Group calls for formal cyberattack policy

The United States’ policy and legal framework regarding launching cyberattacks is “ill-informed, undeveloped and highly uncertain” and the country needs a public national policy in that area that applies to sectors of government, according to a report released Wednesday by the National Research Council.

The report, from the council’s Committee on Offensive Information Warfare, said cyberattack capabilities greatly expand policymakers’ options and that an open discussion about the country's cyberattack policy was needed. The group said much of the public policy debate has focused on cyber defenses.

“We are of the opinion that the policy issues related to cyberattack are important enough to the nation to warrant serious public discussion — and I emphasize public discussion — about its significance and place in the U.S. policy toolkit,” Kenneth Dam, a co-chairman of the committee and a professor at the University of Chicago law school, said at a news conference.

The group also recommended that the government maintain and acquire effective cyberattack capabilities and conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyber conflict. The government should also support academic research on the topic, the committee said.

The report draws a distinction between cyberattacks, the intentional alteration disruption or destruction of adversary computer systems or networks, and cyber exploitation. Cyber exploitation, the group said, generally does not try to disturb the normal functions of a system, but instead focuses on obtaining information from the system.

The committee said legal analysis of cyberattacks should focus on the direct and indirect effects of an attack, rather than how it is carried out. The group also said policymakers should judge the direct and indirect consequences of cyberattack when making decisions.

The committee found the law of armed conflict and the United Nations’ Charter to be applicable to cyberattacks, and said that the U.S. should work to reach agreements with other nations regarding cyberattacks. However, the council said the situation is complicated by difficulty in attributing cyberattacks to nation states and that it was unrealistic to expect the U.S. to unilaterally dominate cyberspace.

The council also encouraged the government to consider establishing a structure through which an industry can seek immediate help if it comes under cyberattack.

The report recommended that the government have a clear, transparent and inclusive structure for making decisions on whether to launch a cyberattack. The government should also do a periodic accounting of cyberattacks undertaken by the military and agencies with the results available to senior decision-makers.

The study was sponsored by the MacArthur Foundation, Microsoft Corp. and the NRC. The report used only unclassified materials and the authors didn't confer with the officials conducting the Obama administration’s review of cybersecurity policy, the NRC said.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close

Trending

  • POWER TRAINING: How to engage your customers

    Don't miss our Aug. 2 Washington Technology Power Training session on Mastering Stakeholder Engagement, where you'll learned the critical skills you need to more fully connect with your customers and win more business. Read More

  • PROJECT 38 PODCAST

    In our latest Project 38 Podcast, editor Nick Wakeman interviews Tom Romeo, the leader of Maximus Federal about how it has zoomed up the 2019 Top 100. Read More

contracts DB

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.