Appendix A: Reprinted Letter Report from the Committee on Deterring Cyberattacks
Pages 345-374


From page 345...
... This phase will include a committee meeting and a workshop to discuss draft papers, with authors finalizing the papers following the workshop. This letter report satisfies the deliverable requirement of the first phase of the project by providing basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S.
From page 346...
... 3 The discussion in this section is based on Chapter 1, NRC, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, 2009; and Chapter 2, NRC, Toward a Safer and More Secure Cyberspace, 2007.
From page 347...
... To promote and enhance the cybersecurity of 5 Chapter 1, NRC, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, 2009.
From page 348...
... Policy makers understandably aspire to a goal of preventing cyberattacks (and cyber exploitations as well), but most importantly to a goal of preventing serious cyberattacks -- cyberattacks that have a disabling or a crippling effect on critical societal functions on a national scale (e.g., military mission readiness, air traffic control, financial services, provision of electric power)
From page 349...
... 8 The discussion in Section 2.2 is based on Chapter 9, NRC, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, 2009.
From page 350...
... 11 See NRC, Technology, Policy, Law, and Ethics Regarding Acquisition and Use of U.S. Cyberattack Capabilities, 2009, page 142.
From page 351...
... Identification of the distinctive radiological signatures of potential adversaries' nuclear weapons is also believed to have taken place. The nuclear deterrence paradigm also presumes unitary actors, nominally governments of nation-states -- that is, it presumes that the nuclear forces of a nation are under the control of the relevant government, and that they would be used only in accordance with the decisions of national leaders.
From page 352...
... The United States maintains a global network of satellites that are capable of detecting and locating nuclear explosions in the air and on the ground, and a network of seismic sensors that provide additional information to localize nuclear explosions. Most importantly, a nuclear explosion would occur against the very quiet background of zero nuclear explosions happening over time.
From page 353...
... A credible deterrent threat need not be limited to a response in kind -- the United States has a wide variety of options for responding to any given cyberattack, depending on its scope and character; these options include a mix of changes in defense postures, law enforcement actions, diplomacy, economic actions, cyberattacks, and kinetic attacks.14 13 See, for example, Ariana Eunjung Cha and Ellen Nakashima, "Google China Cyberattack Part of Vast Espionage Campaign, Experts Say," Washington Post, January 14, 2010. 14 Chapter 1, NRC, Technology, Policy, Law, and Ethics Regarding Acquisition and Use of U.S.
From page 354...
... Additionally, the extension of a credible nuclear deterrent to allies has been an important nonproliferation tool that has removed incentives for allies to develop and deploy nuclear forces. For the use of cyber weapons, the United States has no declaratory policy, although the DOD Information Operations Roadmap of 2003 stated that "the USG should have a declaratory policy on the use of cyberspace for offensive cyber operations."16 Lastly, a "credible threat" may be based on the phenomenon of blowback, which refers to a bad consequence affecting the instigator of a particular action.
From page 355...
... Active defense may also be an option. Active defense against an incoming cyberattack calls for an operation, usually a cyber operation, that can be used to neutralize that incoming attack.
From page 356...
... If responsibility can be attributed to a known actor, the range of possibilities for response becomes much larger. For example, if a nation-state can be identified as being responsible, anything of value to that state can be attacked, using any available means.17 Indeed, options for responding to cyberattacks span a broad range and include a mix of changes in defensive postures, law enforcement actions, diplomacy, economic actions, and kinetic attacks, as well as cyberattacks.18 Further, if individual/personal responsibility can be ascertained (or narrowed to a sufficiently small group of individuals)
From page 357...
... cyberattack capabilities contribute to deterring hostile adversary actions outside cyberspace. In this context, pre-emption to eliminate an adversary's cyberattack capabilities does not seem likely or plausible, although U.S.
From page 358...
... Options for responding to cyberattacks on the United States span a broad range and include a mix of changes in defensive postures, law enforcement actions, diplomacy, cyberattacks, and kinetic attacks, and there is no reason that a retaliatory cyberattack would necessarily be favored over a retaliatory kinetic attack. There is also a broad range of conflict scenarios to which cyberdeterrence may be applicable.
From page 359...
... An answer in the affirmative will raise the question of whether granting private sector entities the right to engage in active defense as a response to cyberattacks directed at them would enhance or detract from cyberdeterrence. 2.3 International Regimes That Limit or Require Certain Behaviors The preceding discussion suggests that at the very least, classical deterrence theory (as construed for deterring nuclear attacks on the United States)
From page 360...
... Agreements to eschew certain kinds of cyberattack under certain circumstances could have value in reducing the likelihood of kinetic conflict in those cases in which such cyberattacks are a necessary prelude to a kinetic attack. Limitations on cyber targeting (e.g., no cyberattacks on civilian targets; requirements that military computers be explicitly identified; no first use of cyberattack on a large scale; or no attacks on certain classes of targets, such as national power grids, financial markets or institutions, or air traffic control systems)
From page 361...
... On the other hand, U.S. policy makers and analysts have not seriously explored the utility and feasibility of international regimes that deny the legitimacy of cyberattacks on critical infrastructure assets, such as power grids, financial markets, and air traffic control systems.
From page 362...
... Suggestions are often made to create a parallel Internet (call it an SAI, for strongly authenticated Internet) that would provide much stronger authentication of users than is required on today's Internet and would in other ways provide a much more secure environment.22 If important facilities, such as power grids and financial institutions, migrated to an SAI, accountability for misbehavior would be much greater (because of the lack of anonymity)
From page 363...
... It is an open question whether such an approach might enhance cybersecurity internationally, whether or not it excludes any direct application or restriction on the national security activities of signatories. 2.4 Domestic Regimes to Promote Cybersecurity Law enforcement regimes to prosecute cyber criminals are not the only ones possible to help promote cybersecurity.
From page 364...
... from conducting cyberattacks that have a disabling or a crippling effect on critical societal functions on a national scale (e.g., military mission readiness, air traffic control, financial services, provision of electric power)
From page 365...
... 24. How might cyber operations and capabilities contribute to national military operations at the strategic and tactical levels, particularly in conjunction with other capabilities (e.g., cyberattacks aimed at disabling an opponent's defensive systems might be part of a larger operation)
From page 366...
... How and to what extent, if at all, is an effective international legal regime for dealing with cyber crime a necessary component of a cyberdeterrence strategy?
From page 367...
... What is the likely impact of U.S. actions and policy regarding the acquisition and use of its own cyberattack capabilities on the courses of action of potential adversaries?
From page 368...
... , actor capacities and resources, and which targets require protection beyond that afforded by passive defenses and law enforcement (e.g., military and intelligence assets, critical infrastructure, and so on)
From page 369...
... Stephen Dycus, a professor at Vermont Law School, teaches and writes about national security and the law, water rights, and wills and trusts. The courses he has taught at Vermont Law School include International Public Law, National Security Law, Estates, Property, and Water Law.
From page 370...
... Dycus also served as a reviewer of the recent NRC report Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.
From page 371...
... cyberattack policy (Technology, Policy, Law, and Ethics Regarding Acquisition and Use of U.S. Cyberattack Capabilities)
From page 372...
... Prior to her work at the Academies, she served as a senior project assistant in education technology at the National School Boards Association.
From page 373...
... Berson, Anagram Laboratories Catherine Kelleher, Brown University Dan Schutzer, Financial Services Technology Consortium Jeffrey Smith, Arnold and Porter, Inc. William A


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.