Skip to main content

Currently Skimming:

6 Decision Making and Oversight
Pages 214-236

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.


From page 214...
... That is, the committee found that nuclear history and policy are useful points of departure -- framing notions and metaphorical checklists -- for understanding policy regarding cyberattack but not that the conclusions that emerge from nuclear policy and history are directly applicable.  Robert S
From page 215...
... Declaratory policy is not necessarily linked only to the use of nuclear weapons. In 1969, the United States renounced first use of lethal or incapacitating chemical agents and weapons and unconditionally renounced all methods of biological warfare. In 1997, the United States ratified the Chemical Weapons Convention, which prohibits the signatories from using lethal chemical weapons under any circumstances.
From page 216...
... If, for example, the declaratory policy states that a nation will not use weapon X, and its armed forces do not train to use weapon X, and its military doctrine does not contemplate the use of weapon X, that nation may well be ill-prepared to use weapon X in practice even if its leaders decide to act in violation of the stated declaratory policy. 6.1.1.2  Present Status For the use of cyberweapons, the United States has no declaratory policy, although the DOD Information Operations Roadmap of 2003 stated that "the USG should have a declaratory policy on the use of cyberspace for offensive cyber operations." The 2006 National Military Strategy for Cyberspace Operations indicates that "as a war-fighting domain .
From page 217...
... The United States acquires cyberattack capabilities as part of its overall deterrent posture, which is based on full spectrum dominance -- the abil ity to control any situation or defeat any adversary across the range of military operations. Cyberattack capabilities provide the U.S.
From page 218...
... interests, the United States will unilaterally refrain from conducting against nations cyberattacks that would have the potential for causing widespread societal devastation and chaos. Accordingly, the United States will refrain from conducting cyberattacks against a nation's electric power grids and financial  Joint Chiefs of Staff, The National Military Strategy of the United States of America, 2004, available at http://www.strategicstudiesinstitute.army.mil/pdffiles/nms2004.pdf.
From page 219...
... renunciation of biological weapons contributed to stigmatizing use of such weapons by any nation. The benefit to the United States if such stigmatization occurred would be a lower likelihood that it would experience such an attack.
From page 220...
... Much has been written about the drivers of military acquisition, and a key driver that emerges from these writings is the anticipation that an adversary has or will acquire a particular military capability to which the nation must respond quickly by itself acquiring a similar or countering capability. Acquisition policy addresses issues such as how much should be spent on weapons of various kinds, how many of what kind should be acquired on what timetable, and what the characteristics of these weapons should be. A statement of acquisition policy regarding nuclear weapons might say something like "the United States must deploy in the next 2 decades 500 land-based new ICBMs with 10 nuclear warheads apiece,  See, for example, Stephen Rosen, Chapter 7, "What Is the Enemy Building?
From page 221...
... for cyberattack differs in important ways from acquiring ordinary weapons, raising a number of issues for the acquisition process. For example, the rapid pace of information technology change places great stress on acquisition processes for cyberattack capabilities (and for cyberdefense as well)
From page 222...
... . Programs for acquiring cyberattack capabilities and tools are likely to cost far less than these amounts.
From page 223...
... Acquisition policy should also address the issue of the proper balance of resource allocation. The absolute budget sums involved in acquiring cyberattack capabilities are relatively small, as noted in Chapter 2.
From page 224...
... What targets might or might not be appropriate for cyberattack and under what circumstances would this be so? From what can be determined from public statements, the DOD believes that cyberattack has military utility, and thus the use of cyberattack is subject to constraints imposed by the law of armed conflict.
From page 225...
... In addition, if forces in the field lose confidence in the authoritativeness of commands from their national command authority, they may resort to following standing orders issued before the conflict began -- and such orders may well instruct these forces to act in more destructive ways than they otherwise would. These considerations are particularly important if the adversary has nuclear weapons and if the cyberattack cannot differentiate between command and control systems for the adversary's conventional and nuclear forces.
From page 226...
... A number of important questions arise in this context -- the large amount of intelligence information likely to be needed for such options, the timeliness of information collected to support preplanned options, and indeed the actual value of prompt cyber response under various circumstances. A third important issue is ensuring that cyberattack activities are sufficiently visible to higher authorities, including the political leadership.
From page 227...
... , and in such a balance, adversary cyberattacks-AUIPD will obviously seem to be much more effective than those of the United States. A third important factor contributing to this perception is the fact 11 Public reports indicate that this initiative has 12 components intended to reduce to 100 or fewer the number of connections from federal agencies to external computer networks, and to make other improvements in intrusion detection, intrusion prevention, research and development, situational awareness, cyber counterintelligence, classified network security, cyber education and training, implementation of information security technologies, deterrence strategies, global supply chain security, and public/private collaboration.
From page 228...
... for economic purposes. Under traditional international law, espionage -- for whatever purpose -- is not banned, and thus the first possibility suggests a need to revise the current international legal regime with respect to the propriety of state-sponsored economic espionage.
From page 229...
... From time to time these mechanisms are unsuccessful in informing senior decision makers, and it is often because the individual ordering the execution of that mission did not believe that such an order required consultation with higher authority. In a cyberattack context, oversight issues arise at two stages -- at the actual launch of a cyberattack and in activities designed for intelligence preparation of the battlefield to support a cyberattack.
From page 230...
... On the other hand, the risks of error or inadvertent escalation are generally regarded as greatest when humans are not in the decision-making loop. Despite periodic calls for the nuclear command and control system to be automated so as to ensure that retaliation would take place in the event of a Soviet nuclear attack, the United States has always relied on humans (the President and the National Command Authority)
From page 231...
... The essential problem is that the boundaries of its national airspace provide almost no time for its air defense forces to react should the airplane turn out to have immediate hostile intent. Even if it is known to be unarmed, it is most likely to be a reconnaissance airplane collecting information that could be useful in the event that an air strike was launched against that nation.
From page 232...
... Constitution authorizes the Congress to "declare war" and gives Congress numerous powers over the military, including the powers to "raise and support armies," to "provide and maintain a navy," and to "make rules for the government and regulation of the land and naval forces." Article II, Section 2 gives the President the "executive power" and provides that he "shall be commander in chief of the Army and Navy of the United States." At the time the Constitution was written, the primary purpose of national armed forces was to fight wars, and these provisions were intended to give Congress primary responsibility for the decision to initiate war, and to give the President the primary responsibility for the conduct of war.14 Over time, as the international powers and responsibilities of the United States have grown, and as the standing U.S. armed forces have grown, the President has asserted more and more authority to initiate armed conflicts in the absence of authorization from Congress.
From page 233...
... in numbers which substantially enlarge United States Armed Forces equipped for combat [who are] already located in a foreign nation," and requires the President to "terminate any such use of armed forces" within 60 days (subject to a one-time 30-day extension)
From page 234...
... But just as important is the fact that the funding for the development and deployment of cyberattack capabilities is both minuscule and deliberately obscured in unclassified budget justifications. For example, in the FY 2008 DOD budget request, one request for the "demonstration of offensive cyber operations technologies allowing attack and exploitation of adversary information systems" by the Air Force is contained in a program element component of $8.012 million; the program element is entitled "Advanced Technology Development," and the component "Battlespace Information Exchange."18 A second request for developing cyber operations technologies is contained in a program element of $11.85 million for FY 2008; this program element is entitled "Applied Research on Command, Control, and Communications."19 A reasonable observation is that development and demonstration of cyberattack capabilities are distributed over multiple program elements, 18 See http://www.dtic.mil/descriptivesum/Y2008/AirForce/0603789F.pdf.
From page 235...
... Certain DOD operations have also been subject to a notification requirement. Section 1208 of the FY 2005 Defense Authorization Act gave the secretary of defense the authority to expend up to $25 million in any fiscal year to "provide support to foreign forces, irregular forces, groups, or individuals engaged in supporting or facilitating ongoing military operations by United States special operations forces to combat terrorism." In the event that these funds were used, the secretary of defense was required to notify the congressional defense committees expeditiously and in writing, and in any event in not less than 48 hours, of the use of such authority with respect to that operation.
From page 236...
... 236 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES number of applications made for orders and extensions of orders approving electronic surveillance under the Foreign Intelligence Surveillance Act, and the total number of such orders and extensions either granted, modified, or denied.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More information on Chapter Skim is available.