Currently Skimming:

1 Overview, Findings, and Recommendations
Pages 9-76


From page 9...
... Even more importantly, the movements and actions of military forces are increasingly coordinated through computer-based networks that allow information and common pictures of the battlefield to be shared. Logistics are entirely dependent on computer-based scheduling and optimization.
From page 10...
... Such an action is exemplified by a computer virus that searches the hard disk of any infected computer and e-mails to the hostile party all files containing a credit card number. Collectively, both forms of hostile action are termed "cyber offensive operations," or simply, "cyber offense." In this report, because the distinction between them is often important, the two forms of hostile action are given individual designators and somewhat expanded definitions: • Cyberattack refers to the use of deliberate actions -- perhaps over an extended period of time -- to alter, disrupt, deceive, degrade, or destroy  An Assessment of International Legal Issues in Information Operations, 2nd edition, Department of Defense, Office of General Counsel, November 1999.
From page 11...
... But in practice, the destruction of or damage to an adversary computer or network could be accomplished by kinetic as well as cyber actions. Thus, as acknowledged by the Department of Defense, a planner contemplating the destruction of an adversary computer or network should think about both cyberattack and kinetic attack options.
From page 12...
... Intelligence government to date Interactions with Based on explicit Based on intelligence reporting tactical military inclusion in battle plans operations Characterization Warfighters Intelligence community of personnel 1 Discussion of these terms and concepts can be found in Chapters 2, 3, and 4. 2 Covert action involving cyberattack would fall under Title 50 authorities.
From page 13...
... . In addition, cyberattack is conceivably a tool that law enforcement agencies or even the private sector might wish to use under some circumstances (discussed in Chapter 5)
From page 14...
... (It is perhaps emblematic of the state of discussion today that there is no standard and widely accepted term that denotes attacks on computer systems and networks.) For example: • The term "information operations" was used by the Joint Chiefs of Staff in 1998 to denote "actions taken to affect adversary information and information systems while defending one's own information and information systems." Information operations were characterized as offensive or defensive, where "offensive information operations" were conducted to affect adversary decision makers and achieve or promote specific objectives.
From page 15...
... 1 This description of the various terms is derived in part from Davis Brown, "A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict," Harvard International Law Journal, 47(1):179-221, Winter 2006.
From page 16...
... But Ruritania may regard such a probe as a hostile action by Zendia against it, because such probes can be used to develop information useful in a cyberattack. The inadequacy of passive defense suggests that the national debate over cybersecurity necessarily includes a consideration of attack options for defensive purposes.
From page 17...
... The committee makes this gun-related analogy not to address any particular policy issue related to private or criminal or even police usage of guns, but to point out that policy and legal issues inevitably flow from the use of offensive weapons by "good guys." 1.3  Cyberattack in the Context of an Information Strategy for the United States U.S. military forces have made great progress in developing and implementing plans for joint integrated operations in the conventional
From page 18...
... Espionage can be a precursor to a denial-of-service attack, while denial of service can be used to facilitate espionage by forcing one's adversary to use an insecure mode of communication. And information operations are themselves only one aspect of what might be called an information strategy for pursuing U.S.
From page 19...
... activities; imagery and mapping operations; data and information mining; and special operations forces. 1.4  Important Characteristics of Cyberattack and Cyberexploitation As noted above, cyberattack refers to actions -- perhaps taken over an extended period of time -- to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks.
From page 20...
... Cyberattacks can involve a much larger range of options than most traditional military operations, and because they are fundamentally about an attack's secondary and tertiary effects, there are many more possible outcome paths whose analysis often requires highly specialized knowledge. The time scales on which cyberattacks operate can range from tenths of a second to years, and the spatial scales may be anywhere from "concentrated in a facility next door" to globally dispersed.
From page 21...
... And the range of possible options is very large, so that cyberattack-based operations might be set in motion to influence an election, instigate conflict between political factions, harass disfavored leaders or entities, or divert money. Such operations can fall into the category of covert action, which by law is defined as political, economic, propaganda, or paramilitary activities and is usually designed to influence governments, events, organizations, or persons in support of foreign policy in a manner that is not necessarily attributable to the U.S.
From page 22...
... When the law of armed conflict was first articulated, only nation-states had the ability to wage war. Because cyberattack weapons are inexpensive and easily available, non-state actors (e.g., terrorist groups, organized crime)
From page 23...
... How can a modestly scoped cyberattack conducted by a government be differentiated from the background cyberattacks that are going on all of the time? • The complicating presence of non-state actors.
From page 24...
... government, like all governments, has multiple loci for policy formation, such consistency is not always found in national policy. • Decision-making mechanisms for implementing policy guidance in an operational sense regarding the actual use of the capabilities available.
From page 25...
... Regarding cyberattack, consider that the World Wide Web was invented in the early 1990s and personal computers went mainstream for the general public less than 30 years ago with the introduction of the IBM PC in 1981. Over a billion people use cell phones today, 10 and wireless services are growing exponentially.
From page 26...
... In other words, the state of policy formation regarding cyberattack is still in its infancy compared to policy regarding most other weapons, even though the availability and proliferation of cyberattack technologies is a technological watershed. And it is the committee's belief that the issues surrounding cyberattack extend far beyond the traditional responsibilities of the Department of Defense and the intelligence community and touch national interests such as diplomacy and foreign relations, law enforcement, and commerce and trade.
From page 27...
... In addition, cyberattack technologies have a largely clandestine character and are relatively inexpensive. These characteristics -- flexibility, clandestine nature, and low cost -- can be helpful in many applications by the military, intelligence, and law enforcement communities.
From page 28...
... , the specifics of applying the principles to cyberattack are sometimes uncertain. These points illustrate the lack of a shared conceptual understanding about the full spectrum of issues regarding cyberattack among all of the stakeholders -- military, intelligence, law enforcement authorities, and the private sector.
From page 29...
... Yet this is precisely what is implied by the current regime of secrecy surrounding cyberattack -- DOD/intelligence community personnel in other assignments have no reasonable opportunity to be exposed to the basic policy issues involved in cyberattack (because they have no "need to know" in their current duty assignments), and they are expected to be in a position to make sound policy judgments when they fill their cyberattack billets.
From page 30...
... . Direct or immediate effects are effects on the computer system or network attacked.
From page 31...
... . 1.8.3  Legal and Ethical Findings Much of today's current thinking about how to engage in armed conflict originated a century ago, and thus it is not surprising that today's international law -- and especially the law of armed conflict -- may not be entirely adequate to handle all of the implications of cyberattack technologies that have emerged only in the last few decades.
From page 32...
... We have reason to believe that data was stolen from a database used for visitors to the Laboratory."3 domestic law -- this too has lagged behind the times in coming to terms with the implications of new cyberattack technologies. Finding 6: The conceptual framework that underpins the UN Charter on the use of force and armed attack and today's law of armed conflict provides a reasonable starting point for an international legal regime to govern cyberattack.
From page 33...
... The committee believes that the conceptual framework that underpins the UN Charter and today's law of armed conflict regarding the use of force and armed attack is generally consistent with the notion that the effects of an action rather than the modality of that action are the primary measure in judging its legality under the UN Charter or LOAC. Prior to an acknowledged armed conflict, the legal status of any military activity is judged by its effects (regardless of the means)
From page 34...
... are entirely capable of engaging in armed conflict, as are individuals acting on their own with putatively "patriotic" motivations -- and the lines between state, non-state, and individual attackers are unclear in a legal regime that focuses primarily on LOAC on the one hand and national criminal laws on the other. International agreements, such as the Convention on Cybercrime (Section 7.2.4)
From page 35...
... Because LOAC and the UN Charter presume not only nation-states in conflict but also that the specific nation-states involved are known to all, the difficulty of attributing a cyberattack in its early stages to a particular actor, which may be a state or a non-state actor, remains a major challenge to the current legal regime. Thus, the United States may know that it has suffered an "armed attack" or been the target of a "use of force," but it may take a long time to determine the party or parties responsible.
From page 36...
... With respect to the second option, law enforcement authorities may not be able to respond effectively on a time scale that will prevent significant immediate harm to the victim, although arrest and prosecution might provide a possible venue for restitution. That is, there appears to be no government agency that has the legal authorization to perform a "harm cessation" function apart from the arrest-and-prosecute mode.
From page 37...
... As noted in Chapter 7, the laws of armed conflict are based on two
From page 38...
... For example, the argumentation for Finding 6 noted the complications introduced into today's legal regime by the dual-use nature of today's information technology infrastructure. This dual-use nature also complicates ethical judgments that have traditionally been based on the notion of separating civilian and military assets, and the need for making such judgment may well be relevant in situations short of acknowledged armed conflict in which LOAC is held to apply.
From page 39...
... armed forces operate, and enduring unilateral dominance 14 According to the Joint Chiefs of Staff, joint force commanders are called upon to "seek superiority early in air, land, maritime, and space domains and the information environment to prepare the operational area and information environment and to accomplish the mission as rapidly as possible." Joint Publication 3-0, Joint Operations, February 13, 2008, available at http://www.dtic.mil/doctrine/jel/new_pubs/jp3_0.pdf. 15 In addition, another nation may impose by decree cybersecurity measures on all information technology used by that nation or it may impose and enforce a strong separation between the information and information technology infrastructures for military and civilian use.
From page 40...
... military strategy. Deterrence seeks to promote stability by persuading an adversary to refrain from taking aggressive actions against U.S.
From page 41...
... computer systems and networks promote deterrence by denial, but for a host of reasons described in Chapter 2 and in other reports,16 the gap between defensive capabilities and the adversarial cyberattack threat is large and growing today. Deterrence by punishment is more likely to be an effective strategy against nations that are highly dependent on information technology, because such nations have a much larger number of potential targets that can be attacked.
From page 42...
... If an access path is available to the adversary, it may be reasonable to use attack capabilities to neutralize an incoming cyberattack even if the identity of the adversary is not known. By developing capabilities to deny the adversary a successful cyberattack, the United States might be able to deter adversaries from launching at least certain kinds of cyberattack against the United States.
From page 43...
... But it is important to understand that the United States has a multitude of options for responding to any given cyberattack, depending on its scope and character; these options include a mix of dynamic changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks. Put differently, the United States is in no way obligated to employ an in-kind response to a cyberattack, even if an in-kind response may superficially seem most obvious or natural.
From page 44...
... 19 See, for example, National Research Council, Information Technology for Counterterrorism: Immediate Actions and Future Possibilities, The National Academies Press, Washington, D.C., 2003; and National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington, D.C., 2007.
From page 45...
... . Nor are they likely to adhere to either the letter or spirit of the laws of armed conflict in conducting their cyberattacks, which suggests that their planning is likely to be simpler and face fewer constraints (e.g., they can avoid the need to minimize collateral damage)
From page 46...
... And both perceptions would have some factual basis. Furthermore, and as noted in Section 9.2.2, it may be more difficult to discern or assess intent when cyberattack is involved than when traditional military forces are involved.
From page 47...
... Although cyberattacks that are narrowly focused on highly specific objectives may not have much potential for interfering with other ongoing cyber operations initiated by other parties, a sufficiently broad cyberattack might indeed interfere. In such cases, it may be necessary to
From page 48...
... disposal (e.g., through law enforcement authorities seeking to enforce the Computer Fraud and Abuse Act against these patriotic hackers) and would have to anticipate in its planning the actions that were not discouraged.
From page 49...
... But greater intelligence efforts to resolve uncertainties are likely to be necessary to achieve levels of confidence equivalent to those that generally characterize kinetic attacks -- and such efforts may in some cases take long enough to render the use of cyberattack moot. Finding 19: Early use of cyberattack may be easy to contemplate in a pre-conflict situation, and so a greater degree of operational
From page 50...
... decision makers -- only that should covert action be determined to be desirable and in the national interest, policy makers are likely to be drawn to cyberattack as a preferred methodology for implementing such action. Accordingly, all of those responsible for exercising oversight over covert actions up the entire 21 For example, during the Cuban Missile Crisis, a U-2 reconnaissance aircraft on a "routine air sampling mission" over Alaska went off course and flew into Soviet airspace.
From page 51...
... As an illustration of the complexity of developing ROEs in a specific situation involving cyberattack, consider some of the issues in developing, in advance, military ROEs for active threat neutralization -- under what circumstances governed by what authority might a counter-cyberattack be launched to neutralize an immediate or ongoing threat?
From page 52...
... • What level of impact (among other factors) must an incoming cyberattack threat achieve in order to justify an active threat neutralization?
From page 53...
... For example, the authority needed to launch an active threat neutralization may depend on the identity of the attacker -- perhaps local authority would be needed if the attacker were a teenager in Zendia, but perhaps the personal authority of the commander of U.S. Strategic Command would be needed if the attacker were the 418th Zendian Information Operations Brigade.
From page 54...
... To illustrate the committee's concerns, consider the delegation of authority to the commander of the U.S. Strategic Command for conducting an active threat neutralization (a limited and specific form of active defense)
From page 55...
... military forces is disputed as it has been in recent U.S. history, consider the conundrums that could accompany the use of weapons that are for all practical purposes covert and whose "deployments" would be entirely invisible to the public or even to most uniformed military personnel.
From page 56...
... Finally, the committee calls special attention to the fact that congressional concerns about asserting authority over the use of military forces are generally at their maximum when U.S. military forces are placed directly in harm's way -- that is, when U.S.
From page 57...
... As the committee has been unable to find any such statement of declaratory policy, it concurs with and reiterates this call. At a minimum, such a policy would involve the DOD, the intelligence community, and law enforcement agencies, and would address the following questions: • For what purposes does the United States maintain a capability for cyberattack?
From page 58...
... The DHS and law enforcement agencies are included because tracing the ultimate source of an incoming cyberattack often requires the investigator to penetrate intermediate nodes, capture the relevant traffic, and then analyze it to determine the next node in the chain. Law enforcement authorities are also responsible for aspects of preventing or prosecuting cybercrime.
From page 59...
... It is therefore important for the United States to begin to find common ground on this topic with allies, neutrals, and potential adversaries. In this context, "common ground" is not a euphemism for treaties or arms control agreements regarding cyberattack.
From page 60...
... And policy makers must be able to discuss issues related to cyberattack in an informed manner, without having to learn about them in the middle of a cyber crisis. As an example of such consultation, NATO established in March 2008 the Cyber Defence Management Authority, which will manage cyberdefense across all NATO's communication and information systems and could support individual allies in defending against cyberattacks upon request.23 One press report indicates that "the Authority will also develop and propose standards and procedures for national and NATO cyberdefence organisations to prevent, detect, and deter attacks," but will focus on defense "whether an attack comes from state, criminal or other sources."24 Similar efforts to reach common understandings regarding cyberattack (and on the relationship of cyberattack to cyberdefense)
From page 61...
... . Much of the difficulty of adhering to the framework of the law of armed conflict in the context of cyberattack arises from the difficulty of distinguishing between valid military targets and other entities that are specially protected or are possible victims of collateral damage.
From page 62...
... At a minimum, it would appear that the Departments of Defense, State, and Homeland Security, and the law enforcement and intelligence communities would have to be involved in coming to terms with issues, such as advance coordination of a U.S. cyberattack that might lead to a cyberattack on the United States or to a determination that exploitation of adversary computers should (or should not)
From page 63...
... . The findings and reporting process is often disliked by incumbent administrations, because it constrains an administration's ability to act freely and quickly and runs the risk of leaks that may reveal the existence of a covert action.
From page 64...
... Whether this description of the flow of authority in fact characterizes current rules of engagement for STRATCOM's authority to conduct response actions is not known to the committee. A third example of the need for an inclusive decision-making struc 25 These other methods may include dropping connections, closing ports, asking Internet service providers to shut down nodes identified as being sources of the attack, diverting attack traffic to other locations, changing IP addresses, and so on.
From page 65...
... armed forces, federal law enforcement agencies, intelligence agencies, and any other agencies with authorities to conduct such attacks in sufficient detail to provide decision makers with a more comprehensive understanding of these activities. Such an accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees.
From page 66...
... It is the committee's recommendation that a reportable cyberattack be defined as one that was initiated with the intent of altering, disrupting, deceiving, degrading, or destroying adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks immediately or in the future. For example, reasonable people might disagree over whether cyberexploitations should also be included, but the goal is for responsible senior decision makers to have a reasonably comprehensive view of the cyberattack-related activities of the U.S.
From page 67...
... military forces are engaged in traditional tactical armed conflict and except in extraordinary circumstances, there is no reason that any non-LOAC restrictions should be placed on the use of cyberattack vis-à-vis any other tactical military option. Thus, if a given tactical operation calls for attacking a certain target, LOAC questions about necessity, proportionality, and distinction must be asked about the use of cyberattack, the use of special operations troops, and the use of a cruise missile -- and attacks that do not satisfy LOAC constraints may not be used.
From page 68...
... to cyberattack even if the use of cyberattack is contemplated for situations that fall short of actual armed conflict. The application of these principles would be particularly relevant in two situations: • Covert actions involving cyberattack.
From page 69...
... For those instances in which the use of cyberattack is warranted, the United States should have at its disposal the most effective and flexible cyberattack technologies and supporting infrastructure possible -- systems that can operate on the time scales required, with the necessary command and control (including self-destruct when necessary and appropriate), guided by the best possible intelligence information, with a high probability of mission success and a low risk of collateral damage.
From page 70...
... Understanding policy related to cyberattack requires expertise in defense, intelligence, law enforcement, and homeland security, and in diplomacy, foreign relations, and international law. In short, the prospect of cyberconflict requires that considerable attention be given to professionalization of the involved workforce.
From page 71...
... government should consider the establishment of a government-based institutional structure through which selected private sector entities can seek immediate relief if they are the victims of cyberattack. As suggested in Finding 7, the United States lacks mechanisms for responding effectively to prevent further harm if a private sector entity is subjected to a cyberattack.
From page 72...
... Such improvements are a necessary precondition if active threat neutralization is to be a viable policy option. • International agreements that bind signatories to respond quickly with law enforcement actions to suppress cyberattacks emanating from their territory, with failure to do so entitling the target of the cyberattack to seek threat neutralization in response if it is located in a signatory nation.
From page 73...
... government to consider what can be done to help private sector entities cope with the undeniable inadequacies of passive defense as things currently stand. 1.9.4  Developing New Knowledge and Insight into a New Domain of Conflict Recommendation 11: The U.S.
From page 74...
... • How might cyberattack be used to support information operations such as propaganda? • What are the relative advantages and disadvantages of different declaratory policies regarding cyberattack?
From page 75...
... What were the ramifications of responding? 1.10  Conclusion Cyberattack technologies bring to the forefront of policy a wide range of possibilities in many dimensions: They raise many new policy issues, they provide many more options for operational commanders, and they complicate existing legal regimes to a considerable extent.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.