Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page R1
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of CYBERATTACK CAPABILITIES William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Editors Committee on Offensive Information Warfare Computer Science and Telecommunications Board Division on Engineering and Physical Sciences NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES THE NATIONAL ACADEMIES PRESS Washington, D.C. www.nap.edu
OCR for page R2
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001 NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. Support for this project was provided by the MacArthur Foundation under award number 04-80965-000-GSS, the Microsoft Corporation under an unnumbered award, and the NRC Presidents’ Committee under an unnumbered award. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the organizations that provided support for the project. International Standard Book Number-13: 978-0-309-13850-5 International Standard Book Number-10: 0-309-13850-7 Library of Congress Control Number: 2009930416 Additional copies of this report are available from: The National Academies Press 500 Fifth Street, N.W., Lockbox 285 Washington, DC 20055 (800) 624-6242 (202) 334-3313 (in the Washington metropolitan area) Internet: http://www.nap.edu Copyright 2009 by the National Academy of Sciences. All rights reserved. Printed in the United States of America
OCR for page R3
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities THE NATIONAL ACADEMIES Advisers to the Nation on Science, Engineering, and medicine The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council. www.national-academies.org
OCR for page R4
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities This page intentionally left blank.
OCR for page R5
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities COMMITTEE ON OFFENSIVE INFORMATION WARFARE WILLIAM A. OWENS, AEA Holdings, Inc., Co-chair KENNETH W. DAM, University of Chicago, Co-chair THOMAS A. BERSON, Anagram Laboratories GERHARD CASPER, Stanford University DAVID D. CLARK, Massachusetts Institute of Technology RICHARD L. GARWIN, IBM Fellow Emeritus JACK L. GOLDSMITH III, Harvard Law School CARL G. O’BERRY, The Boeing Company JEROME H. SALTZER, Massachusetts Institute of Technology (retired) MARK SEIDEN, MSB Associates SARAH SEWALL, Harvard University WALTER B. SLOCOMBE, Caplin & Drysdale WILLIAM O. STUDEMAN, U.S. Navy (retired) MICHAEL A. VATIS, Steptoe & Johnson LLP Staff HERERT S. LIN, Study Director KRISTEN BATCH, Associate Staff Officer (through August 2008) TED SCHMITT, Consultant JANICE SABUDA, Senior Project Assistant (through March 2008) ERIC WHITAKER, Senior Project Assistant
OCR for page R6
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD JOSEPH F. TRAUB, Columbia University, Chair PRITHVIRAJ BANERJEE, Hewlett Packard Company FREDERICK R. CHANG, University of Texas, Austin WILLIAM DALLY, Stanford University MARK E. DEAN, IBM Almaden Research Center DEBORAH L. ESTRIN, University of California, Los Angeles KEVIN C. KAHN, Intel Corporation JAMES KAJIYA, Microsoft Corporation RANDY H. KATZ, University of California, Berkeley JOHN E. KELLY III, IBM Research SARA KIESLER, Carnegie Mellon University JON KLEINBERG, Cornell University PETER LEE, Carnegie Mellon University TERESA H. MENG, Stanford University WILLIAM H. PRESS, University of Texas, Austin PRABHAKAR RAGHAVAN, Yahoo! Research DAVID E. SHAW, D.E. Shaw Research ALFRED Z. SPECTOR, Google, Inc. ROBERT F. SPROULL, Sun Microsystems, Inc. PETER SZOLOVITS, Massachusetts Institute of Technology ANDREW J. VITERBI, Viterbi Group, LLC PETER WEINBERGER, Google, Inc. JON EISENBERG, Director RENEE HAWKINS, Financial and Administrative Manager HERBERT S. LIN, Chief Scientist, CSTB LYNETTE I. MILLETT, Senior Program Officer NANCY GILLIS, Program Officer ENITA A. WILLIAMS, Associate Program Officer MORGAN R. MOTTO, Program Associate SHENAE BRADLEY, Senior Program Assistant ERIC WHITAKER, Senior Program Assistant For more information on CSTB, see its website at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail CSTB at email@example.com.
OCR for page R7
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Preface Given the reality of a densely interconnected information society, much has been written about the possibility that adversaries of the United States such as terrorists or hostile nations might conduct very damaging cyberattacks against critical sectors of the U.S. economy and critical national infrastructure that depend on reliably functioning, secure computer systems and networks. For some years, the topic of cybersecurity has been an important part of the report portfolio of the National Research Council,1 and a great deal of national attention has been given, in public, to the problem of how to protect U.S. information technology systems and networks against such attacks—that is, how to defend these systems and networks in both military and non-military contexts.2 But, perhaps reflecting the common wisdom of the time, these efforts have focused almost exclusively on the cyberdefense side of the equation. The possibility that the United States might choose to engage in cyberattacks to serve its own national interests—in cyberdefense as well 1 An old but still quite relevant report on this topic is CSTB/National Research Council, Computers at Risk, National Academy Press, Washington, D.C., 1991; other relevant NRC reports include CSTB/NRC, Trust in Cyberspace, National Academy Press, Washington, D.C., 1999, and NRC, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington, D.C., 2007. 2 See, for example, National Research Council, Information Technology for Counterterrorism, The National Academies Press, Washington, D.C., 2003; NRC, Cybersecurity Today and Tomorrow: Pay Now or Pay Later, The National Academies Press, Washington, D.C., 2002; and CSTB/NRC, Realizing the Potential of C4I: Fundamental Challenges, National Academy Press, Washington, D.C., 1998.
OCR for page R8
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities as in other areas—is rarely discussed in public. One recent public hint of U.S. government interest in the topic can be found in the still-classified Comprehensive National Cybersecurity Initiative (CNCI), which was adopted as national policy in January 2008 as part of National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23). According to the director of national intelligence in February 2009, “The CNCI addresses current cybersecurity threats, anticipates future threats and technologies, and develops a framework for creating in partnership with the private sector an environment that no longer favors cyber intruders over defenders. The CNCI includes defensive, offensive [emphasis added], education, research and development, and counterintelligence elements.”3 Press reports indicated that the CNCI involves 12 components designed to protect computer networks and systems and to improve information technology processes and policies.4 These components included a program to reduce the number of connections from federal agencies to external computer networks to 100 or fewer. The other 11 programs address intrusion detection; intrusion prevention; research and development; situational awareness (involving the coordination of information from all agencies to help secure cyber networks and systems); cyber counterintelligence; classified network security; cyber education and training; implementation of information security technologies; deterrence strategies [emphasis added]; global supply chain security; and public/private collaboration. There is some public writing on the subject of cyberattack. Starting in the mid-1990s, the first papers on the topic emerged, many of them focusing on the legal issues involved in military uses of cyberattack.5 One of 3 Dennis Blair, Director of National Intelligence, Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence, February 12, 2009, available at http://intelligence.senate.gov/090212/blair.pdf. 4 See Jill R. Aitoro, “National Cyber Security Initiative Will Have a Dozen Parts,” Government Executive, August 1, 2008, available at http://www.nextgov.com/nextgov/ng_20080801_9053.php. 5 See, for example, Lawrence T. Greenberg, Seymour E. Goodman, and Kevin J. Soo Hoo, Information Warfare and International Law, National Defense University Press, 1998; Michael Schmitt, “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,” Columbia Journal of Transnational Law 37:885-937, 1999; Christopher C. Joyner and Catherine Lotrionte, “Information Warfare as International Coercion: Elements of a Legal Framework,” European Journal of International Law 12(5):825-865, 2001; Jason Barkham, “Information Warfare and International Law on the Use of Force,” New York University International Law and Politics 34:57-113, 2001; Davis Brown, “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict,” Harvard International Law Journal 47(1):179-221, Winter 2006; Duncan B. Hollis, “New Tools, New Rules: International Law and Information Operations,” pp. 59-72 in Ideas as Weapons: Influence and Perception in Modern Warfare, G. David and T. McKeldin, eds., Potomac Books Inc., 2009.
OCR for page R9
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities the first studies to address the strategic implications of cyberattack was published by the RAND Corporation in 1996 (Strategic Information Warfare: A New Face of War).6 A later study covering the same topic in much more detail was published as Strategic Warfare in Cyberspace.7 A flurry of writing began to appear in the professional military literature in the late 1990s and early 2000s, but little or nothing can be found in this body of literature since around 2002 or 2003. THIS STUDY—FOCUS, APPROACH, AND PURPOSE Most of the writing to date has not brought together information technology experts who are knowledgeable in detail about what can and cannot be done from a technical standpoint with senior individuals who have policy experience, nor has it addressed the topic in an interdisciplinary manner that integrates expertise from the disciplines and fields that are relevant to the subject. The National Research Council undertook the present study (Box P.1) believing in the value of an integrated treatment that would help shed much-needed light on various important dimensions of cyberattack (and secondarily on the topic of cyberexploitation, a term that refers to the penetration of adversary computers and networks to obtain information for intelligence purposes). Such a treatment would provide a point of departure for others so that a broad variety of independent intellectual perspectives can be brought to bear on it. The Committee on Offensive Information Warfare first met in July 2006 and five times subsequently. Its earlier meetings were devoted primarily to briefings on a variety of topics related to cyberattack, and later meetings were devoted primarily to committee deliberations. The authoring committee did not receive classified information in the course of this study. What is sensitive about cyberattack is generally the fact of U.S. interest in a specific technology for cyberattack (rather than the nature of that technology itself); fragile and sensitive operational details that are not specific to the technologies themselves (e.g., the existence of a covert operative in a specific foreign country or a particular vulnerability); or capabilities and intentions of specific adversaries. None of these specific areas are particularly relevant to a study that focuses on the articulation of an intellectual framework for thinking about cyberattack. It is important to delineate the scope of what this report does and 6 Roger C. Molander, Andrew S. Riddile, and Peter A. Wilson, Strategic Information Warfare: A New Face of War, National Defense Research Institute, RAND, Washington, D.C., 1996, available at http://www.rand.org/pubs/monograph_reports/2005/MR661.pdf. 7 Gregory J. Rattray, Strategic Warfare in Cyberspace, MIT Press, Cambridge, Mass., 2001.
OCR for page R10
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities BOX P.1 Statement of Task The National Research Council will appoint an ad hoc committee to examine policy dimensions and legal/ethical implications of offensive information warfare, informed by expert perspectives on and knowledge of the underlying technologies. These policy dimensions include but are not limited to factors that differentiate between cyberattack as a law enforcement matter versus cyberattack as a national security matter, the extent to which the U.S. Department of Defense is constrained from acting in response to cyberattack of uncertain origin, appropriate definitions of concepts such as “force” or “armed attack” as they apply to different forms of offensive information warfare, the standards of proof required to establish the origin of a cyberattack, the nature and extent of actions that the United States may take unilaterally against a foreign cyberattacker, the possible utility of offensive information warfare as a mode of attack that is different from kinetic or physical attack, the nature and extent to which offensive information warfare may be a part of conventional military operations, and the extent to which a nation undertaking offensive information warfare may increase the likelihood that it would be attacked in response, either similarly or dissimilarly. Project products will be directed at policy makers and researchers, the former so that decision making can occur in a more informed manner and the latter so that other independent researchers will have a firm base on which to ground their own work. does not do. This report does not provide a detailed explication of U.S. policy and practice regarding cyberattack or cyberexploitation, nor does it describe cyberattack/cyberexploitation capabilities available to the U.S. government. Instead, it provides a framework for understanding cyberattack that describes the basic technologies of cyberattack and cyberexploitation, articulates basic principles of what cyberattack and cyberexploitation might do, and discusses some of the policy goals that these actions might serve. It addresses some of the legal and ethical considerations that such uses might entail, and it suggests some analytical tools that might be useful for thinking about cyberattack from a policy perspective. It includes a number of findings and recommendations. Just as other areas of national security have benefited from a vigorous public airing of issues, the authoring committee hopes that this report will stimulate debate and discussion on cyberattack as an instrument of national policy at the nexus of technology, policy, law, ethics, and national security both inside and outside government and thus bring to bear on these knotty issues the best intellectual thought and consideration. A historical analogy might be drawn to the study of nuclear issues. In many ways, today’s state of affairs regarding public discourse on
OCR for page R11
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities cyberattack is analogous to the nuclear debate of 50 years ago. At that time, nuclear policy issues were veiled in secrecy, and there was little public debate about them. Herman Kahn’s books (On Thermonuclear War, Thinking the Unthinkable) were the first that addressed in the open literature what it might mean to fight a nuclear war. These seminal pieces did much to raise the public profile of these issues and stimulated an enormous amount of subsequent work outside government that has had a real impact on nuclear policy. From our perspective as the co-chairs of this study, the topic of cyberattack is so important across a multitude of national interests—not just defense or even just national security—that it deserves robust and open discussion and debate, both among thoughtful professionals in the policy, military, intelligence, law enforcement, and legal fields and among security practitioners in the private sector. But for such discussion and debate to be productive, they must be based on some common foundation of information about the topic at hand. Thus, the report’s role in providing education and background is in our view its most important function. It is because of the potential relevance of cyberattack across a broad spectrum of national interests that it was necessary to constitute a study committee whose members had very diverse backgrounds and many different perspectives on various aspects of cyberattack. The committee assembled for this project included individuals with expertise in networking, computer security, large-scale computer systems and architecture, national security and defense policy, intelligence and military operations, international law governing war and conflict, human rights, international relations and diplomacy, constitutional law and civil liberties, and domestic law enforcement as it relates to cybersecurity. Nonetheless, no one person had all of the necessary expertise across all relevant areas, and the committee expended considerable effort to bring all of its members to a common (if basic) level of understanding in these areas. The committee was by design highly heterogeneous and interdisciplinary, a characteristic intended to promote discussion and synergy among its members. As for the two co-chairs, one of us (Owens) has extensive military experience and the other (Dam) has extensive experience in foreign affairs—and both of us have served in the private sector. We hope that a second function of this report is to help establish the awareness needed in the elected government (executive and legislative) for making good decisions and providing proper oversight of capabilities for cyberattack. As the report points out, the U.S. government does not appear to be well organized to manage these capabilities, either in an employment sense (when and under what circumstances a particular kind of cyberattack should be used) or in an acquisition sense (how to obtain capabilities for cyberattack). Many of the report’s findings and recom-
OCR for page R12
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities mendations focus on taking some first steps for better organization of the government in this regard. How will the presentation and analysis in this report endure over time? The question is natural given the inevitability of changes in the technological and global environment. Based on historical experience, it is highly likely that in a decade the technological substrate underlying information technology applications will be very different by one, two, or three orders of magnitude in a number of dimensions—processor power, cost, bandwidth, storage, and so on. Deployments of information technology will be more pervasive. Connectivity among individuals, embedded computers, and organizations is likely to increase dramatically, and myriad applications that are entirely unimagined now will be commonplace. The importance of the Internet (or its follow-on) to society will be greater as well. The global environment is also likely to be substantially different, although how it will be different cannot be predicted in the same way that Moore’s law predicts circuit densities. Many analysts of international affairs predict a rise in the significance of actors not tied or only loosely tied to nation-states, or of adversaries that do not share U.S. or Western values or legal traditions with respect to the conduct of conflict. Few portions of the report are tied explicitly to current technologies, although a genuine breakthrough in technologies to support non-cooperative high-precision attribution of attacks to bad actors in cyberspace would have significant implications for several findings in this report. A rise in the non-state actor cyberthreat would be significant as well—and although the committee has attempted to grapple with that issue in its analysis, it would be the first to admit that a great deal more work is needed in that area. Thus, it is the committee’s hope that the framework established in this report for understanding cyberattack will endure for some time to come. As this report goes into final publication in July 2009, a number of significant events have occurred. For example, on May 29, 2009, the Obama White House released its 60-day review of cybersecurity policy (Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure8), a document that is essentially silent on the offensive dimension of cybersecurity. On June 23, Secretary of Defense Robert Gates directed the establishment of the U.S. Cyber Command, a sub-unified command subordinate to U.S. Strategic Command and responsible for military cyberspace operations.9 8 See http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf. 9 Siobhan Gorman and Yochi Dreazen, “Military Command Is Created for Cyber Security,” Wall Street Journal, June 24, 2009, available at http://online.wsj.com/article/SB124579956278644449.html.
OCR for page R13
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities ACKNOWLEDGMENTS This study could not have been undertaken without the financial support of the MacArthur Foundation and the Microsoft Corporation, both of which recognized the potential legal, policy, and ethical significance of new technologies for cyberattack. The National Research Council itself also provided some funding for this project. The complexity of the issues explored in this report meant that the committee had much to learn from its briefers. The committee is grateful to many individuals: For briefings on cyberattack technologies, Steven Bellovin of Columbia University and William Howard, independent consultant; For briefings on operational dimensions of cyberattack, Patrick D. Allen of General Dynamics Advanced Information Systems, Lt. Gen. Bill Donahue, U.S. Air Force (retired), and Sam Gardiner, U.S. Air Force (retired); For briefings on the various legal dimensions of cyberattack and cyberexploitation, Thomas Wingfield of the Potomac Institute, LTC Eric Jensen of the Office of the Judge Advocate General, U.S. Army, Joe Dhillon of the McGeorge School of Law at the University of the Pacific, Jeff Smith (former CIA General Counsel), Jim Dempsey of the Center for Democracy and Technology, Richard Salgado of Yahoo!, Eugene Volokh of the UCLA School of Law, and Robert Weisberg and Helen Stacy of the Stanford University Law School; For briefings on the ethics of cyberattack, Jeff McMahan of Rutgers University and Father J. Bryan Hehir of Harvard University; For briefings on current DOD perspectives on cyberattack, Admiral Elizabeth Hight of the JTFGNO, LTC Forrest Hare of the U.S. Air Force, and Dr. Linton Wells of the Department of Defense; For briefings on policy issues regarding non-lethal weapons, David Koplow of Georgetown University; For briefings on private sector perspectives, Rod Wallace of Nortel, Milo Medin of M2Z Networks, Jeffrey I. Schiller of MIT, and Naveen Jain of Intelius; For a briefing on deterrence theory as it might be applied to cyberattack, Thomas Schelling of the University of Maryland; and For a variety of independent perspectives on the subject of cyberattack, Stephen Cambone (former Undersecretary of Defense for Intelligence), James N. Miller, Jr. (former Deputy Assistant Secretary of Defense for Requirements, Plans, and Counterproliferation), Dan Kuehl of the National Defense University, Stuart Starr of the Center for Technology and National Security Policy at the National Defense University, K.A. Taipale of the Center for Advanced Studies in Science and Technology
OCR for page R14
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Policy, Neal Pollard of Georgetown University and the National Counterterrorism Center, and Dorothy E. Denning of the Naval Postgraduate School. Throughout the study, the committee’s complex and challenging technical and political discussions encompassed a wide range of thought and perspectives offered by those who appeared before the committee, the committee itself, and participants in the review process. In addition, from the CSTB staff, we thank Ted Schmitt, Kristen Batch, and David Padgham for substantial research assistance, and Janice Sabuda and Eric Whitaker for administrative support. Lastly, this report would not have been possible without the leadership and stamina of Herb Lin, whose organizational skills, leadership of the staff, and thoughtful, complete agendas for committee discussion exceeded the excellent standards established by the National Academies. Both of us are indebted to Herb for his counsel, his policy and technical knowledge, his ability to find “just the right wording” for contentious areas, and for the character and chemistry he has shown us in our personal dealings. The National Research Council is fortunate to have leaders of Herb Lin’s quality. This study and we co-chairs have benefited greatly from his deep involvement. Kenneth W. Dam and William A. Owens, Co-chairs Committee on Offensive Information Warfare
OCR for page R15
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Acknowledgment of Reviewers This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report: Matt Blaze, University of Pennsylvania, W. Earl Boebert, Sandia National Laboratories (retired), Lewis M. Branscomb, Independent Consultant, La Jolla, California, Jogindar (Joe) Dhillon, State of California, Stephen Dycus, Vermont Law School, Michael Froomkin, University of Miami School of Law, Dan Geer, Geer Risk Services, Ronald Lee, Arnold and Porter, Martin Libicki, RAND Corporation, James McCarthy, USAF Academy, John McLaughlin, Johns Hopkins University, Richard Mies, SAIC, Gregory Rattray, Independent Consultant, San Antonio, Texas,
OCR for page R16
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Abe Sofaer, Stanford University, Eugene Spafford, Purdue University, Phil Venables, Goldman Sachs & Co., Peter Weinberger, Google, Inc., and Marc J. Zwillinger, Sonnenschein Nath & Rosenthal. Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by William H. Press, University of Texas at Austin, and Eugene Volokh, University of California at Los Angeles. Appointed by the National Research Council, they were responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.
OCR for page R17
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Contents SYNOPSIS 1 1 OVERVIEW, FINDINGS, AND RECOMMENDATIONS 9 1.1 What Is Cyberattack and Why Is It Important?, 9 1.2 Focus of and Motivation for This Report, 12 1.3 Cyberattack in the Context of an Information Strategy for the United States, 17 1.4 Important Characteristics of Cyberattack and Cyberexploitation, 19 1.5 Illustrative Applications of Cyberattack, 21 1.6 The Legal Framework Governing Cyberattack, 21 1.7 The Dynamics of Cyberconflict, 22 1.8 Findings, 24 1.8.1 Technologies as Instruments of U.S. National Policy, 24 1.8.2 Overarching Findings, 25 1.8.3 Legal and Ethical Findings, 31 1.8.4 Policy Findings, 39 1.8.5 Technical and Operational Findings, 43 1.8.6 Organizational Findings, 53 1.9 Recommendations, 56 1.9.1 Fostering a National Debate on Cyberattack, 57 1.9.2 Organizing the Decision-Making Apparatus of the U.S. Government for Cyberattack, 62 1.9.3 Supporting Cyberattack Capabilities and Policy, 66
OCR for page R18
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 1.9.4 Developing New Knowledge and Insight into a New Domain of Conflict, 73 1.10 Conclusion, 75 PART I FRAMING AND BASIC TECHNOLOGY 2 TECHNICAL AND OPERATIONAL CONSIDERATIONS IN CYBERATTACK AND CYBEREXPLOITATION 79 2.1 Important Characteristics of Cyberattack and Cyberexploitation, 80 2.2 The Basic Technology of Cyberattack, 82 2.2.1 Information Technology and Infrastructure, 82 2.2.2 Vulnerability, Access, and Payload, 83 2.2.3 Scale and Precision, 89 2.2.4 Critical Periods of Cyberattack, 89 2.2.5 Approaches for Cyberattack, 91 2.2.6 Propagating a Large-Scale Cyber Offensive Action, 106 2.2.7 Economics, 108 2.3 Operational Considerations, 110 2.3.1 The Effects of Cyberattack, 110 2.3.2 Possible Objectives of Cyberattack, 114 2.3.3 Target Identification, 116 2.3.4 Intelligence Requirements and Preparation, 118 2.3.5 Effects Prediction and Damage Assessment, 121 2.3.6 Complexity, Information Requirements, and Uncertainty, 126 2.3.7 Rules of Engagement, 128 2.3.8 Command and Control, 129 2.3.9 Coordination of Cyberattack Activities with Other Institutional Entities, 132 2.3.10 A Rapidly Changing and Changeable Technology and Operational Environment for Cyberattack, 133 2.4 Characterizing an Incoming Cyberattack, 134 2.4.1 Tactical Warning and Attack Assessment, 135 2.4.2 Attribution, 138 2.4.3 Intent, 141 2.5 Active Defense for Neutralization as a Partially Worked Example, 142
OCR for page R19
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 2.6 Technical and Operational Considerations for Cyberexploitation, 149 2.6.1 Technical Similarities in and Differences Between Cyberattack and Cyberexploitation, 149 2.6.2 Possible Objectives of Cyberexploitation, 150 2.6.3 Approaches for Cyberexploitation, 152 2.6.4 Some Operational Considerations for Cyberexploitation, 153 2.7 Historical Precedents and Lessons, 156 PART II MISSION AND INSTITUTIONAL PERSPECTIVES 3 A MILITARY PERSPECTIVE ON CYBERATTACK 161 3.1 U.S. Military Doctrine and Cyberattack, 161 3.2 Department of Defense Organization for Cyberattack, 165 3.3 Rules of Engagement, 167 3.4 Some Historical Perspective, 171 3.5 Cyberattack in Support of Military Operations—Some Hypothetical Examples, 177 3.5.1 Cyberattack in Support of Defense, Exploitation, and Other Information Operations, 177 3.5.2 Cyberattack in Support of Traditional Military Operations, 179 3.5.3 Cyberattack in Support of Other Operations, 180 3.6 Operational Planning, 182 3.7 Human Capital and Resources, 184 3.8 Weapons Systems Acquisition, 186 4 AN INTELLIGENCE COMMUNITY PERSPECTIVE ON CYBERATTACK AND CYBEREXPLOITATION 188 4.1 Intelligence Collection and Analysis, 188 4.1.1 Governing Principles, 188 4.1.2 How Cyberexploitation Might Be Used to Support Intelligence Collection, 190 4.2 Covert Action, 193 4.2.1 Governing Principles, 193 4.2.2 How Cyberattack Might Be Used in Covert Action, 195 4.3 Possible Intelligence Community Interest in Cyberattack an Cyberexploitation, 198
OCR for page R20
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 5 PERSPECTIVES ON CYBERATTACK OUTSIDE NATIONAL SECURITY 200 5.1 Cyberattack and Domestic Law Enforcement, 200 5.2 Threat Neutralization in the Private Sector, 202 5.2.1 Possible Response Options for Private Parties Targeted by Cyberattack, 202 5.2.2 Self-defense by Private Parties, 204 5.2.3 Regulating Self-defense by Private Parties, 208 5.2.4 Negative Ramifications of Self-defense by Private Parties, 210 5.3 Cyberexploitation in the Private Sector, 212 5.4 Threat Neutralization on Behalf of Non-military Government Agencies, 213 6 DECISION MAKING AND OVERSIGHT 214 6.1 Executive Branch, 214 6.1.1 Declaratory Policy, 215 6.1.2 Acquisition Policy, 220 6.1.3 Employment Policy, 223 6.1.4 Operational Oversight, 229 6.2 Legislative Branch, 232 6.2.1 Warmaking Powers, 232 6.2.2 Budget, 234 6.2.3 Oversight (and Notification), 235 PART III INTELLECTUAL TOOLS FOR UNDERSTANDING AND THINKING ABOUT CYBERATTACK 7 LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 239 7.1 The Basic Framework, 239 7.2 International Law, 241 7.2.1 The Law of Armed Conflict, 241 7.2.2 Applying the Law of Armed Conflict to Cyberattack, 250 7.2.3 International Law and Non-state Actors, 273 7.2.4 The Convention on Cybercrime, 277 7.2.5 Human Rights Law, 281 7.2.6 Reciprocity, 282
OCR for page R21
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 7.3 Domestic Law, 282 7.3.1 Covert Action and Military Activity, 283 7.3.2 Title III and the Foreign Intelligence Surveillance Act, 286 7.3.3 Posse Comitatus, 288 7.3.4 The Computer Fraud and Abuse Act and Other Federal Law, 288 7.3.5 The War Powers Resolution, 290 7.3.6 Executive Order 12333 (United States Intelligence Activities), 290 7.4 Foreign Domestic Law, 292 8 INSIGHTS FROM RELATED AREAS 293 8.1 Nuclear Weapons and Nuclear War, 293 8.2 Space, 296 8.3 Biological Weapons, 297 8.4 Non-lethal Weapons, 299 9 SPECULATIONS ON THE DYNAMICS OF CYBERCONFLICT 302 9.1 Deterrence and Cyberconflict, 302 9.2 Escalatory Dynamics of Cyberconflict Between Nation-States, 306 9.2.1 Crisis Stability, 306 9.2.2 Escalation Control and Management, 308 9.2.3 Complications Introduced by Patriotic Hackers, 310 9.2.4 Incentives for Self-restraint in Escalation, 311 9.2.5 Termination of Cyberconflict, 311 9.2.6 The Role of Transparency, 312 9.2.7 Catalytic Cyberconflict, 312 9.3 Cyberconflict Between the United States and Non-state Actors, 313 9.4 The Political Side of Escalation, 315 10 ALTERNATIVE FUTURES 318 10.1 Regulatory Regimes—Basic Principles, 318 10.2 Regulatory Regimes for Cyberattack, 321 10.2.1 Direct Approaches Based on Traditional Arms Control, 321 10.2.2 Indirect Approaches Based on Regulation of Non-military Domains, 326 10.3 Foreign Perspectives on Cyberattack, 328
OCR for page R22
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities APPENDIXES A Biographies of Committee Members and Staff 337 B Meeting Participants and Other Contributors 348 C Illustrative Criminal Cyberattacks 350 D Views on the Use of Force in Cyberspace 356 E Technical Vulnerabilities Targeted by Cyber Offensive Actions 360