Report: U.S. needs clear policy on cyberattacks

The United States’ policy and legal framework regarding launching cyberattacks is “ill-informed, undeveloped and highly uncertain” and the country needs a public national policy in that area that applies to sectors of government, according to a report released today by the National Research Council.

The report, from the council’s Committee on Offensive Information Warfare, said cyberattack capabilities greatly expand policymakers’ options and that an open discussion about the country's cyberattack policy was needed. The group said much of the public policy debate has focused on cyber defenses.

“We are of the opinion that the policy issues related to cyberattack are important enough to the nation to warrant serious public discussion — and I emphasize public discussion — about its significance and place in the U.S. policy toolkit,” Kenneth Dam, a co-chairman of the committee and a professor at the University of Chicago law school, said at a news conference.

The group also recommended that the government maintain and acquire effective cyberattack capabilities and conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyber conflict. The government should also support academic research on the topic, the committee said.

The report draws a distinction between cyberattacks, the intentional alteration disruption or destruction of adversary computer systems or networks, and cyber exploitation. Cyber exploitation, the group said, generally does not try to disturb the normal functions of a system, but instead focuses on obtaining information from the system.

The committee said legal analysis of cyberattacks should focus on the direct and indirect effects of an attack, rather than how it is carried out. The group also said policymakers should judge the direct and indirect consequences of cyberattack when making decisions.

The committee found the law of armed conflict and the United Nations’ Charter to be applicable to cyberattacks, and said that the U.S. should work to reach agreements with other nations regarding cyberattacks. However, the council said the situation is complicated by difficulty in attributing cyberattacks to nation states and that it was unrealistic to expect the U.S. to unilaterally dominate cyberspace.

The council also encouraged the government to consider establishing a structure through which an industry can seek immediate help if it comes under cyberattack.

The report recommended that the government have a clear, transparent and inclusive structure for making decisions on whether to launch a cyberattack. The government should also do a periodic accounting of cyberattacks undertaken by the military and agencies with the results available to senior decision-makers.

The study was sponsored by the MacArthur Foundation, Microsoft Corp. and the NRC. The report used only unclassified materials and the authors didn't confer with the officials conducting the Obama administration’s review of cybersecurity policy, the NRC said.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

Reader comments

Mon, May 4, 2009

RE Student of Man: Not so sure- we certainly shouldn't post details of our weaknesses, but letting our adversaries know what retaliation to expect when they mess with us is appropriate. Think back to the Cold War's Mutually Assured Destruction: you nuke us, we nuke you back with interest & penalties.

Thu, Apr 30, 2009 Student of Man

So when did military action become a public comment necessity. I strongly doubt these individuals have all the facts and i, for one, have a tendancy to rely more on the opinions and capabilities of those with direct intel and resources to act than some lawyer trying to make a name for his little committee. This trend of posting all of the USA's supposed vulnerabilities and weaknesses is bordering on dangerous. The arguement that "the bad people already know" carries very little weight with me. Of course the "knee deep in evil" people already know, but it is socially irresponsible to educate every individual as to these issues. It does not provide any positive effects and only serves to be used for political grandstanding, irresponsable journalism and public fear.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above