Report: U.S. needs clear policy on cyberattacks

The United States’ policy and legal framework regarding launching cyberattacks is “ill-informed, undeveloped and highly uncertain” and the country needs a public national policy in that area that applies to sectors of government, according to a report released today by the National Research Council.

The report, from the council’s Committee on Offensive Information Warfare, said cyberattack capabilities greatly expand policymakers’ options and that an open discussion about the country's cyberattack policy was needed. The group said much of the public policy debate has focused on cyber defenses.

“We are of the opinion that the policy issues related to cyberattack are important enough to the nation to warrant serious public discussion — and I emphasize public discussion — about its significance and place in the U.S. policy toolkit,” Kenneth Dam, a co-chairman of the committee and a professor at the University of Chicago law school, said at a news conference.

The group also recommended that the government maintain and acquire effective cyberattack capabilities and conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyber conflict. The government should also support academic research on the topic, the committee said.

The report draws a distinction between cyberattacks, the intentional alteration, disruption or destruction of adversary computer systems or networks, and cyber exploitation. Cyber exploitation, the group said, generally does not try to disturb the normal functions of a system, but instead focuses on obtaining information from the system.

The committee said legal analysis of cyberattacks should focus on the direct and indirect effects of an attack, rather than how it is carried out. The group also said policymakers should judge the direct and indirect consequences of cyberattack when making decisions.

The committee found the law of armed conflict and the United Nations’ Charter to be applicable to cyberattacks, and said that the U.S. should work to reach agreements with other nations regarding cyberattacks. However, the council said the situation is complicated by difficulty in attributing cyberattacks to nation states and that it was unrealistic to expect the U.S. to unilaterally dominate cyberspace.

The council also encouraged the government to consider establishing a structure through which an industry can seek immediate help if it comes under cyberattack.

The report recommended that the government have a clear, transparent and inclusive structure for making decisions on whether to launch a cyberattack. The government should also do a periodic accounting of cyberattacks undertaken by the military and agencies with the results available to senior decision-makers.

The study was sponsored by the MacArthur Foundation, Microsoft Corp. and the NRC. The report used only unclassified materials and the authors didn't confer with the officials conducting the Obama administration’s review of cybersecurity policy, the NRC said.

About the Author

Ben Bain is a reporter for Federal Computer Week.
