Report: U.S. needs clear policy on cyberattacks

The United States’ policy and legal framework regarding launching cyberattacks is “ill-informed, undeveloped and highly uncertain” and the country needs a public national policy in that area that applies to sectors of government, according to a report released today by the National Research Council.

The report, from the council’s Committee on Offensive Information Warfare, said cyberattack capabilities greatly expand policymakers’ options and that an open discussion about the country's cyberattack policy was needed. The group said much of the public policy debate has focused on cyber defenses.

“We are of the opinion that the policy issues related to cyberattack are important enough to the nation to warrant serious public discussion — and I emphasize public discussion — about its significance and place in the U.S. policy toolkit,” Kenneth Dam, a co-chairman of the committee and a professor at the University of Chicago law school, said at a news conference.

The group also recommended that the government maintain and acquire effective cyberattack capabilities and conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyber conflict. The government should also support academic research on the topic, the committee said.

The report draws a distinction between cyberattacks, the intentional alteration disruption or destruction of adversary computer systems or networks, and cyber exploitation. Cyber exploitation, the group said, generally does not try to disturb the normal functions of a system, but instead focuses on obtaining information from the system.

The committee said legal analysis of cyberattacks should focus on the direct and indirect effects of an attack, rather than how it is carried out. The group also said policymakers should judge the direct and indirect consequences of cyberattack when making decisions.

The committee found the law of armed conflict and the United Nations’ Charter to be applicable to cyberattacks, and said that the U.S. should work to reach agreements with other nations regarding cyberattacks. However, the council said the situation is complicated by difficulty in attributing cyberattacks to nation states and that it was unrealistic to expect the U.S. to unilaterally dominate cyberspace.

The council also encouraged the government to consider establishing a structure through which an industry can seek immediate help if it comes under cyberattack.

The report recommended that the government have a clear, transparent and inclusive structure for making decisions on whether to launch a cyberattack. The government should also do a periodic accounting of cyberattacks undertaken by the military and agencies with the results available to senior decision-makers.

The study was sponsored by the MacArthur Foundation, Microsoft Corp. and the NRC. The report used only unclassified materials and the authors didn't confer with the officials conducting the Obama administration’s review of cybersecurity policy, the NRC said.