Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

1 Overview, Findings, and Recommendations

1.1 WHAT IS CYBERATTACK AND WHY IS IT IMPORTANT?

It is now broadly accepted that nations are becoming ever more dependent on information and information technology. Companies and organizations rely on computers for diverse business processes ranging from payroll and accounting, to the tracking of inventory and sales, to support for research and development (R&D). Food, water, and energy distribution rely on computers and networks at every stage, as do transportation, health care, and financial services.

The same dependence also increasingly applies to the military. Modern military forces use weapons that are computer-controlled. Even more importantly, the movements and actions of military forces are increasingly coordinated through computer-based networks that allow information and common pictures of the battlefield to be shared. Logistics are entirely dependent on computer-based scheduling and optimization.

Even terrorists rely on information technology. Although the weapons of terrorists are generally low-tech, their use of the Internet and information technology for recruitment, training, and communications is often highly sophisticated.

Given the importance of information technology to many societal functions, it is not surprising that there has been much public debate about cybersecurity (i.e., protection of information technology systems and networks and the programs and information within them from hostile actions) and about how the United States might improve its cybersecurity posture in the face of hostile actions perpetrated by an adversary, such as a terrorist group, criminals, or another nation.

Although in many other domains, security has always had both defensive and attack components, cybersecurity has been somewhat anomalous, in the sense that its purely defensive side has been the primary focus of attention over the years. But, in fact, it is possible to imagine that cyberattacks might be used to support cyber defensive objectives. It is further possible to imagine that cyberattack would naturally be part of a robust U.S. military posture.

The possibility that the United States might choose to engage in cyberattacks to serve its own national interests is, however, rarely discussed in public. For the record, the U.S. government has acknowledged that it has an interest in such capabilities as a possible instrument of national policy,[1] but this is virtually all that it acknowledges publicly. At least one press report has indicated the existence of a still-classified National Security Presidential Directive, NSPD 16, issued in July 2002, that reportedly ordered the U.S. government to develop national-level guidance for determining when and how the United States would launch cyberattacks against enemy computer networks.[2] The National Strategy to Secure Cyberspace, published in February 2003, is entirely silent about an offensive component to U.S. cybersecurity efforts.[3]

In practice, hostile actions against a computer system or network can take two forms. One form is destructive in nature—the action is taken to harm the system or network and render it less functional or useful than before the action was taken. An example of such a hostile action is erasure by a computer virus of the hard disk of any computer that it infects. The second form is non-destructive—the action is taken to extract from a system or network information that would otherwise be kept confidential. Actions of this second form are usually clandestine, conducted with the smallest possible interventions that still allow extraction of the information sought. Such an action is exemplified by a computer virus that searches the hard disk of any infected computer and e-mails to the hostile party all files containing a credit card number.

Collectively, both forms of hostile action are termed “cyber offensive operations,” or simply, “cyber offense.” In this report, because the distinction between them is often important, the two forms of hostile action are given individual designators and somewhat expanded definitions:

Cyberattack refers to the use of deliberate actions—perhaps over an extended period of time—to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks.[4] Such effects on adversary systems and networks may also have indirect effects on entities coupled to or reliant on them. A cyberattack seeks to cause adversary computer systems and networks to be unavailable or untrustworthy and therefore less useful to the adversary. Furthermore, because so many different kinds of cyberattack are possible, the term “cyberattack” should be understood as a statement about a methodology for action—and that alone—rather than as a statement about the scale of the action’s effect.

Cyberexploitation refers to the use of cyber offensive actions—perhaps over an extended period of time—to support the goals and missions of the party conducting the exploitation, usually for the purpose of obtaining information resident on or transiting through an adversary’s computer systems or networks. Cyberexploitations do not seek to disturb the normal functioning of a computer system or network from the user’s point of view—indeed, the best cyberexploitation is one that such a user never notices.

Box 1.1 summarizes important distinctions between cyberattacks and cyberexploitations. The committee recognizes that analysts and commentators have used a variety of different terms that are closely related to what this report calls cyberattack (Box 1.2).

For purposes of this report, cyberattacks do not include kinetic actions taken against computers or networks using cruise missiles, sledgehammers, or satchel charges. But in practice, the destruction of or damage to an adversary computer or network could be accomplished by kinetic as well as cyber actions. Thus, as acknowledged by the Department of Defense,[5] a planner contemplating the destruction of an adversary computer or network should think about both cyberattack and kinetic attack options. This report also does not consider the use of electromagnetic pulse (EMP) attacks. EMP attacks typically refer to non-selective attacks on electronics and electrical components on a large scale, although a tactical EMP weapon intended to selectively target such components on a small scale is possible to imagine.[6]

[1] An Assessment of International Legal Issues in Information Operations, 2nd edition, Department of Defense, Office of General Counsel, November 1999.
[2] Bradley Graham, “Bush Orders Guidelines for Cyber-Warfare,” Washington Post, February 7, 2003, p. A01.
[3] See http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf.
[4] An adversary computer or network may not necessarily be owned and operated by the adversary—it may simply support or be used by the adversary.
[5] “DoD will conduct kinetic missions to preserve freedom of action and strategic advantage in cyberspace. Kinetic actions can be either offensive or defensive and used in conjunction with other mission areas to achieve optimal military effects.” See Department of Defense, National Military Strategy for Cyberspace Operations, 2006, available at www.dod.mil/pubs/foi/ojcs/07-F-2105doc1.pdf.
[6] For a comprehensive description of the threat from EMP attacks, see Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, available at http://www.globalsecurity.org/wmd/library/congress/2004_r/04-07-22emp.pdf.
BOX 1.1 Cyberattack Versus Cyberexploitation [1]

Terms
  Cyberattack: cyberattack, attack, computer network attack
  Cyberexploitation: cyberexploitation, intelligence, exploitation, computer network exploitation

Approach and intent
  Cyberattack: degrade, disrupt, deny, destroy attacked infrastructure and systems/networks
  Cyberexploitation: conduct smallest intervention consistent with desired operations

Primary relevant domestic law
  Cyberattack: U.S. Code Title 10 authorities and restrictions [2]
  Cyberexploitation: U.S. Code Title 50 authorities and restrictions

Operational agency
  Cyberattack: U.S. Strategic Command, Joint Functional Combatant Command for Network Warfare
  Cyberexploitation: National Security Agency

Main advocate in the U.S. government to date
  Cyberattack: U.S. Air Force
  Cyberexploitation: Director of National Intelligence

Interactions with tactical military operations
  Cyberattack: based on explicit inclusion in battle plans
  Cyberexploitation: based on intelligence reporting

Characterization of personnel
  Cyberattack: warfighters
  Cyberexploitation: intelligence community

[1] Discussion of these terms and concepts can be found in Chapters 2, 3, and 4.
[2] Covert action involving cyberattack would fall under Title 50 authorities.

1.2 FOCUS OF AND MOTIVATION FOR THIS REPORT

This report of the Committee on Offensive Information Warfare focuses primarily on the policy consequences and legal and ethical implications of U.S. acquisition and use of cyberattack, and secondarily (and only when necessary) on cyberexploitation. There are two reasons that a report on cyberattack necessarily touches on cyberexploitation. First, cyberattack and cyberexploitation are closely related from a technical point of view.
Second, because of such similarities a nation that is the target of a cyberexploitation might misinterpret it as being a cyberattack—a possibility that U.S. policy makers must take into account in deciding whether to conduct a cyberexploitation. Nevertheless, the policy and operational dimensions of cyberattack and cyberexploitation are quite different, and this report distinguishes between these two.

Cyberattack has a variety of military applications (discussed in Chapter 3) and may be useful for covert action (discussed in Chapter 4). In addition, cyberattack is conceivably a tool that law enforcement agencies or even the private sector might wish to use under some circumstances (discussed in Chapter 5).

As suggested in the previous section, cyberattack sometimes arises in the context of defending U.S. computer systems and networks. Passive defensive measures such as hardening systems against attack, facilitating recovery in the event of a successful attack, making security more usable and ubiquitous, and educating users to behave properly in a threat environment are important elements of a strong defensive posture.[7] Nevertheless, for the defense to be successful, these measures must succeed every time the adversary attacks. The adversary’s attack need succeed only once, and an adversary that pays no penalty for failed attacks can continue attacking until he or she succeeds or chooses to stop. This places a heavy and asymmetric burden on a defensive posture that employs only passive defense.

If passive defense is insufficient to ensure security, what other approaches might help to strengthen one’s defensive posture? One possibility is to eliminate or degrade an adversary’s ability to successfully prosecute an attack. In that case, the attack is ultimately less successful than it might otherwise have been because the defender has been able to neutralize the attack in progress (or perhaps even before it was launched). A second possibility is to impose other costs on the adversary, and such a strategy is based on two premises. First, the imposition of these costs on an attacker reduces the attacker’s willingness and/or ability to initiate or to continue an attack. Second, knowledge that an attack is costly to an attacker deters other parties from attempting to attack—and advance knowledge of such a possibility may deter the original adversary from attacking in the first place. There are in general many options for imposing costs on an adversary, including economic penalties such as sanctions, diplomatic penalties such as breaking of diplomatic relations, and even kinetic military actions such as cruise missile strikes. In-kind military action—a counter-cyberattack—is also a possibility.

Both of these possible actions—neutralization of an attacker’s ability to attack and the imposition of costs on the attacker for the attack—are often captured under the rubric of active defense. But actions taken in the name of active defense might well be seen as offensive acts. Consider the act of Zendia[8] probing a computer system or network belonging to Ruritania to gather information about it (what ports are open, what services are protected or available for use, the IP addresses of various machines on it, what operating systems are in use, and so on). If Zendia has already been the target of a cyberattack launched from Ruritania, Zendia may plausibly regard its probes of computer systems in Ruritania as part of a defensive reaction to the attack—gathering information about the systems involved in an attack may be important for characterizing its scale and intent. But Ruritania may regard such a probe as a hostile action by Zendia against it, because such probes can be used to develop information useful in a cyberattack.

The inadequacy of passive defense suggests that the national debate over cybersecurity necessarily includes a consideration of attack options for defensive purposes. Furthermore, once an attack capability is required to conduct active cyberdefense, and once a nation has the capability for active defense, it is also possible for that nation to use an attack capability for other, non-defensive purposes. Attack capabilities may under some circumstances also contribute to deterrence—a relationship that is explicated in more detail in Chapter 9.

Given the possibility that cyberattack capabilities might be useful to the U.S. government for many purposes (including active defense), a host of policy issues arise that do not arise if passive defense is the only defensive option under consideration. Box 1.3 provides an analogy to describe how policy issues inevitably emerge from any government consideration of offensive options.

[7] The broad topic of steps that might be taken to improve passive cyberdefenses and to enhance resilience of U.S. computer systems and networks is not part of this report. There are many important technology and policy issues in the domain of cyberdefense, but many other works have addressed these issues. For a sampling of relevant National Research Council reports on this topic, see Footnotes 1 and 2 in the Preface to this report. Other important reports include President’s Information Technology Advisory Committee, Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington, D.C., February 2005; and Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace for the 44th Presidency, Center for Strategic and International Studies, Washington, D.C., 2008.
[8] Note to the reader: When the name of a nation is needed in this report, the names “Zendia” and “Ruritania” are used as stand-ins. Depending on context, these nations may be a near-peer nation-state with military and economic stature and power comparable to that of the United States; a small, relatively undeveloped nation; or something in between. Generally in this report, Zendia is an adversary of the United States.

BOX 1.2 Terminology Related to Cyberattack [1]

A wide variety of terms in the literature have definitions that overlap with the definitions used in this report. (It is perhaps emblematic of the state of discussion today that there is no standard and widely accepted term that denotes attacks on computer systems and networks.) For example:

The term “information operations” was used by the Joint Chiefs of Staff in 1998 to denote “actions taken to affect adversary information and information systems while defending one’s own information and information systems.” Information operations were characterized as offensive or defensive, where “offensive information operations” were conducted to affect adversary decision makers and achieve or promote specific objectives. The JCS used the term “information warfare” to refer to information operations conducted during time of crisis or conflict (including war) to achieve or promote specific objectives over a specific adversary or adversaries.[2]

The term “network attack” is used by the U.S. Air Force Materiel Command’s Electronic Systems Center to refer to “the employment of network based capabilities to destroy, disrupt, corrupt, or usurp information resident in or transiting through networks.”[3]

The term “offensive information warfare” was used by Dorothy Denning to describe an operation that “targets or exploits a particular information resource with the objective of increasing its value to the offensive player and decreasing its value to the defensive player.”[4]

The term “information warfare” has been used often, but with a variety of meanings.[5] For example, the term is used by the Center for Strategic and International Studies to denote data attack, such as propaganda, disinformation, data overload, and spam; software attack using computer viruses, Trojan horses, or trapdoors; hacking, i.e., penetration, unauthorized use, and/or snooping in other computer systems; and physical kinetic or directed energy attacks against information systems.[6] By contrast, Ryan and Ryan define information warfare as “the application of destructive force on a large scale against information assets and systems, against computers and networks which support the air traffic control systems, stock transactions, financial records, currency exchanges, Internet communications, telephone switching, credit record, credit card transactions, the space program, the railroad system, the hospital systems that monitor patients and dispense drugs, manufacturing process control systems, newspaper and publishing, the insurance industry, power distribution and utilities, all of which rely heavily on computers.”[7] Ryan and Ryan also note that “Information warfare is, first and foremost, warfare. It is not information terrorism, computer crime, hacking or commercial or state sponsored espionage using networks for access to desirable information.”

The term “information attack” is used by Davis Brown, a former deputy judge advocate for the U.S. Defense Information Systems Agency, to focus on information or information systems as the object, means, or medium of attack.[8]

The terms “offensive cyber operations” and “offensive cyberspace operations” are sometimes heard in discussions with military officials and are apparently used to denote one or more actions, perhaps taken over a period of time, to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.[9] Offensive cyber or cyberspace operations apparently extend beyond computer network attack (for example, they include computer network exploitation) and recognize the possibility that an extended offensive campaign might be waged in cyberspace involving multiple cyberattacks.

The term “computer network attack” was adopted by the Joint Chiefs of Staff in 2006 to refer to “actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”[10] In 2006, the Joint Chiefs of Staff also eliminated the term “information warfare” and the distinction between “offensive” and “defensive” information operations.

After considering the plethora of terms used in this domain, the committee settled on “cyberattack” as the term best describing the primary focus of this report.

[1] This description of the various terms is derived in part from Davis Brown, “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict,” Harvard International Law Journal, 47(1):179-221, Winter 2006.
[2] Joint Chiefs of Staff, Joint Publication No. 3-13, Joint Doctrine for Information Operations, Oct. 9, 1998.
[3] See Broad Agency Announcement (BAA ESC 07-0001) on Network Warfare Operations Capabilities (NWOC): Technology Concept Demonstrations, May 31, 2007.
[4] Dorothy E. Denning, Information Warfare and Security, Addison-Wesley Longman Ltd., Essex, UK, 1999.
[5] For a review of such definitions, see Chapter 1 of Gregory Rattray, Strategic Warfare in Cyberspace, MIT Press, Cambridge, Mass., 2001.
[6] Cybercrime Cyberterrorism Cyberwarfare: Averting an Electronic Waterloo, Center for Strategic and International Studies, 1998.
[7] Daniel and Julie Ryan, “Protecting the NII against Infowar,” in Winn Schwartau, Information Warfare, Thunder’s Mouth Press, 1996.
[8] Davis Brown, “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict,” Harvard International Law Journal 47(1):179-221, Winter 2006.
[9] For example, the U.S. Air Force Cyber Command writes that “Cyberspace favors offensive operations. These operations will deny, degrade, disrupt, destroy, or deceive an adversary. Cyberspace offensive operations ensure friendly freedom of action in cyberspace while denying that same freedom to our adversaries…. As an adversary becomes more dependent on cyberspace, cyberspace offensive operations have the potential to produce greater effects.” See Air Force Cyber Command Strategic Vision, undated document (probably 3 March 2008), available at http://www.afcyber.af.mil/shared/media/document/AFD-080303-054.pdf.
[10] Joint Chiefs of Staff, Joint Publication No. 3-13, Joint Doctrine for Information Operations, February 13, 2006.
BOX 1.3 Policy Issues That Flow from Government Use of Guns

In order for society to defend itself against armed criminals, one policy choice would be to focus on passive defense against guns—bulletproof vests might be distributed to the populace. Criminals might then invest in more powerful guns that could shoot through bulletproof vests. In response, the government might then support research into techniques for developing stronger, more difficult-to-penetrate armor or initiate programs to provide bulletproof vests to more citizens more quickly and educate them about how to use bulletproof vests properly.

Such policy responses are much simpler than those arising from a situation in which police are themselves armed. Governments that arm police officers must be concerned about:

- Training. Police officers must have a level of training and expertise in the use of firearms adequate for most situations they will encounter in their day-to-day work.
- Rules of engagement. Police officers must follow pre-established rules of engagement that provide guidance on when the use of firearms is and is not appropriate.
- Command and control. Police officers are subject to a chain of command that can grant or withhold permission to discharge firearms.
- Identification friend-or-foe (IFF), the process by which police officers determine who or what counts as a legitimate target for their weapons. Because undercover police and criminals often choose to look like ordinary citizens (as a rule, they do not wear distinguishing uniforms), police must exercise great care in determining their targets.
- Liability. Police (individual officers and the department itself) may be found liable for civil damages or even subject to criminal penalties if a shooting takes place improperly, and especially if someone is injured or killed by such a shooting.

Note that the fact of police officers carrying guns serves a defensive purpose—protecting the citizenry—even though guns themselves are arguably an offensive weapons technology, i.e., a weapons technology that is designed to inflict harm or damage to a target. The committee makes this gun-related analogy not to address any particular policy issue related to private or criminal or even police usage of guns, but to point out that policy and legal issues inevitably flow from the use of offensive weapons by “good guys.”

1.3 CYBERATTACK IN THE CONTEXT OF AN INFORMATION STRATEGY FOR THE UNITED STATES

U.S. military forces have made great progress in developing and implementing plans for joint integrated operations in the conventional military sphere, but in the information domain, U.S. doctrine and approaches have left many niches and gaps for adversaries to exploit. The lack of an integrated approach to the information domain has meant that the United States lacks timeliness and synergy in its planning and operations. An integrated approach would spread information and ideas that support U.S. interests and would degrade and disrupt information and ideas abroad that are adverse to U.S. interests (e.g., websites for terrorist recruiting).

Cyberattack is only one dimension of information operations. In practice, many cyberattacks are likely to take place within a large, diverse, and organically interconnected domain in which deception, espionage, covert influence, diversion, interception and disruption of communications, and other information operations will also take place (as discussed in Box 3.3 in Chapter 3). All of these operations can be used in an intertwined and integrated fashion. Espionage can be a precursor to a denial-of-service attack, while denial of service can be used to facilitate espionage by forcing one’s adversary to use an insecure mode of communication. And information operations are themselves only one aspect of what might be called an information strategy for pursuing U.S. strategic and security interests.

Advocates of such an information strategy argue that the nature of warfare and conflict is changing, and that information will be central to national security affairs in the future. This argument is based in part on the idea that adversaries—unable to compete with the United States in traditional military domains—will seek to exploit U.S. weaknesses asymmetrically, and that the information domain is one of the most important. Information is central for two reasons. First, modern societies are based largely on the effective use of large amounts of information—a fact reflected in the increasing ubiquity of and dependence on information technology throughout these societies. Second, the “hearts and minds” of much of the world’s population will be won or lost through the influence gained by appropriately targeted ideas and information. The first point suggests that the information assets (and supporting technologies) of modern societies are a possible point of leverage for adversaries that are less dependent on information. The second point suggests that a predominantly military approach to national security is too narrow, and that the United States would be well served by a much broader strategy that puts hearts, minds, and ideas at its center.

In this view, the United States must integrate strategic/tactical influence and messaging and perception management with a broad spectrum of capabilities for information attack and defense. At the highest level of strategic perspective, the goal of information attack is to get into the mind of the adversary and influence its decision making at critical times and at all levels. This would include making adversaries question their plans, direction, capabilities, actions, likelihood of success, control, and whether generally they trust their information and knowledge base. At the tactical and operational level, information attack entails destroying, denying, degrading, disrupting, influencing, and corrupting an adversary’s ability to see, know, understand, decide, and take action. The goal of information defense is to protect our ability to see, know, understand, decide, and take action.

A coordinated information strategy would integrate a variety of disciplines and specialties, most of which are not integrated today. These include strategic communications, influence, and messaging; public diplomacy; perception management; computer network operations (attack, defense, and exploitation); space control; electronic reconnaissance/warfare; psychological operations; strategic and departmental deception; propaganda, information assurance and infrastructure protection, and counter denial and deception; public affairs; counterintelligence; HUMINT (human intelligence) and OSINT (open source intelligence) activities; imagery and mapping operations; data and information mining; and special operations forces.

1.4 IMPORTANT CHARACTERISTICS OF CYBERATTACK AND CYBEREXPLOITATION

As noted above, cyberattack refers to actions—perhaps taken over an extended period of time—to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks. Several characteristics of weapons for cyberattack are worthy of note.

The indirect effects of weapons for cyberattack are almost always more consequential than the direct effects of the attack. (Direct or immediate effects are effects on the computer system or network attacked. Indirect or follow-on effects—which may be the primary purpose of a cyberattack—are effects on the systems and/or devices that the attacked computer system or network controls or interacts with, or on the people who use or rely on the attacked computer system or network.) That is, the computer or network attacked is much less relevant than the systems controlled by the targeted computer or network (e.g., a cyberattack that affects a computer controlling an electric power generator will also, and more importantly, affect the generator itself) or the decision making that depends on the information contained in or processed by the targeted computer or network, and indeed the indirect effect is often the primary purpose of the attack. Thus, the scale of damage of any given cyberattack can range from
in the statute on covert action providing for more limited “Gang-of-Eight” reporting.[27] One approach to collecting the information would be for cyberattacks to be reported more or less contemporaneously to the National Security Council, which would compile and analyze the information and then distribute it when required to do so. This approach also has the advantage of informing senior executive branch decision makers of potentially significant events that might affect their activities and decisions in other domains (e.g., if undertaken in the middle of a crisis, an inappropriately timed cyberattack might have diplomatic repercussions).[28]

Also, consistent with Finding 22, the committee recommends the establishment of mechanisms to promptly inform the appropriate parties in Congress before the United States launches significant U.S. cyberattacks against other powers or entities or promptly thereafter. “Promptly” should be understood to refer to a time scale shorter than or comparable to those required by the War Powers Resolution for introducing U.S. armed forces into hostilities.

Finally, the committee recognizes that many definitional issues remain to be worked out. It is the committee’s recommendation that a reportable cyberattack be defined as one that was initiated with the intent of altering, disrupting, deceiving, degrading, or destroying adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks immediately or in the future. For example, reasonable people might disagree over whether cyberexploitations should also be included, but the goal is for responsible senior decision makers to have a reasonably comprehensive view of the cyberattack-related activities of the U.S. government.

1.9.3 Supporting Cyberattack Capabilities and Policy

Recommendation 6: U.S. policy makers should judge the policy, legal, and ethical significance of launching a cyberattack largely on the basis of both its likely direct effects and its indirect effects.

[27] “Gang-of-Eight” reporting refers to the requirement to report only to the chair and ranking minority member of the House and Senate Select Committees on Intelligence, the Senate majority and minority leaders, and the Speaker of the House and the House Minority Leader. Reporting to the “Gang of Eight” meets the legal requirement for presidential briefing to Congress for certain selected intelligence activities.
[28] In this regard, executive branch notification might be regarded as being analogous to notifying the secretary of defense about all missile test launches. The intent of this longstanding rule was not that the secretary had to approve such launches but rather that the secretary should know if a launch was going to occur in the middle of other events or during a crisis.
As noted in Finding 5, the consequences of a cyberattack may be both direct and indirect—and both must be taken into account in determining appropriate courses of action. Cyberattacks cannot be assumed to be of lesser consequence simply because they are primarily non-kinetic attacks on computer systems or networks. This point is especially relevant in considering responses to a crisis or an incident in which a forceful U.S. response is desired. Because a cyberattack may appear to be an action short of a “real” military deployment or response if only direct effects are considered, and in any event would be unlikely to place U.S. forces directly in harm’s way, policy makers may be unduly tempted to take such an action unless they consider the cyberattack’s indirect effects as well.

More generally, the difficult legal and ethical policy issues regarding the appropriateness of using cyberattack seem to arise mostly in a prekinetic situation, where traditional armed conflict has not yet arisen (and may never arise). In this context, decision makers must determine whether a cyberattack would be equivalent to “the use of force” or “an armed attack.” Effects-based analysis provides one criterion for such a determination—equivalence would be determined by comparing the scale of death and/or destruction that would result from a cyberattack (taking into account both direct and indirect effects) to that which would result from a use of kinetic force.

As for the situation in which a “kinetic” conflict has already broken out, cyberattack is just one more tactical military option to be evaluated along with other such options—that is, when U.S. military forces are engaged in traditional tactical armed conflict and except in extraordinary circumstances, there is no reason that any non-LOAC restrictions should be placed on the use of cyberattack vis-à-vis any other tactical military option. Thus, if a given tactical operation calls for attacking a certain target, LOAC questions about necessity, proportionality, and distinction must be asked about the use of cyberattack, the use of special operations troops, and the use of a cruise missile—and attacks that do not satisfy LOAC constraints may not be used. (Needless to say, both direct and indirect effects must be considered in this analysis, and uncertainties in the answers to these questions must be taken into account as well.) The extraordinary circumstances mentioned above relate to instances in which U.S. military forces might be contemplating actions with strategic significance. For example, a cyberattack on an adversary satellite might have tactical benefits, but the use of a cyberattack for this purpose should be considered just as carefully as the use of a direct-ascent missile or a ground-based laser. The latter decision today would not be the sole province of the commander in the field, but would likely involve the National Command Authority directly, and so should the former. Commanders in the field should not be tempted by the seeming ease or low profile of cyberattack to use such an option when other options would not be used.

Finally, Recommendation 6 should not be taken to mean that only effects are relevant to a policy, legal, or ethical analysis of any given cyberattack. The committee recognizes, for example, that the intent with which a cyberattack is carried out may well be relevant to such analysis, though the attacker’s intent may be largely irrelevant to its effects. Indeed, the DOD standing rules of engagement (mentioned in Section 3.3) obligate military commanders to “defend that commander’s unit and other U.S. forces in the vicinity from a hostile act or demonstration of hostile intent.” The party responsible for the attack is also a relevant factor—it matters whether the responsible party is a nation-state, terrorist group, criminal organization, hacker, or a careless graduate student. Thus, a cyberattack launched by a terrorist group affecting a small number of important national security computer systems may well be regarded as a more hostile act than a cyberattack launched by a careless graduate student affecting millions of systems around the world (including some national security computer systems)—and a national response should account for such differences.

Recommendation 7: U.S. policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict.

As noted in Chapter 7, the law of armed conflict—specifically jus in bello—does not pertain to the behavior of military forces in situations that fall short of actual armed conflict, and the relevant international law under such circumstances is poorly developed at best. Nevertheless, the committee believes that U.S.
policy makers should apply the moral and ethical principles underlying the law of armed conflict (jus in bello: proportionality, necessity, distinction, and so on) to cyberattack even if the use of cyberattack is contemplated for situations that fall short of actual armed conflict. The application of these principles would be particularly relevant in two situations:

- Covert actions involving cyberattack. (As noted in Chapter 4, traditional U.S. interpretations of the laws of armed conflict require covert action, whether or not it involves violent activities, to be conducted consistent with LOAC’s requirements.)
- Periods of heightened tension, during which combatant commanders may undertake some cyberattack activities for shaping the operational environment to facilitate later employment of other activities (as noted in Chapter 3).

Recommendation 8: The United States should maintain and acquire effective cyberattack capabilities. Advances in capabilities should be continually factored into policy development, and a comprehensive budget accounting for research, development, testing, and evaluation relevant to cyberattack should be available to appropriate decision makers in the executive and legislative branches.

The committee believes that it would be unwise policy to eschew cyberattack under all circumstances. For those instances in which the use of cyberattack is warranted, the United States should have at its disposal the most effective and flexible cyberattack technologies and supporting infrastructure possible—systems that can operate on the time scales required, with the necessary command and control (including self-destruct when necessary and appropriate), guided by the best possible intelligence information, with a high probability of mission success and a low risk of collateral damage. Accordingly, in addition to a robust and significant effort for research, development, testing, and evaluation to strengthen U.S. cyber defensive capabilities, the committee believes that the United States should continue to invest in the development and acquisition of effective and highly flexible cyberattack capabilities. In addition to providing operational utility, such capabilities may strengthen deterrence against cyber adversaries. Lastly, increased knowledge of cyberattack technologies will contribute to the knowledge base supporting development of improved defensive capabilities, assuming that mechanisms can be found to promote cross-fertilization among the researchers in the relevant areas.
If and when new policy emerges that calls for a deemphasis of cyberattack capabilities, the U.S. investment can be scaled back at that time. The committee recognizes precedents from history in which the momentum built up by a large-scale development and procurement plan made changes in policy more difficult to accomplish. Nevertheless, it believes that acquiring many kinds of cyberattack weaponry is relatively inexpensive compared to traditional large-scale weapons acquisition efforts, and thus policy changes would be easier to effect. In addition, even if international agreements are made to restrict the use of cyberattack, nations must prepare for the possibility that non-signatories (e.g., non-state actors, or recalcitrant states) or “cheating” states will not abide by the provisions of any such agreement—and for the United States to not be prepared to compete successfully in such a world is unacceptable.

Finally, it is important for the United States to have a comprehensive view of the effort among all of the relevant stakeholders to develop and acquire cyberattack capabilities. Some responsible party within the executive branch, perhaps an office within the Office of Management and Budget, should have a cross-agency view into overall amounts being spent on acquisition of cyberattack capabilities and the details of how individual agency budgets are being spent. Overall levels of spending and the relevant detail should be available, on a classified basis as necessary, to appropriate congressional decision makers. (Recommendation 8 is not a plea for centralized direction of the acquisition effort, but rather one for information to help policy makers understand the overall effort.)

Recommendation 9: The U.S. government should ensure that there are sufficient levels of personnel trained in all dimensions of cyberattack, and that the senior leaders of government have more than a nodding acquaintance with such issues.

The issues related to cyberconflict are quite complex. Conducting cyberattacks requires specialized expertise in operations, intelligence, and communications, as well as law and technology. Understanding policy related to cyberattack requires expertise in defense, intelligence, law enforcement, and homeland security, and in diplomacy, foreign relations, and international law. In short, the prospect of cyberconflict requires that considerable attention be given to professionalization of the involved workforce. These needs contrast with the history of how today’s thinking about cyberattack has evolved over the last few decades.
The personal computers first introduced in the 1980s and then later the World Wide Web in the mid-1990s are the most visible signs of the information technology revolution that increasingly has affected all sectors of society, including the military. The possibility of information and information technology as the driver for a revolution in military affairs began to gain influence during this time, along with the notion of attacking an adversary’s computers as an instrument of warfare. However, for the most part, that notion was confined to the grass roots of the military, and only recently has the thinking of senior military leadership begun to embrace such possibilities seriously. Against this backdrop, the paucity of educational opportunities in this domain for senior leadership, the professional military, the diplomatic corps, intelligence analysts, law enforcement officials, and others is striking. As importantly, because cyberconflict is interdisciplinary, career paths and opportunities for specialists in this area are few in number. Accordingly, the committee believes that the U.S. government should make significant efforts to develop human capital with expertise in the issues related to cyberattack.

Recommendation 10: The U.S. government should consider the establishment of a government-based institutional structure through which selected private sector entities can seek immediate relief if they are the victims of cyberattack.

As suggested in Finding 7, the United States lacks mechanisms for responding effectively to prevent further harm if a private sector entity is subjected to a cyberattack. Given the numerous cyberattacks endured by U.S. private sector entities, it would not be surprising if one or more of these entities have taken self-help action in the past. And it is further likely that in the absence of meaningful and effective mechanisms to prevent further damage in the wake of a cyberattack, some such parties will seriously contemplate taking such action in the future if they feel that the costs of such action are less than the benefits from neutralizing the incoming attack, even if such actions constitute a violation of the Computer Fraud and Abuse Act (Section 5.2). The argumentation for Finding 7 noted some of the undesirable aspects of taking self-help action. But the committee does not believe that a simple prohibition on such action, or even raising the penalties for such action, is alone sufficient to prevent all self-help actions in the future. For this reason, it may be desirable to consider the establishment of a government-regulated institutional structure through which private sector entities that are the targets of sustained and ongoing cyberattack can seek immediate relief. A boundary condition in determining the appropriate structure is the impact of similar developments in other nations.
That is, the U.S. government should consider the impact on the United States if other nations were to develop similar institutional structures to protect their own private sector entities. In the absence of further study, the committee makes no endorsement of specific elements that should be included in the structure proposed in Recommendation 10. The following elements are listed for illustrative purposes only, and it should be noted that committee members disagreed among themselves about the desirability of some of these as elements of a structure for helping private sector victims of a cyberattack.

- Improvements in capabilities for threat warning and attack assessment to support better forensics. Such improvements are a necessary precondition if active threat neutralization is to be a viable policy option.
- International agreements that bind signatories to respond quickly with law enforcement actions to suppress cyberattacks emanating from their territory, with failure to do so entitling the target of the cyberattack to seek threat neutralization in response if it is located in a signatory nation.
- An explicit clarification of the limits of a defense-of-property justification for actions that would otherwise violate the Computer Fraud and Abuse Act, which could explicitly allow or prohibit cyberattacks for this purpose.
- An explicit clarification of whether the victim of a cyberattack is permitted to non-destructively gather intelligence on the attacker in a non-cooperative manner. If allowed, such activities would have to be documented meticulously to demonstrate the lack of hostile intent.
- A capability for gathering the information needed to effect threat neutralization, accompanied by explicit rules and regulation, perhaps established by statute, to specify:
  - The selected private sector entities that are entitled to call on the government to exercise this capability for threat neutralization and the standards of security practice required of such entities;[29]
  - The circumstances under which threat neutralization is to be performed;
  - The criteria needed to identify the attacking party with sufficiently high confidence; and
  - The evidence needed to make the determination that any given cyberattack posed a threat sufficiently severe to warrant neutralization.

Again, to be clear, the committee does not recommend that any specific element in the list above be included or excluded in the institutional structure proposed for consideration in Recommendation 10.
For example, some committee members believe that a government capability for threat neutralization is a necessary element of a robust deterrence posture against cyberattack on private sector entities, and they argue that entities under attack should themselves be allowed to effect threat neutralization subject to appropriate government regulation. Others believe it would be a serious mistake to erode the government’s legal monopoly on cyber violence, and that such a capability, even if invoked promptly, would have at best a minimal impact in providing relief to the private sector entities under attack. Despite such disagreements, the committee does believe that it is important for the U.S. government to consider what can be done to help private sector entities cope with the undeniable inadequacies of passive defense as things currently stand.

[29] The term “selected” is used in recognition of the fact that not all such entities necessarily warrant access to the institutional structure considered in Recommendation 10, and thus some mechanism will be necessary for selecting those entities that are deemed eligible. “Standards of security practice” refers to the fact that these entities should be required to adhere to good security practices as a necessary prior condition before calling for outside assistance.

1.9.4 Developing New Knowledge and Insight into a New Domain of Conflict

Recommendation 11: The U.S. government should conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyberconflict.

As noted in Chapter 9, the dynamics of cyberconflict are not well understood, and many of the most interesting questions about cyberconflict concern matters related to deterrence, compulsion, and escalation. What are the elements that contribute to stability when cyberconflict is possible? What causes cyber adversaries to be deterred from taking hostile action? How might cyberwarfare escalate? Significant insight into crisis stability, deterrence, escalation, and other issues related to cyberconflict might be gained by conducting serious high-level wargaming exercises involving individuals with policy backgrounds and others with operational experience in cyberattack. The participation of active-duty and in-office individuals would also help to familiarize them with some of the issues. As importantly, a “gamemaster” with detailed technical knowledge of cyberdefenses and what is and is not possible through cyberattack would be essential for such exercises to produce useful knowledge.
The insight and knowledge gained would be useful to senior decision makers (who would become more familiar with the issues involved), to analysts (who would gain insight into how decision makers think about such issues), and to operational personnel—the warfighters—who would gain experience in the same way that regular exercises help traditional forces develop expertise.

Recommendation 12: Foundations and government research funders should support academic and think-tank inquiry into cyberconflict, just as they have supported similar work on issues related to nuclear, biological, and chemical weapons.

The committee believes that cyberconflict and cyberattack are topics that are both important and understudied. Much of the serious thought about such subjects to date has originated in the Department of Defense, and much of that work has been classified. Whether or not the committee’s recommendation is adopted regarding declassification of the policy-related discussion of cyberattack, the nation can only be better served by more open debate, discourse, and scholarship across the intellectual spectrum. As noted in the Preface to this report, a greater interest in and more open intellectual activity regarding the subject of cyberattack would constitute an important mark of success for this committee’s efforts.

Some important technical issues worth investigation include the following:

- Attribution of cyberattacks. This is arguably the most salient technical issue in cyberconflict; other reports have underscored both the importance and the difficulty of solving the attribution problem.[30] This report emphatically reiterates those conclusions.
- Attack identification. Knowing that a nation or even a particular facility is under serious cyberattack is highly problematic given the constant background noise of ongoing cyberattacks.
- Geolocation of a computer that might be remotely attacked. Given that computers are physical objects, any computer that might be attacked is in some physical location. Knowledge of that location may be important in understanding the political impact of any given cyberattack.
- Techniques for limiting the scope of a cyberattack. Associated with a kinetic munition is the notion of a lethal radius outside of which a given type of target is likely to be relatively unharmed. Lethal radius is a key construct for minimizing collateral damage when such munitions are used. In a world of interconnected computers, what might be a plausible analog for a “lethal radius” for cyberweapons?

There are also a host of non-technical issues raised by some of the discussion in this report. For example:

- How might cyberattack best be used to undermine the confidence of users in their information technology systems? What are the characteristics of the minimum attack needed to achieve this goal?
- What might be the impact on conflict escalation of inhibiting cyber offensive actions early in a tense international situation?
- How might cyberattack be used to support information operations such as propaganda?
- What are the relative advantages and disadvantages of different declaratory policies regarding cyberattack?
- What are the relative advantages and disadvantages of different policies regarding self-help actions by private sector entities that come under cyberattack themselves?
- What are the dynamics of known instances of cyberattack and cyberconflict? How did the parties learn they were under attack? How did they decide to respond? What were the ramifications of responding?

[30] National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington, D.C., 2007.

1.10 CONCLUSION

Cyberattack technologies bring to the forefront of policy a wide range of possibilities in many dimensions: They raise many new policy issues, they provide many more options for operational commanders, and they complicate existing legal regimes to a considerable extent. But the findings of this report illustrate that thinking about U.S. acquisition and use of cyberattack capabilities need not start from scratch. Although a number of important nuances and subtleties can significantly complicate policy making regarding cyberattack, cyberattack should not be regarded as a sui generis form of warfare, and there is much to be said for drawing analogies to existing procedures, practices, and intellectual paradigms. At the same time, developing new knowledge is likely to be essential for genuinely informed policy making regarding cyberattack.

The thinking of the U.S. government on the topic of cyberattack is changing rapidly even as this report is being written. Because most of this ferment takes place behind the shields of classification, it is impossible to provide in an unclassified study a definitive report on what is going on today within the U.S. government, and it is entirely possible that some of the findings articulated and discussed above are already reflected in parts of the U.S. government and that some of the recommendations are already being implemented. If so, the committee applauds such actions.
But for those findings and recommendations that have not been incorporated into government processes and thinking, the committee hopes that they will be seriously considered and that they will stimulate a government reexamination of its thinking in the relevant areas.