By Cliff Montgomery – Apr. 4th, 2010
“The current policy and legal framework regulating use of cyber-attack by the United States is ill-formed, undeveloped, and highly uncertain,” according to a press release discussing a National Research Council report issued last year.
The National Research Council (NRC) is “part of a private, non-profit institution that provides science, technology and health policy advice under a congressional charter signed by President Abraham Lincoln” in 1863, declares the NRC’s mission statement.
Though the Council’s findings are nearly a year old, they remain important today. The introduction to the NRC report summary plainly states why this is so:
“Although there is a substantial literature on the potential impact of a cyber-attack on the societal infrastructure of the United States, little has been written about the use of cyber-attack as an instrument of U.S. policy.”
At least until the creation of this study.
Below, the American Spark quotes major portions of the report summary:
“Cyber-attack refers to deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.”
“The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyber-attack on the societal infrastructure of the United States, little has been written about the use of cyber-attack as an instrument of U.S. policy.”
“The U.S. armed forces are actively preparing to engage in cyber-attacks, perhaps in concert with other information warfare means and/or with kinetic attacks, and may have done so in the past.
“Domestic law enforcement agencies also engage in cyber-attack when they jam cell phone networks in order to prevent the detonation of improvised explosive devices.
“Such matters pose some very important issues that relate to technology, policy, law, and ethics. This report provides an intellectual framework for thinking about cyber-attack and understanding these issues.
“A first point is that cyber-attack must be clearly distinguished from cyber-exploitation, which is an intelligence- gathering activity rather than a destructive activity. Although much of the technology underlying cyber- exploitation is similar to that of cyber-attack, cyber-attack and cyber-exploitation are conducted for entirely different purposes. (This contrast is relevant to much of the public debate using the term ‘cyber-attack’, which in common usage often lumps both attack and exploitation under the ‘attack’ label.)
“Second, weapons for cyber-attack have a number of characteristics that differentiate them from traditional kinetic weapons. Compared to kinetic weapons, many weapons for cyber-attack:
- Are easy to use with high degrees of anonymity and with plausible deniability, making them well suited for covert operations and for instigating conflict between other parties
- Are more uncertain in the outcomes they produce, making it difficult to estimate deliberate and collateral damage, and
- Involve a much larger range of options and possible outcomes, and may operate on time scales ranging from tenths of a second to years, and at spatial scales anywhere from ‘concentrated in a facility next door’ to globally dispersed.
“Third, cyber-attack as a mode of conflict raises many operational issues.
“For example, given that any large nation experiences cyber-attacks continuously, how will the United States know it is the subject of a cyber-attack deliberately launched by an adversary government?
“There is also a further tension between a policy need for rapid response and the technical reality that attribution is a time-consuming task.
“Shortening the time for investigation may well increase the likelihood of errors being made in a response (e.g., responding against the wrong machine or launching a response that has large unintended effects).
Illustrative Applications of Cyber-Attack
“Cyber-attack can support military operations. For example, a cyber-attack could disrupt adversary command, control, and communications, [as well as] suppress air defenses, degrade smart munitions and platforms, or attack war- fighting or war-making infrastructure (the defense industrial base).
“Cyber-attack might be used to augment or to enable some other kinetic attack to succeed, or to defend a friendly computer system or network by neutralizing the source of a cyber-attack conducted against it.
“Cyber-attack can also support covert action, which is designed to influence governments, events, organizations, or persons in support of foreign policy in a manner that is not necessarily attributable to the U.S. government.
“The range of possible cyber-attack options is very large, and so cyber-attack-based covert action might be used, for example, to influence an election, instigate conflict between political factions, harass disfavored leaders or entities, or divert money.
Illustrative Applications of Cyber-Exploitation
“For intelligence gathering, cyber-exploitation of an adversary’s computer systems might yield valuable information. For example, U.S. intelligence agencies might learn useful information about an adversary’s intentions and capabilities from a penetration of its classified government networks. Alternatively, they might obtain useful economic information from penetrating the computer systems of a competing nation’s major industrial firms.”
