Read Full Report
Date: April 29, 2009
Contacts: Rebecca Alvania, Media Relations Officer
Alison Burnette, Media Relations Assistant
Office of News and Public Information
202-334-2138; e-mail <firstname.lastname@example.org>
for immediate release
Greater Transparency Needed in Development of U.S. Policy on Cyberattack
WASHINGTON -- The current policy and legal framework regulating use of cyberattack by the United States is ill-formed, undeveloped, and highly uncertain, says a new report from the National Research Council. The United States should establish clear national policy on the use of cyberattack, while also continuing to develop its technological capabilities in this area. The U.S. policy should be informed by open national debate on the technological, policy, legal, and ethical issues of cyberwarfare, said the committee that wrote the report.
"Cyberattack is too important a subject for the nation to be discussed only behind closed doors," said Adm. William Owens, former vice chairman of the Joint Chiefs of Staff and former vice chairman and CEO of Nortel Corp., and Kenneth Dam, Max Pam Professor Emeritus of American and Foreign Law at the University of Chicago School of Law, who co-chaired the committee.
Cyberattacks -- actions taken against computer systems or networks -- are often complex to plan and execute but relatively inexpensive, and the technology needed is widely available. Defenses against such attacks are discussed, but questions on the potential for, and the ramifications of, the United States' use of cyberattack as a component of its military and intelligence arsenal have not been the subject of much public debate. Although the policy and organizational issues raised by the use of cyberattack are significant, the report says, "neither government nor society at large is organized or prepared to handle issues related to cyberattack, let alone to make broadly informed decisions."
The U.S. could use cyberattack either defensively, in response to a cyberattack from another nation, or offensively to support military missions or covert actions, the report says. Deterring such attacks against the U.S. with the threat of an in-kind response has limited applicability, however; cyberattacks can be conducted anonymously or falsely attributed to another party relatively easily, making it difficult to reliably identify the originator of the attack.
Employing a cyberattack carries with it some implications that are unlike those associated with traditional physical warfare, the report says. The outcome is likely to be more uncertain, and there may be substantial impact on the private sector, which owns and operates much of the infrastructure through which the U.S. would conduct a cyberattack. The scale of such an attack can be enormous and difficult to localize. "Blowback" to the U.S. -- effects on our own network systems -- is possible.
Clear national policy regarding the use of cyberattack should be developed through open debate within the U.S. government and diplomatic discussion with other nations, the report says. The U.S. policy should make it clear why, when, and how a cyberattack would be authorized, and require a periodic accounting of any attacks that are conducted, to be made available to the executive branch and to Congress.
From a legal perspective, cyberattack should be judged by its effects rather than the method of attack; cyberwarfare should not be judged less harshly than physical warfare simply by virtue of the weapons employed. The Law of Armed Conflict (LOAC), an international law regulating conduct during war, should apply to cyberattack. However, there are aspects of cyberwarfare that will not fit neatly within this structure. LOAC was designed to regulate conflict between nations, but cyberweapons can easily be used by non-state groups, making issues such as determining appropriate targets for military retaliation difficult to address. Additional legal constructs will be needed to govern cyberattacks, and the framework of LOAC and the U.N. Charter on the use of armed force would be an appropriate starting point, the report says.
This study was sponsored by the MacArthur Foundation, Microsoft Corp., and the National Research Council. The National Academy of Sciences, National Academy of Engineering, Institute of Medicine, and National Research Council make up the National Academies. They are private, nonprofit institutions that provide science, technology, and health policy advice under a congressional charter. The Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. A committee roster follows.
Copies of Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities are available from the National Academies Press; tel. 202-334-3313 or 1-800-624-6242 or on the Internet at http://www.nap.edu. Reporters may obtain a copy from the Office of News and Public Information (contacts listed above). In addition, a podcast of the public briefing held to release this report is available at http://national-academies.org/podcast.
# # #
[ This news release and report are available at http://national-academies.org ]
NATIONAL RESEARCH COUNCIL
Division on Engineering and Physical Sciences
Computer Science and Telecommunications Board
Committee on Offensive Information Warfare
Kenneth W. Dam (co-chair)
Senior Lecturer and Max Pam Professor Emeritus of American and Foreign Law
School of Law
University of Chicago
William Owens (co-chair)
Chairman and CEO
AEA Holdings, Inc.; and
U.S. Department of the Navy (retired)
La Jolla, Calif.
Thomas A. Berson
Palo Alto, Calif.
President Emeritus and Peter and Helen Bing Professor in Undergraduate Education
David D. Clark1
Senior Research Scientist
Computer Science and Artificial Intelligence Laboratory
Massachusetts Institute of Technology
Richard L. Garwin1, 2, 3
IBM Fellow Emeritus
IBM Thomas J. Watson Research Center
Yorktown Heights, N.Y.
University of Wisconsin
Jack L. Goldsmith III
Harvard Law School
Carl G. O'Berry
Vice President of Strategic Architecture
Boeing Co.; and
U.S. Air Force (retired)
Jerome H. Saltzer1
Department of Electrical Engineering and Computer Science
Massachusetts Institute of Technology
San Mateo, Calif.
Carr Center for Human Rights Policy
John F. Kennedy School of Government
Walter B. Slocombe
Caplin and Drysdale
William O. Studeman
Vice President and Deputy General Manager for Intelligence and Information Superiority
Northrop Grumman Mission Systems
Michael A. Vatis
Steptoe and Johnson, LLP
New York City
RESEARCH COUNCIL STAFF
2 Member, National Academy of Sciences
3 Member, Institute of Medicine