NRC report deals with policy issues of the United States mounting cyberattacks on bad guys, other countries.
Two weeks ago I wrote about methods by which law enforcement could cyber-target individual miscreants. Since then, the National Research Council (NRC) of the National Academies of Science has published a report on a whole different scale of cybertargeting: It deals with policy issues of the United States mounting cyberattacks on groups of cyberterrorists or on countries.
As is generally the case with NRC reports, the one titled "Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities" is very well balanced. It is the product of a 14-person committee, including people of diverse backgrounds and interests. The statement of the committee's task starts: "The National Research Council will appoint an ad hoc committee to examine policy dimensions and legal/ethical implications of offensive information warfare." This report, which is readable, though laboriously, on the Web does not provide a road map on how to conduct cyberwarfare. Instead, it examines the "many questions and issues" associated with the officially sanctioned use of cyberattacks.
The report presents 22 findings and makes 12 specific recommendations.The findings include the obvious -- that "private parties have few useful alternatives for responding to a severe cyber attack" -- to the hidden, that "both the decision-making apparatus for cyber attack and the oversight mechanisms for that apparatus are inadequate today." The recommendations are not all ones that most governments would much like because they address the need to "conduct a broad, unclassified national debate and discussion on cyberattack policy," and that policymakers "should apply the moral and ethical principles underlying the law of armed conflict to cyberattack." Talking about military techniques and strategies in public is just not done.
On the defensive side, some discussion seems to be happening. The National Journal magazine is reporting that the United States is developing a Defense Industrial Base initiative in which the government tries to help companies better protect their -- and sometimes government -- information, such as the plans for the Joint Strike Fighter.
One problem with cyberattacks is that there is little government-specific about them. A handful of hackers can put together as powerful an attack using a botnet as a government can with all its might and money. That is, unless the government has the cooperation of a major software company (see Purina Paranoid Chow?) or, as I talked about two weeks ago, antivirus companies.
Barring such arrangements, which clearly not all governments could have, the folks making money off spam (see "Spamalytics: An Empirical Analysis of Spam Marketing Conversion" ) have reason to hack into our computers and turn them into zombies to do their bidding. Any government-managed cyberattack system would have to have some of the same characteristics of the spammers' approach -- at least the hacking and subverting parts. Of course, attacks could not just come from a few machines because they could be easily blocked, so a government-blessed attack could look a whole lot like one from a bad guy. The dialogue that the NRC report calls for will need to explain how they are different.
Disclaimer: Students at a number of Harvard schools, including business and law, are taught to try to differentiate between actions that may look the same but are not. But as far as I know, none of them has provided an opinion on a description of a good cyberattack.