06.09    


NRC Report Urges Clear U.S. Policy on Use of Cyberattack, Along With Continuing Development of Cyberwarfare Capabilities

By Barton Reppert

A new National Research Council (NRC) report says the United States should establish clear national policy on resorting to cyberattack, while at the same time continuing to develop cyberwarfare capabilities in this sensitive area.

“Today’s policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped and highly uncertain,” the report says, contending that “the U.S. Government should have a clear, transparent and inclusive decision-making structure in place to decide how, when and why a cyberattack will be conducted.”

The National Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. The report, entitled “Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” is available from the National Academies Press.

The report, released on 29 April, was prepared by a 14-member NRC Committee on Offensive Information Warfare. It addresses in an unusually frank and open manner issues which previously had most often been highly classified.

“Cyberattack is too important a subject for the nation to be discussed only behind closed doors,” said a joint statement by the co-chairmen of the study committee — retired Admiral William Owens, former vice chairman of the Joint Chiefs of Staff and chairman and CEO of AEA Holdings Inc., and Kenneth W. Dam, professor emeritus of American and foreign law, University of Chicago School of Law.

Cyberattack refers to deliberate actions to alter, disrupt, deceive, degrade or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.

James A. Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, Washington, D.C., commented that “it’s a good report, it’s very thorough and it covers a lot of ground. The National Academies always do a solid job.”

Lewis added: “The one thing that’s important is that we’re already doing this stuff. But we’re engaging in offensive operations ahead of having a policy or a doctrine. That’s probably not a good idea.”

Under the rubric of “overarching findings,” the report asserted that “the policy and organizational issues raised by U.S. acquisition and use of cyberattack capabilities are significant across a broad range of conflict scenarios, from small skirmishes with minor actors on the international stage to all-out conflicts with adversaries capable of employing weapons of mass destruction. Outcomes of cyberattacks vary across an enormous range and they can affect military, intelligence, diplomatic, economic and law-enforcement equities.”

The report also observed that “the availability of cyberattack technologies for national purposes greatly expands the range of options available to U.S. policy makers as well as to policy makers of other nations. . . Cyberattack can be used for both offensive and defensive purposes, and can have both tactical and strategic implications as well. And the technology is available everywhere in the world.”

With regard to technical/operational findings, the NRC study noted that “the ease of cyberattack on many kinds of information technology infrastructure targets is increasing rather than decreasing.” It added: “Although the actual cyberattack capabilities of the United States are highly classified, they are at least as powerful as those demonstrated by the most sophisticated cyberattacks perpetrated by cybercriminals and are likely more powerful.”

The report also said that “if and when the United States decides to launch a cyberattack, significant coordination among allied nations and a wide range of public and private entities may be necessary, depending on the scope and nature of the cyberattack in question.”

On organizational matters, the NRC report found that “both the decision-making apparatus for cyberattack and the oversight mechanisms for that apparatus are inadequate today. . . The U.S. Congress has a substantial role to play in authorizing the use of military force, but the contours of that authority and the circumstances under which authorization is necessary are at least as uncertain for cyberattack as for the use of other weapons.”

With regard to bolstering U.S. capabilities, the report said: “The United States should maintain and acquire effective cyberattack capabilities. The U.S. Government should ensure that there are sufficient levels of personnel trained in all dimensions of cyberattack, and that the senior leadership of government has more than a nodding acquaintance with such issues.”

In addition, it recommended that “the U.S. Government should conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyberattack.”

Russell J. Lefevre, 2008 president of IEEE-USA, commented that the NRC report — together with other developments including President Barack Obama’s announcement on 29 May that he was establishing a new office at the White House to be headed by a “Cybersecurity Coordinator” — “indicate the importance of IEEE technology to one of the highest concerns of the United States and the world.”

“Many [IEEE] Societies and Councils address aspects of the issues,” he said. “Two important conferences are the Intelligence and Security Informatics Conference sponsored by the Intelligent Transportation Systems Society and the International Symposium on Engineering Secure Software and Systems sponsored by the Computer Society Technical Council on Software Engineering. Those members interested in U.S. policy can join the IEEE-USA Critical Infrastructure Protection Committee.”

Lefevre added: “It is apparent that IEEE members are on the leading edge of the technology issues in this extremely important arena.”

Doug Taggart, chairman of the IEEE-USA Committee on Communications Policy, said with regard to the NRC cyberattack report that his committee “has not yet reviewed the report from the perspective of commenting on the findings and recommendations.”

He added that “CCP has not addressed policy issues linked to cyberwarfare, but it is an area that must be looked at in the future. (I am somewhat biased in stating this because in my own area of work I am concerned about cyberwarfare issues related to civilian GPS.)”

Marc T. Apter, chairman of the Critical Infrastructure Protection Committee, said when asked about the panel’s activities related to cybersecurity and cyberwarfare: “The CIPC has drafted a critical infrastructure protection position paper, and it is being circulated within IEEE-USA for comments, before it goes to the IEEE-USA board for approval. At the same time, CIPC is preparing a group of white papers on specific and narrow critical infrastructure protection issues, for use when anyone deals with any branch of government or the media.”

 


 


Barton Reppert is a freelance science and technology writer specializing in S&T policy coverage. He previously worked for 18 years as a reporter and editor with The Associated Press in Washington, New York and Moscow.

Comments on this article may be submitted to todaysengineer@ieee.org.


Copyright © 2009 IEEE
