Study Gauges U.S. Cyber Offense

Current Policy Seen as Ill-Formed, Undeveloped
The United States lacks a well-formed, developed and definitive policy and legal framework to use information technology as an offensive weapon, a new report from the National Research Council concludes.

As the government steps up its efforts to defend federal government information systems and networks and the nation's critical IT infrastructure, the government must establish a clear national policy on the use of cyberattack, according to the report, Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.

"Cyberattack is too important a subject for the nation to be discussed only behind closed doors," the co-chairs of the committee that wrote the report said in a statement accompanying its release on Wednesday. They are retired Adm. William Owens, former vice chairman of the Joint Chiefs of Staff and former CEO of Nortel Corp., and Kenneth Dam, professor emeritus of law at the University of Chicago School of Law.

Often complex to plan and execute, cyberattacks are nonetheless relatively cheap because of the wide availability of technology, according to the report. Unlike the massive attention given to defending U.S. systems and networks, public debate over employing cyberattack as part of the nation's military and intelligence arsenal has hardly occurred. The policy and organizational issues raised by the use of cyberattack are significant, the report says, but "neither government nor society at large is organized or prepared to handle issues related to cyberattack, let alone to make broadly informed decisions."

An overarching finding of the study is that secrecy has impeded widespread understanding and debate about the nature of the implications of a cyberattack conducted by the United States. "The consequences of a cyberattack may be both direct and indirect, and in some cases of interest, the indirect consequences of a cyberattack can far outweigh the direct consequences," the report states.

The study group recommends the federal government conduct a broad, unclassified national debate and discussion about cyberattack policy with active participation from Congress, the military and intelligence agencies.

The report says the U.S. could use cyberattack either defensively, in response to a cyberattack from another nation, or offensively to support military missions or covert actions. Deterring such attacks against the U.S. with the threat of an in-kind response has limited applicability, however; cyberattacks can be conducted anonymously or falsely attributed to another party relatively easily, making it difficult to reliably identify the originator of the attack.

Employing a cyberattack carries with it some implications that are unlike those associated with traditional physical warfare, the report says. The outcome is likely to be more uncertain, and there may be substantial impact on the private sector, which owns and operates much of the infrastructure through which the U.S. would conduct a cyberattack. The scale of such an attack can be enormous and difficult to localize. Blowback to the U.S. - effects on our own network systems - is possible, the report says.

Clear national policy regarding the use of cyberattack should be developed through open debate within the U.S. government and diplomatic discussion with other nations, the report says. American policy should be clear on why, when and how a cyberattack would be authorized, and require a periodic accounting of any attacks to be made to the executive branch and Congress.

"From a legal perspective, cyberattack should be judged by its effects rather than the method of attack; cyberwarfare should not be judged less harshly than physical warfare simply by virtue of the weapons employed," a summary of the report states.

This study was sponsored by the MacArthur Foundation, Microsoft and the National Research Council, which, along with the National Academy of Sciences, National Academy of Engineering and Institute of Medicine, makes up the National Academies, private institutions that provide advice under a congressional charter. The Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering.

About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
