U.S. needs transparent policies for carrying out cyberattacks

The notion that the federal government needs to create an arsenal of cyberattack capabilities to help defend U.S. interests in cyberspace is gaining considerable support as concerns heighten about online security threats aimed at critical infrastructure targets. But the U.S. has no clear legal or policy framework governing the development and use of such capabilities, the National Research Council warned in a report released Wednesday.

Slideshow: 10 of the Worst Moments in Network Security History

The 322-page report, which was written by a panel of scientists and policy advisers at the NRC, is the first to offer a comprehensive analysis of the complex issues that can arise when cyberspace becomes a battleground between adversaries. Its release follows recent reports about intrusions by foreign cyberspies into the U.S power grid and military systems.

The NRC's report said that the U.S. needs to have the option of using cyberattacks in order to better safeguard its IT assets and to augment or enable traditional methods of warfare. The availability of cyberattack capabilities could also increase the range of options available to U.S. policy makers when dealing with conflict scenarios ranging from minor skirmishes to an "all-out" war involving nuclear-armed nations, according to the NRC, a nonprofit institution that is part of the National Academies.

But first, the NRC advised, federal officials should establish a national policy regarding the use of cyberattacks for all sectors of the government. It added that the policy should be based on input from Congress, the military and intelligence agencies and that there should be an unclassified public debate about the policy. "The U.S. government should have a clear, transparent and inclusive decision-making structure in place to decide how, when and why a cyberattack will be conducted," the NRC said.

The report makes a distinction between a cyberattack designed to deliberately alter, disrupt, degrade or destroy computer systems and data, and what the NRC described as cyber-exploitation efforts involving intelligence-gathering activities.

Although the U.S. military and domestic law enforcement agencies are actively preparing for the possible launch of cyberattacks, there have been few real attempts to understand the issues that would be raised by such attacks, said Kenneth Dam, a professor at the University of Chicago School of Law and co-chair of the NRC committee that wrote the new report.

"We found that the current policy and legal framework regulating use of cyberattacks by the United States is ill-formed, undeveloped and highly uncertain," Dam said at a press conference on Wednesday. A veil of secrecy has "impeded understanding and debate," he said, adding that the issues involved "are important enough to warrant serious public discussion about [cyberattack's] place in the U.S. policy tool-kit."

The need for such transparency stems from the complex legal, policy and ethical questions surrounding cyberattacks, according to the NRC.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.