The Future of US Cyberattack

This is going to take some digesting. The National Academies today released their new report on US cyberspace strategy. Weighing in at roughly 300 pages I’m not going to have time to read through it for a while – looks like it’s a job for a rainy weekend. Worse, you’re going to have to read it online, as the pdf is not free, for some inexplicable reason. Despite that, I have no doubt this document will progress the debate on cyberspace and strategy substantially. I’ve extracted the key findings and recommendations in full below.

The summary below could usefully be read in conjunction with Jeff Carr’s new piece on Projecting Borders into Cyberspace, and his attempt to update the 36 Stratagems for cyber warfare. There are also two slightly older pieces by Sam Liles on the Cybersecurity Act 2009 (here and here). Sam also critiques new policy in Another Cyber Treatise. Without further ado…

William A. Owens, Kenneth W. Dam, and Herbert S. Lin, eds. (2009), Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, Computer Science and Telecommunications Board [source]

FINDINGS

Cyberattack is an important capability for the United States to maintain, but at the same time the acquisition and use of such capabilities raise many questions and issues, as described below.

Overarching Findings

1. The policy and organizational issues raised by US acquisition and use of cyberattack are significant across a broad range of conflict scenarios, from small skirmishes with minor actors on the international stage to all-out conflicts with adversaries capable of employing weapons of mass destruction.

2. The availability of cyberattack technologies for national purposes greatly expands the range of options available to US policy makers as well as to policy makers of other nations.

3. Today’s policy and legal framework for guiding and regulating the US use of cyberattack is ill-formed, undeveloped, and highly uncertain.

4. Secrecy has impeded widespread understanding and debate about the nature and implications of US cyberattack.

5. The consequences of a cyberattack may be both direct and indirect, and in some cases of interest, the indirect consequences of a cyberattack can far outweigh the direct consequences.

Legal and Ethical Findings

6. The conceptual framework that underpins the UN Charter on the use of force and armed attack and today’s law of armed conflict provides a reasonable starting point for an international legal regime to govern cyberattack. However, those legal constructs fail to account for non-state actors and for the technical characteristics of some cyberattacks.

7. In today’s security environment, private parties have few useful alternatives for responding to a severe cyberattack that arrives over a network such as the Internet.

8. Cyberattack poses challenges to existing ethical and human rights regimes.

Policy Findings

9. Enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States.

10. The United States has much to lose from unrestrained cyberattack capabilities that are proliferated worldwide.

11. Deterrence of cyberattacks by the threat of in-kind response has limited applicability.

12. Options for responding to cyberattacks on the US span a broad range and include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks.

Technical and Operational Findings

13. For many kinds of information technology infrastructure targets, the ease of cyberattack is increasing rather than decreasing.

14. Although the actual cyberattack capabilities of the US are highly classified, they are at least as powerful as these demonstrated by the most sophisticated cyberattacks perpetrated by cybercriminals and are likely more powerful.

15. As is true for air, sea, land, and space operations, the defensive or offensive intent motivating cyber operations in any given instance may be difficult to infer.

16. Certain cyberattacks undertaken by the US are likely to have significant operational implications for the US private sector.

17. If and when the US decides to launch a cyberattack, significant coordination among allied natios and a wide range of public and private entities may be necessary, depending on the scope and nature of the cyberattack in question.

18. The outcomes of many kinds of cyberattack are likely to be more uncertain than outcomes for other kinds of attack.

19. Early use of cyberattack may be easy to contemplate in a pre-conflict situation, and so a greater degree of operational oversight for cyberattack may be needed compared to that for the use of other options.

20. Developing appropriate rules of engagement for the use of cyberweapons is very difficult.

Organizational Findings

21. Both the decision-making apparatus for cyberattack and the oversight mechanisms for that apparatus are inadequate today.

22. The US Congress has a substantial role to play in authorizing the use of military force, but the contours of that authority and the circumstances under which authorization is necessary are at least as uncertain for cyberattack as for the use of other weapons.

RECOMMENDATIONS

Fostering a National Debate on Cyberattack

1. The US should establish a public national policy regarding cyberattack for all sectors of government, including but not necessarily limited to the Departments of Defense, State, Homeland Security, Treasury, and Commerce; the intelligence community; and law enforcement. The senior leadership of these organizations should be involved in formulating this national policy.

2. The US government should conduct a broad, unclassified national debate and discussion about cyberattack policy, ensuring that all parties – particularly Congress, the professional military, and the intelligence agencies – are involved in discussions and are familiar with the issues.

3. The US government should work to find common ground with other nations regarding cyberattack. Such common ground should include better mutual understanding regarding various national views of cyberattack, as well as measures to promote transparency and confidence building.

Organizing the Decision-Making Apparatus of the US Government for Cyberattack

4. The US government should have a clear, transparent, and inclusive decision-making structure in place to decide how, when, and why a cyberattack will be conducted.

5. The US government should provide a periodic accounting of cyberattacks undertaken by the US armed forces, federal law enforcement agencies, intelligence agencies, and any other agencies with authorities to conduct such attacks in sufficient detail to provide decision-makers with a more comprehensive understanding of these activities. Such a periodic accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees.

Supporting Cyberattack Capabilities and Policy

6. US policy makers should judge the policy, legal, and ethical significace of launching a cyberattack largely on the basis of both its likely direct effects and its indirect effects.

7. US policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict.

8. The US should maintain and acquire effective cyberattack capabilities. Advances in capabilities should be continually factored into policy development, and a comprehensive budget accounting for research, development, testing, and evaluation relevant to cyberattack should be available to appropriate decision makers in the executive and legislative branches.

9. The US government should ensure that there are sufficient levels of personnel trained in all dimensions of cyberattack, and that the senior leaders of government have more than a nodding acquaintance with such issues.

10. The US government should consider the establishment of a government-based institutional structure through which selected private sector entities can seek immediate relief if they are the victims of cyberattack.

Developing New Knowledge and Insight into a New Domain of Conflict

11. The US government should conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyberconflict.

12. Foundations and government research funders should support academic and thinktank inquiry into cyberconflict, just as they have supported similar work on issues related to nuclear, biological, and chemical weapons.