opportunities in this domain for senior leadership, the professional military, the diplo- matic corps, intelligence analysts, law enforcement officials, and others is striking. As importantly, because cyberconflict is interdisciplinary, career
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 71 paths and opportunities for specialists in this area are few in number. Accordingly, the committee believes that the U.S. government should make significant efforts to develop human capital with expertise in the issues related to cyberattack. Recommendation 10: The U.S. government should consider the establishment of a government-based institutional structure through which selected private sector entities can seek immediate relief if they are the victims of cyberattack. As suggested in Finding 7, the United States lacks mechanisms for responding effectively to prevent further harm if a private sector entity is subjected to a cyberattack. Given the numerous cyberattacks endured by U.S. private sector enti- ties, it would not be surprising if one or more of these entities have taken self-help action in the past. And it is further likely that in the absence of meaningful and effective mechanisms to prevent further damage in the wake of a cyberattack, some such parties will seriously contemplate taking such action in the future if they feel that the costs of such action are less than the benefits from neutralizing the incoming attack, even if such actions constitute a violation of the Computer Fraud and Abuse Act (Section 5.2). The argumentation for Finding 7 noted some of the undesirable aspects of taking self-help action. But the committee does not believe that a simple prohibition on such action, or even raising the penalties for such action, are alone sufficient to prevent all self-help actions in the future. For this reason, it may be desirable to consider the establishment of a government-regulated institutional structure through which private sector entities that are the targets of sustained and ongoing cyberattack can seek immediate relief. A boundary condition in determining the appropriate structure is the impact of similar developments in other nations. That is, the U.S. government should consider the impact on the United States if other nations were to develop similar institutional structures to protect their own private sector entities. In the absence of further study, the committee makes no endorsement of specific elements that should be included in the structure proposed in Recommendation 10. The following elements are listed for illustrative purposes only, and it should be noted that committee members disagreed among themselves about the desirability of some of these as elements of a structure for helping private sector victims of a cyberattack. â¢ Improvements in capabilities for threat warning and attack assessment to
72 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES support better forensics. Such improvements are a necessary precondition if active threat neutralization is to be a viable policy option. â¢ International agreements that bind signatories to respond quickly with law enforcement actions to suppress cyberattacks emanating from their territory, with failure to do so entitling the target of the cyberattack to seek threat neutralization in response if it is located in a signatory nation. â¢ An explicit clarification of the limits to defense of property for violating the Computer Fraud and Abuse Act, which could explicitly allow or prohibit cyberattacks for this purpose. â¢ An explicit clarification of whether the victim of a cyberattack is permitted to non-destructively gather intelligence on the attacker in a non-cooperative man- ner. If allowed, such activities would have to be documented meticulously to demonstrate the lack of hostile intent. â¢ A capability for gathering the information needed to effect threat neu- tralization, accompanied by explicit rules and regulation, perhaps established by statute, to specify: ï£§The selected private sector entities that are entitled to call on the government to exercise this capability for threat neutralization and the standards of security practice required of such entities;29 ï£§The circumstances under which threat neutralization is to be performed; ï£§The criteria needed to identify the attacking party with suffi- ciently high confidence; and ï£§The evidence needed to make the determination that any given cyberattack posed a threat sufficiently severe to warrant neutralization. Again, to be clear, the committee does not recommend that any spe- cific element in the list above be included or excluded in the institutional structure proposed for consideration in Recommendation 10. For exam- ple, some committee members believe that a government capability for threat neutralization is a necessary element of a robust deterrence posture against cyberattack on private sector entities, and they argue that entities under attack should themselves be allowed to effect threat neutralization subject to appropriate government regulation. Others believe it would be a serious mistake to erode the governmentâs legal monopoly on cyber violence, and that such a capability, even if invoked promptly, would have 29 The term âselectedâ is used in recognition of the fact that not all such entities neces- sarily warrant access to the institutional structure considered in Recommendation 10, and thus some mechanism will be necessary for selecting those entities that are deemed eligible. âStandards of security practiceâ refers to the fact that these entities should be required to adhere to good security practices as a necessary prior condition before calling for outside assistance.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 73 at best a minimal impact in providing relief to the private sector entities under attack. Despite such disagreements, the committee does believe that it is important for the U.S. government to consider what can be done to help private sector entities cope with the undeniable inadequacies of passive defense as things currently stand. 1.9.4â Developing New Knowledge and Insight into a New Domain of Conflict Recommendation 11: The U.S. government should conduct high- level wargaming exercises to understand the dynamics and poten- tial consequences of cyberconflict. As noted in Chapter 9, the dynamics of cyberconflict are not well understood, and many of the most interesting questions about cybercon- flict concern matters related to deterrence, compulsion, and escalation. What are the elements that contribute to stability when cyberconflict is possible? What causes cyber adversaries to be deterred from taking hostile action? How might cyberwarfare escalate? Significant insight into crisis stability, deterrence, escalation, and other issues related to cyber- conflict might be gained by conducting serious high-level wargaming exercises involving individuals with policy backgrounds and others with operational experience in cyberattack. The participation of active-duty and in-office individuals would also help to familiarize them with some of the issues. As importantly, a âgamemasterâ with detailed technical knowl- edge of cyberdefenses and what is and is not possible through cyberattack would be essential for such exercises to produce useful knowledge. The insight and knowledge gained would be useful to senior decision makers (who would become more familiar with the issues involved), to analysts (who would gain insight into how decision makers think about such issues), and to operational personnelâthe warfightersâwho would gain experience in the same way that regular exercises help traditional forces develop expertise. Recommendation 12: Foundations and government research funders should support academic and think-tank inquiry into cyberconflict, just as they have supported similar work on issues related to nuclear, biological, and chemical weapons. The committee believes that cyberconflict and cyberattack are topics that are both important and understudied. Much of the serious thought about such subjects to date has originated in the Department of Defense, and much of that work has been classified. Whether or not the commit-
74 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES teeâs recommendation is adopted regarding declassification of the policy- related discussion of cyberattack, the nation can only be better served by more open debate, discourse, and scholarship across the intellectual spectrum. As noted in the Preface to this report, a greater interest in and more open intellectual activity regarding the subject of cyberattack would con- stitute an important mark of success for this committeeâs efforts. Some important technical issues worth investigation include the following: â¢ Attribution of cyberattacks. Arguably the most salient technical issue in cyberconflict, other reports have underscored both the importance and the difficulty of solving the attribution problem.30 This report emphati- cally reiterates those conclusions. â¢ Attack identification. Knowing that a nation or even a particular facility is under serious cyberattack is highly problematic given the back- ground noise of ongoing cyberattacks all the time. â¢ Geolocation of a computer that might be remotely attacked. Given that computers are physical objects, any computer that might be attacked is in some physical location. Knowledge of that location may be important in understanding the political impact of any given cyberattack. â¢ Techniques for limiting the scope of a cyberattack. Associated with a kinetic munition is the notion of a lethal radius outside of which a given type of target is likely to be relatively unharmed. Lethal radius is a key construct for minimizing collateral damage when such munitions are used. In a world of interconnected computers, what might be a plausible analog for a âlethal radiusâ for cyberweapons? There are also a host of non-technical issues raised by some of the discussion in this report. For example: â¢ How might cyberattack best be used to undermine the confidence of users in their information technology systems? What are the character- istics of the minimum attack needed to achieve this goal? â¢ What might be the impact on conflict escalation of inhibiting cyber offensive actions early in a tense international situation? â¢ How might cyberattack be used to support information operations such as propaganda? â¢ What are the relative advantages and disadvantages of different declaratory policies regarding cyberattack? 30 National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington D.C., 2007.
OVERVIEW, FINDINGS, AND RECOMMENDATIONS 75 â¢ What are the relative advantages and disadvantages of different policies regarding self-help actions by private sector entities that come under cyberattack themselves? â¢ What are the dynamics of known instances of cyberattack and cyberconflict? How did the parties learn they were under attack? How did they decide to respond? What were the ramifications of responding? 1.10â Conclusion Cyberattack technologies bring to the forefront of policy a wide range of possibilities in many dimensions: They raise many new policy issues, they provide many more options for operational commanders, and they complicate existing legal regimes to a considerable extent. But the find- ings of this report illustrate that thinking about U.S. acquisition and use of cyberattack capabilities need not start from scratch. Although a number of important nuances and subtleties can significantly complicate policy making regarding cyberattack, cyberattack should not be regarded as a sui generis form of warfare, and there is much to be said for drawing analogies to existing procedures, practices, and intellectual paradigms. At the same time, developing new knowledge is likely to be essential for genuinely informed policy making regarding cyberattack. The thinking of the U.S. government on the topic of cyberattack is changing rapidly even as this report is being written. Because most of this ferment takes place behind the shields of classification, it is impossible to provide in an unclassified study a definitive report on what is going on today within the U.S. government, and it is entirely possible that some of the findings articulated and discussed above are already reflected in parts of the U.S. government and that some of the recommendations are already being implemented. If so, the committee applauds such actions. But for those findings and recommendations that have not been incorporated into government processes and thinking, the committee hopes that they will be seriously considered and that they will stimulate a government reexamination of its thinking in the relevant areas.