
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

Posted By: exLib

"Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities" ed. by William A. Owens, Kenneth W. Dam, and Herbert S. Lin
Committee on Offensive Information Warfare, National Research Council
NAS Press | 2009 | ISBN: 0309138507 9780309138505 | pages | PDF | 2 MB

Focusing on the use of cyberattack as an instrument of U.S. national policy, this book explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights. Of special interest to the military, intelligence, law enforcement, and homeland security communities, this report is also an essential point of departure for nongovernmental researchers interested in this rarely discussed topic.

Cyberattacks–actions intended to damage adversary computer systems or networks–can be used for a variety of military purposes. But they also have application to certain missions of the intelligence community, such as covert action. They may be useful for certain domestic law enforcement purposes, and some analysts believe that they might be useful for certain private sector entities who are themselves under cyberattack. This report considers all of these applications from an integrated perspective that ties together technology, policy, legal, and ethical issues.

Contents
SYNOPSIS
1 OVERVIEW, FINDINGS, AND RECOMMENDATIONS
1.1 What Is Cyberattack and Why Is It Important?
1.2 Focus of and Motivation for This Report
1.3 Cyberattack in the Context of an Information Strategy for the United States
1.4 Important Characteristics of Cyberattack and Cyberexploitation
1.5 Illustrative Applications of Cyberattack
1.6 The Legal Framework Governing Cyberattack
1.7 The Dynamics of Cyberconflict
1.8 Findings
1.8.1 Technologies as Instruments of U.S. National Policy
1.8.2 Overarching Findings
1.8.3 Legal and Ethical Findings
1.8.4 Policy Findings
1.8.5 Technical and Operational Findings
1.8.6 Organizational Findings
1.9 Recommendations
1.9.1 Fostering a National Debate on Cyberattack
1.9.2 Organizing the Decision-Making Apparatus of the U.S. Government for Cyberattack
1.9.3 Supporting Cyberattack Capabilities and Policy
1.9.4 Developing New Knowledge and Insight into a New Domain of Conflict
1.10 Conclusion
PART I Framing and Basic Technology
2 TECHNICAL AND OPERATIONAL CONSIDERATIONS IN CYBERATTACK AND CYBEREXPLOITATION
2.1 Important Characteristics of Cyberattack and Cyberexploitation
2.2 The Basic Technology of Cyberattack
2.2.1 Information Technology and Infrastructure
2.2.2 Vulnerability, Access, and Payload
2.2.3 Scale and Precision
2.2.4 Critical Periods of Cyberattack
2.2.5 Approaches for Cyberattack
2.2.6 Propagating a Large-Scale Cyber Offensive Action
2.2.7 Economics
2.3 Operational Considerations
2.3.1 The Effects of Cyberattack
2.3.2 Possible Objectives of Cyberattack
2.3.3 Target Identification
2.3.4 Intelligence Requirements and Preparation
2.3.5 Effects Prediction and Damage Assessment
2.3.6 Complexity, Information Requirements, and Uncertainty
2.3.7 Rules of Engagement
2.3.8 Command and Control
2.3.9 Coordination of Cyberattack Activities with Other Institutional Entities
2.3.10 A Rapidly Changing and Changeable Technology and Operational Environment for Cyberattack
2.4 Characterizing an Incoming Cyberattack
2.4.1 Tactical Warning and Attack Assessment
2.4.2 Attribution
2.4.3 Intent
2.5 Active Defense for Neutralization as a Partially Worked Example
2.6 Technical and Operational Considerations for Cyberexploitation
2.6.1 Technical Similarities in and Differences Between Cyberattack and Cyberexploitation
2.6.2 Possible Objectives of Cyberexploitation
2.6.3 Approaches for Cyberexploitation
2.6.4 Some Operational Considerations for Cyberexploitation
2.7 Historical Precedents and Lessons
PART II Mission and Institutional Perspectives
3 A MILITARY PERSPECTIVE ON CYBERATTACK
3.1 U.S. Military Doctrine and Cyberattack
3.2 Department of Defense Organization for Cyberattack
3.3 Rules of Engagement
3.4 Some Historical Perspective
3.5 Cyberattack in Support of Military Operations—Some Hypothetical Examples
3.5.1 Cyberattack in Support of Defense, Exploitation, and Other Information Operations
3.5.2 Cyberattack in Support of Traditional Military Operations
3.5.3 Cyberattack in Support of Other Operations
3.6 Operational Planning
3.7 Human Capital and Resources
3.8 Weapons Systems Acquisition
4 AN INTELLIGENCE COMMUNITY PERSPECTIVE ON CYBERATTACK AND CYBEREXPLOITATION
4.1 Intelligence Collection and Analysis
4.1.1 Governing Principles
4.1.2 How Cyberexploitation Might Be Used to Support Intelligence Collection
4.2 Covert Action
4.2.1 Governing Principles
4.2.2 How Cyberattack Might Be Used in Covert Action
4.3 Possible Intelligence Community Interest in Cyberattack and Cyberexploitation
5 Perspectives on Cyberattack Outside National Security
5.1 Cyberattack and Domestic Law Enforcement
5.2 Threat Neutralization in the Private Sector
5.2.1 Possible Response Options for Private Parties Targeted by Cyberattack
5.2.2 Self-defense by Private Parties
5.2.3 Regulating Self-defense by Private Parties
5.2.4 Negative Ramifications of Self-defense by Private Parties
5.3 Cyberexploitation in the Private Sector
5.4 Threat Neutralization on Behalf of Non-military Government Agencies
6 Decision Making and Oversight
6.1 Executive Branch
6.1.1 Declaratory Policy
6.1.2 Acquisition Policy
6.1.3 Employment Policy
6.1.4 Operational Oversight
6.2 Legislative Branch
6.2.1 Warmaking Powers
6.2.2 Budget
6.2.3 Oversight (and Notification)
PART III Intellectual Tools for Understanding and Thinking About Cyberattack
7 Legal and Ethical Perspectives on Cyberattack
7.1 The Basic Framework
7.2 International Law
7.2.1 The Law of Armed Conflict
7.2.2 Applying the Law of Armed Conflict to Cyberattack
7.2.3 International Law and Non-state Actors
7.2.4 The Convention on Cybercrime
7.2.5 Human Rights Law
7.2.6 Reciprocity
7.3 Domestic Law
7.3.1 Covert Action and Military Activity
7.3.2 Title III and the Foreign Intelligence Surveillance Act
7.3.3 Posse Comitatus
7.3.4 The Computer Fraud and Abuse Act and Other Federal Law
7.3.5 The War Powers Resolution
7.3.6 Executive Order 12333 (United States Intelligence Activities)
7.4 Foreign Domestic Law
8 Insights from Related Areas
8.1 Nuclear Weapons and Nuclear War
8.2 Space
8.3 Biological Weapons
8.4 Non-lethal Weapons
9 Speculations on the Dynamics of Cyberconflict
9.1 Deterrence and Cyberconflict
9.2 Escalatory Dynamics of Cyberconflict Between Nation-States
9.2.1 Crisis Stability
9.2.2 Escalation Control and Management
9.2.3 Complications Introduced by Patriotic Hackers
9.2.4 Incentives for Self-restraint in Escalation
9.2.5 Termination of Cyberconflict
9.2.6 The Role of Transparency
9.2.7 Catalytic Cyberconflict
9.3 Cyberconflict Between the United States and Non-state Actors
9.4 The Political Side of Escalation
10 Alternative Futures
10.1 Regulatory Regimes—Basic Principles
10.2 Regulatory Regimes for Cyberattack
10.2.1 Direct Approaches Based on Traditional Arms Control
10.2.2 Indirect Approaches Based on Regulation of Non-military Domains
10.3 Foreign Perspectives on Cyberattack
APPENDIXES
A Biographies of Committee Members and Staff
B Meeting Participants and Other Contributors
C Illustrative Criminal Cyberattacks
D Views on the Use of Force in Cyberspace
E Technical Vulnerabilities Targeted by Cyber Offensive Actions
with TOC BookMarkLinks

