|
06.09
NRC Report
Urges Clear U.S. Policy on Use of Cyberattack,
Along With Continuing Development of
Cyberwarfare Capabilities
By Barton
Reppert
A new National Research Council
(NRC) report says the United States should
establish clear national policy on resorting to
cyberattack, while at the same time continuing
to develop cyberwarfare capabilities in this
sensitive area.
“Today’s policy and legal
framework for guiding and regulating the U.S.
use of cyberattack is ill-formed, undeveloped
and highly uncertain,” the report says,
contending that “the U.S. Government should have
a clear, transparent and inclusive
decision-making structure in place to decide
how, when and why a cyberattack will be
conducted.”
The National Research Council is
the principal operating agency of the National
Academy of Sciences and the National Academy of
Engineering. The report, entitled “Technology,
Policy, Law and Ethics Regarding U.S.
Acquisition and Use of Cyberattack
Capabilities,” is available from the
National Academies
Press.
The report, released on 29
April, was prepared by a 14-member NRC Committee
on Offensive Information Warfare. It addresses
in an unusually frank and open manner issues
which previously had most often been highly
classified.
“Cyberattack is too important a
subject for the nation to be discussed only
behind closed doors,” said a joint statement by
the co-chairmen of the study committee — retired
Admiral William Owens, former vice chairman of
the Joint Chiefs of Staff and chairman and CEO
of AEA Holdings Inc., and Kenneth W. Dam,
professor emeritus of American and foreign law,
University of Chicago School of Law.
Cyberattack refers to deliberate
actions to alter, disrupt, deceive, degrade or
destroy computer systems or networks or the
information and/or programs resident in or
transiting these systems or networks.
James A. Lewis, director of the
Technology and Public Policy Program at the
Center for Strategic and International Studies,
Washington, D.C., commented that “it’s a good
report, it’s very thorough and it covers a lot
of ground. The National Academies always do to a
solid job.”
Lewis added: “The one thing
that’s important is that we’re already doing
this stuff. But we’re engaging in offensive
operations ahead of having a policy or a
doctrine. That’s probably not a good idea.”
Under the rubric of “overarching
findings,” it asserted that “the policy and
organizational issues raised by U.S. acquisition
and use of cyberattack capabilities are
significant across a broad range of conflict
scenarios, from small skirmishes with minor
actors on the international stage to all-out
conflicts with adversaries capable of employing
weapons of mass destruction. Outcomes of
cyberattacks vary across an enormous range and
they can affect military, intelligence,
diplomatic, economic and law-enforcement
equities.”
The report also observed that
“the availability of cyberattack technologies
for national purposes greatly expands the range
of options available to U.S. policy makers as
well as to policy makers of other nations. . .
Cyberattack can be used for both offensive and
defensive purposes, and can have both tactical
and strategic implications as well. And the
technology is available everywhere in the
world.”
With regard to
technical/operational findings, the NRC study
noted that “the ease of cyberattack on many
kinds of information technology infrastructure
targets is increasing rather than decreasing.”
It added: “Although the actual cyberattack
capabilities of the United States are highly
classified, they are at least as powerful as
those demonstrated by the most sophisticated
cyberattacks perpetrated by cybercriminals and
are likely more powerful.”
The report also said that “if
and when the United States decides to launch a
cyberattack, significant coordination among
allied nations and a wide range of public and
private entities may be necessary, depending on
the scope and nature of the cyberattack in
question.”
On organizational matters, the
NRC report found that “both the decision-making
apparatus for cyberattack and the oversight
mechanisms for that apparatus are inadequate
today. . . The U.S. Congress has a substantial
role to play in authorizing the use of military
force, but the contours of that authority and
the circumstances under which authorization is
necessary are at least as uncertain for
cyberattack as for the use of other weapons.”
With regard to bolstering U.S.
capabilities, the report said: “The United
States should maintain and acquire effective
cyberattack capabilities. The U.S. Government
should ensure that there are sufficient levels
of personnel trained in all dimensions of
cyberattack, and that the senior leadership of
government has more than a nodding acquaintance
with such issues.”
In addition, it recommended that
“the U.S. Government should conduct high-level
wargaming exercises to understand the dynamics
and potential consequences of cyberattack.”
Russell J. Lefevre, 2008
president of IEEE-USA, commented that the NRC
report — together with other developments
including President Barack Obama’s announcement
on 29 May that he was establishing a new office
at the White House to be headed by a
“Cybersecurity Coordinator” — “indicate the
importance of IEEE technology to one of the
highest concerns of the United States and the
world.”
“Many [IEEE] Societies and
Councils address aspects of the issues,” he
said. “Two important conferences are the
Intelligence and Security Informatics Conference
sponsored by the
Intelligent Transportation Systems Society and
the International Symposium on Engineering
Secure Software and Systems sponsored by the
Computer Society Technical Council on Software
Engineering. Those members interested in U.S.
policy can join the IEEE-USA Critical
Infrastructure Protection Committee.”
Lefevre added: “It is apparent
that IEEE members are on the leading edge of the
technology issues in this extremely important
arena.”
Doug Taggart, chairman of the
IEEE-USA Committee on Communications Policy,
said with regard to the NRC cyberattack report
that his committee “has not yet reviewed the
report from the perspective of commenting on the
findings and recommendations.”
He added that “CCP has not
addressed policy issues linked to cyberwarfare,
but it is an area that must be looked at in the
future. (I am somewhat biased in stating this
because in my own area of work I am concerned
about cyberwarfare issues related to civilian
GPS.)”
Marc T. Apter, chairman of the
Critical Infrastructure Protection Committee,
said when asked about the panel’s activities
related to cybersecurity and cyberwarfare: “The
CIPC has drafted a critical infrastructure
protection position paper, and it is being
circulated within IEEE-USA for comments, before
it goes to the IEEE-USA board for approval. At
the same time, CIPC is preparing a group of
white papers on specific and narrow critical
infrastructure protection issues, for use when
anyone deals with any branch of government or
the media.”
Barton Reppert is a freelance
science and technology writer specializing in
S&T policy coverage. He previously worked for 18
years as a reporter and editor with The
Associated Press in Washington, New York and
Moscow.
Comments on this article may be submitted to
todaysengineer@ieee.org.
|
E-mail
this page to a friend
