U.S. needs transparent policies for carrying out cyberattacks

National Research Council says current rules on attacks are 'undeveloped and highly uncertain'

The notion that the federal government needs to create an arsenal of cyberattack capabilities to help defend U.S. interests in cyberspace is gaining considerable support as concerns heighten about online security threats aimed at critical infrastructure targets. But the U.S. has no clear legal or policy framework governing the development and use of such capabilities, the National Research Council warned in a report released Wednesday.


The 322-page report, which was written by a panel of scientists and policy advisers at the NRC, is the first to offer a comprehensive analysis of the complex issues that can arise when cyberspace becomes a battleground between adversaries. Its release follows recent reports about intrusions by foreign cyberspies into the U.S. power grid and military systems.

The NRC's report said that the U.S. needs to have the option of using cyberattacks in order to better safeguard its IT assets and to augment or enable traditional methods of warfare. The availability of cyberattack capabilities could also increase the range of options available to U.S. policy makers when dealing with conflict scenarios ranging from minor skirmishes to an "all-out" war involving nuclear-armed nations, according to the NRC, a nonprofit institution that is part of the National Academies.

But first, the NRC advised, federal officials should establish a national policy regarding the use of cyberattacks for all sectors of the government. It added that the policy should be based on input from Congress, the military and intelligence agencies and that there should be an unclassified public debate about the policy. "The U.S. government should have a clear, transparent and inclusive decision-making structure in place to decide how, when and why a cyberattack will be conducted," the NRC said.

The report makes a distinction between a cyberattack designed to deliberately alter, disrupt, degrade or destroy computer systems and data, and what the NRC described as cyber-exploitation efforts involving intelligence-gathering activities.

Although the U.S. military and domestic law enforcement agencies are actively preparing for the possible launch of cyberattacks, there have been few real attempts to understand the issues that would be raised by such attacks, said Kenneth Dam, a professor at the University of Chicago School of Law and co-chair of the NRC committee that wrote the new report.

"We found that the current policy and legal framework regulating use of cyberattacks by the United States is ill-formed, undeveloped and highly uncertain," Dam said at a press conference on Wednesday. A veil of secrecy has "impeded understanding and debate," he said, adding that the issues involved "are important enough to warrant serious public discussion about [cyberattack's] place in the U.S. policy tool-kit."

The need for such transparency stems from the complex legal, policy and ethical questions surrounding cyberattacks, according to the NRC.

For instance, the source of an online attack can be hard to identify. Unlike in a nation-vs.-nation conflict on an actual battlefield, cyberattacks can be launched by individuals, organized groups, governments or people acting on behalf of a country. They can be triggered from almost anywhere and be carried out in a completely anonymous fashion or made to appear as if they were the work of someone else. Often, it's easy to mistake cyber-exploitation for cyberwar and to escalate the response to an intelligence-gathering exploit into a full-fledged attack, the NRC noted.

In addition, the tools needed to carry out such attacks are relatively inexpensive, and the required technical expertise is easily available worldwide, according to the NRC. As a result, "enduring unilateral dominance in cyberspace is neither realistic nor achievable by the United States," Adm. William Owens, former vice chairman of the Joint Chiefs of Staff and one of the report's authors, said at Wednesday's press conference.

Given those complexities, it's vital that the U.S. develop and articulate a policy that clearly spells out how the government might respond to a cyberattack on communications networks, the power grid or other critical-infrastructure systems, the NRC concluded in its report.

The authors also called on the federal government to conduct "high-level wargaming exercises to understand the dynamics and potential consequences of cyberconflict." And, they wrote, "U.S. policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict."

This story, "U.S. needs transparent policies for carrying out cyberattacks" was originally published by Computerworld.


Copyright © 2009 IDG Communications, Inc.