Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Proceedings of a WorkshoP on deterring cyberattacks Informing Strategies and Developing Options for U.S. Policy Committee on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy Computer Science and Telecommunications Board Division on Engineering and Physical Sciences Policy and Global Affairs Division 

THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001 NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee that oversaw this project were chosen for their special competences and with regard for appropriate balance. Support for this project was provided by the Office of the Director of National Intelligence under award number HHM402-05-D0011, DO #12. Any opinions, findings, conclusions, or recommendations expressed in this publica - tion are those of the authors and do not necessarily reflect the views of the organization that provided support for the project. International Standard Book Number-13: 978-0-309-16035-3 International Standard Book Number-10: 0-309-16035-9 Additional copies of this report are available from: The National Academies Press 500 Fifth Street, N.W., Lockbox 285 Washington, DC 20055 (800) 624-6242 (202) 334-3313 (in the Washington metropolitan area) Internet: http://www.nap.edu Copyright 2010 by the National Academy of Sciences. All rights reserved. Printed in the United States of America 

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council. www.national-academies.org 



COMMITTEE ON DETERRINg CybERATTACkS: INFORMINg STRATEgIES AND DEvELOPINg OPTIONS FOR u.S. POLICy JOHN D. STEINBRUNER, University of Maryland, Chair STEVEN M. BELLOVIN, Columbia University STEPHEN DYCUS, Vermont Law School SUE ECKERT, Brown University JACK L. GOLDSMITH III, Harvard Law School ROBERT JERVIS, Columbia University JAN M. LODAL, Lodal and Company PHILIP VENABLES, Goldman Sachs Staff HERBERT S. LIN, Study Director and Chief Scientist, Computer Science and Telecommunications Board TOM ARRISON, Senior Program Officer, Policy and Global Affairs Division VIRGINIA BACON TALATI, Associate Program Officer  

COMPuTER SCIENCE AND TELECOMMuNICATIONS bOARD ROBERT F. SPROULL, Oracle, Chair PRITHVIRAJ BANERJEE, Hewlett Packard Company STEVEN M. BELLOVIN, Columbia University WILLIAM J. DALLY, NVIDIA Corporation and Stanford University SEYMOUR E. GOODMAN, Georgia Institute of Technology JOHN E. KELLY III, IBM JON M. KLEINBERG, Cornell University ROBERT E. KRAUT, Carnegie Mellon University SUSAN LANDAU, privacyink.org DAVID E. LIDDLE, U.S. Venture Partners WILLIAM H. PRESS, University of Texas PRABHAKAR RAGHAVAN, Yahoo! Research DAVID E. SHAW, Columbia University ALFRED Z. SPECTOR, Google, Inc. JOHN A. SWAINSON, Swainson Analysis Services, Inc. PETER SZOLOVITS, Massachusetts Institute of Technology PETER J. WEINBERGER, Google, Inc. ERNEST J. WILSON III, University of Southern California Staff JON EISENBERG, Director RENEE HAWKINS, Financial and Administrative Manager HERBERT S. LIN, Chief Scientist, CSTB LYNETTE I. MILLETT, Senior Program Officer EMILY ANN MEYER, Program Officer ENITA A. WILLIAMS, Associate Program Officer VIRGINIA BACON TALATI, Program Associate SHENAE BRADLEY, Senior Program Assistant ERIC WHITAKER, Senior Program Assistant For more information on CSTB, see its Web site at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu. i 

Preface In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation’s important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures (that is, measures taken unilaterally by an organization to increase the resistance of an information technology system or network to attack), it is natural to consider the possibility that deterrence might play a useful role in preventing cyberattacks against the United States and its vital interests. At the request of the Office of the Director of National Intelligence, the National Research Council (NRC) undertook a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government (see Box P.1 for the statement of task). In the first phase, the Committee on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. policy produced a letter report, released in March 2010 and reprinted in Appendix A of this volume, that provided basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks. The second phase of this project entailed selecting appropriate experts to write papers on questions raised in the letter report. A number of experts, identified by the committee, were commissioned to write these papers under contract with the National Academy of Sciences. Commissioned papers were discussed at a public workshop held June 10-11, 2010, in Washington, D.C., and authors revised their papers after the workshop. In addition to commissioning papers, the NRC sponsored a prize competition for papers that addressed one or more of the questions raised in the letter report. Two of these papers were singled out for recognition as noted on p. xii in the Contents and have been included in Group 7 of this volume. Although the authors were selected and the papers reviewed and discussed by the committee, the individually authored papers do not reflect consensus views of the committee. Under NRC guidelines for conducting workshops, workshop activities do not seek consensus, and proceedings (such as the present volume) cannot be said to represent an NRC view on the subject at hand. Furthermore, indi - vidual members of the committee may agree or disagree with the findings, conclusions, or analysis of ii 

iii PREFACE Box P.1 Statement of Task An ad hoc committee will oversee a two-phase activity to foster a broad, multidisciplinary exami- nation of deterrence strategies and their possible utility to the U.S. government in its policies toward preventing cyberattacks. In the first phase, the committee will prepare a letter report identifying the key issues and questions that merit examination. In the second phase, the committee will engage experts to prepare papers that address key issues and questions, including those posed in the letter report. The papers will be compiled in a National Research Council publication and/or published by appropriate journals. This phase will include a committee meeting and a public workshop to discuss draft papers, with authors finalizing the papers following the workshop. any given paper in this volume, and the reader should view these papers as offering points of departure that can stimulate further work on the topics discussed. The papers presented in this volume are published essentially as received from the authors, with some proofreading corrections made as limited time allowed. The meeting agenda and biosketches of the speakers are provided in Appendixes B and C, respec - tively. Appendix D provides biosketches of the committee and staff. 

Acknowledgment of Reviewers This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of the papers contained in this volume: Amitai Aviram, University of Illinois Robert Axelrod, University of Michigan William Banks, Syracuse University David Elliott, Stanford University Anita Jones, University of Virginia Cheryl Koopman, Stanford University Ronald Lee, Arnold & Porter, LLP Joseph Nye, Harvard University Francesco Parisi, University of Minnesota Joel Reidenberg, Fordham University Jerome Saltzer, Massachusetts Institute of Technology John Savage, Brown University Dan Schutzer, Financial Services Technology Consortium Walter Slocombe, Caplin & Drysdale Jack Snyder, Columbia University Joel Trachtman, Tufts University Jenell Trigg, Lerman Senter, PLLC Although the reviewers listed above have provided many constructive comments and sug- gestions, they were not asked to endorse the views presented in any of these commissioned and ix 

x ACknowlEdgmEnt oF REviEwERS contributed papers, nor did they see the final draft of any of these papers prior to publication. The review of this report was overseen by Liz Panos, DEPS Report Review Officer. She was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of the commissioned and contributed papers in this volume rests entirely with the individual author(s). 

Contents group 1—Attribution and Economics Introducing the Economics of Cybersecurity: Principles and Policy Options 3 tyler moore Untangling Attribution 25 daid d. Clark and Susan landau A Survey of Challenges in Attribution 41 w. Earl Boebert group 2—Strategy, Policy, and Doctrine Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm 55 Patrick m. morgan Categorizing and Understanding Offensive Cyber Capabilities and Their Use 77 gregory Rattray and Jason Healey A Framework for Thinking About Cyber Conflict and Cyber Deterrence with Possible 99 Declaratory Policies for These Domains Stephen J. lukasik Pulling Punches in Cyberspace 123 martin libicki group 3—Law and Regulation Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, 151 and Armed Conflicts michael n. Schmitt xi 

xii ContEntS Cyber Security and International Agreements 179 Abraham d. Sofaer, daid Clark, and whitfield diffie The Council of Europe Convention on Cybercrime 207 michael A. vatis group 4—Psychology Decision Making Under Uncertainty 227 Rose mcdermott group 5—Organization of government The Organization of the United States Government and Private Sector for Achieving 245 Cyber Deterrence Paul Rosenzweig group 6—Privacy And Civil Liberties Civil Liberties and Privacy Implications of Policies to Prevent Cyberattacks 273 Robert gellman group 7—Contributed Papers Targeting Third-Party Collaboration1 313 geoff A. Cohen Thinking Through Active Defense in Cyberspace2 327 Jay P. kesan and Carol m. Hayes Appendixes A Reprinted Letter Report from the Committee on Deterring Cyberattacks 345 B Workshop Agenda 375 C Biosketches of Authors 377 D Biosketches of Committee and Staff 385 1This paper was awarded First Prize in the National Research Council’s Prize Competition for Cyberdeterrence Research and Scholarship “for original first steps in addressing the problem of third-party contributors to cyberinsecurity.” 2This paper was awarded Honorable Mention in the National Research Council’s Prize Competition for Cyberdeterrence Re - search and Scholarship “for raising important issues regarding active defense in cyberspace.”