Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

Cover......Page 1
Title......Page 2
Copyright......Page 3
The National Academies......Page 4
COMMITTEE ON OFFENSIVE INFORMATION WARFARE......Page 6
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD......Page 7
Preface......Page 8
THIS STUDY—FOCUS, APPROACH, AND PURPOSE......Page 10
ACKNOWLEDGMENTS......Page 14
Acknowledgment of Reviewers......Page 16
Contents......Page 18
What Is Cyberattack?......Page 24
Illustrative Applications of Cyberattack......Page 25
The Dynamics of Cyberconflict......Page 26
Overarching Findings......Page 27
Technical and Operational Findings......Page 28
Fostering a National Debate on Cyberattack......Page 29
Developing New Knowledge and Insight into a  
New Domain of Conflict......Page 30
1.1  WHAT IS CYBERATTACK AND WHY IS IT IMPORTANT?......Page 32
1.2  FOCUS OF AND MOTIVATION FOR THIS REPORT......Page 35
1.3  CYBERATTACK IN THE CONTEXT OF AN INFORMATION 
STRATEGY FOR THE UNITED STATES......Page 40
1.4  IMPORTANT CHARACTERISTICS OF  
CYBERATTACK AND CYBEREXPLOITATION......Page 42
1.6  THE LEGAL FRAMEWORK GOVERNING CYBERATTACK......Page 44
1.7  THE DYNAMICS OF CYBERCONFLICT......Page 45
1.8.1  Technologies as Instruments of U.S. National Policy......Page 47
Finding 1......Page 48
Finding  2......Page 49
Finding 3......Page 50
Finding 4......Page 51
Finding  5......Page 53
1.8.3  Legal and Ethical Findings......Page 54
Finding  6......Page 55
Finding 7......Page 59
Finding 8......Page 60
Finding 9......Page 62
Finding 11......Page 63
Finding 13......Page 66
Finding 14......Page 67
Finding 15......Page 68
Finding 16......Page 69
Finding 17......Page 70
Finding 19......Page 72
Finding 20......Page 74
Finding 21......Page 76
Finding 22......Page 77
1.9  RECOMMENDATIONS......Page 79
Recommendation 1......Page 80
Recommendation 2......Page 81
Recommendation 3......Page 82
Recommendation 4......Page 85
Recommendation 5......Page 88
Recommendation 6......Page 89
Recommendation 7......Page 91
Recommendation 8......Page 92
Recommendation 9......Page 93
Recommendation 10......Page 94
Recommendation 12......Page 96
1.10  CONCLUSION......Page 98
Part I: Framing and Basic Technology......Page 100
2 Technical and Operational Considerations in Cyberattack and Cyberexploitation......Page 102
2.1  IMPORTANT CHARACTERISTICS OF  
CYBERATTACK AND CYBEREXPLOITATION......Page 103
2.2.1  Information Technology and Infrastructure......Page 105
2.2.2.1  Vulnerabilities......Page 106
2.2.2.2  Access......Page 109
2.2.2.3  Payload......Page 111
2.2.4  Critical Periods of Cyberattack......Page 112
2.2.5  Approaches for Cyberattack......Page 114
2.2.5.1.1 botnets......Page 115
Security Penetrations......Page 119
Worms and Viruses......Page 120
Penetrations of and Denial-of-Serice Attacks on Wireless Networks......Page 121
Router Compromises......Page 122
Protocol Compromises......Page 123
2.2.5.2  Possible Approaches for Close-Access Cyberattacks......Page 124
Compromises of third-party security software......Page 126
2.2.5.3  Compromise of Operators, Users, and Service Providers......Page 127
2.2.6.1  Direct Propagation......Page 129
2.2.6.2  Indirect Propagation......Page 130
Productivity......Page 131
Funding......Page 132
2.3.1.1  Direct Effects......Page 133
Authenticity......Page 134
Aailability......Page 135
2.3.1.2  Indirect (and Unintended) Effects......Page 136
Destroy a network or a system connected to it......Page 137
Assume control of a network and/or modulate connectiity, priileges, or 
service......Page 138
2.3.3  Target Identification......Page 139
2.3.4  Intelligence Requirements and Preparation......Page 141
2.3.5  Effects Prediction and Damage Assessment......Page 144
2.3.6  Complexity, Information Requirements, and Uncertainty......Page 149
2.3.7  Rules of Engagement......Page 151
2.3.8.1  Command and Control—Basic Principles......Page 152
2.3.8.2  Illustrative Command and Control Technology for Cyberattack......Page 153
Coordination with the private sector......Page 155
2.3.10  A Rapidly Changing and Changeable Technology and 
Operational Environment for Cyberattack......Page 156
2.4  CHARACTERIZING AN INCOMING CYBERATTACK......Page 157
2.4.1  Tactical Warning and Attack Assessment......Page 158
2.4.2  Attribution......Page 161
Accuracy......Page 162
2.4.3  Intent......Page 164
2.5  ACTIVE DEFENSE FOR NEUTRALIZATION AS A  
PARTIALLY WORKED EXAMPLE......Page 165
2.6.1  Technical Similarities in and Differences  
Between Cyberattack and Cyberexploitation......Page 172
2.6.2  Possible Objectives of Cyberexploitation......Page 173
2.6.3  Approaches for Cyberexploitation......Page 175
2.6.4.1   The Fundamental Similarity Between Cyberattack and 
Cyberexploitation......Page 176
2.6.4.2  Target Identification and Intelligence Preparation......Page 177
2.6.4.3  Rules of Engagement and Command and Control......Page 178
2.7  HISTORICAL PRECEDENTS AND LESSONS......Page 179
Part II: Mission and Institutional Perspectives......Page 182
3.1  U.S. MILITARY DOCTRINE AND CYBERATTACK......Page 184
3.2  DEPARTMENT OF DEFENSE ORGANIzATION  
FOR CYBERATTACK......Page 188
3.3  RULES OF ENGAGEMENT......Page 190
3.4  SOME HISTORICAL PERSPECTIVE......Page 194
3.5.1  Cyberattack in Support of Defense, Exploitation, and  
Other Information Operations......Page 200
3.5.2  Cyberattack in Support of Traditional Military Operations......Page 202
3.5.3  Cyberattack in Support of Other Operations......Page 203
3.6  OPERATIONAL PLANNING......Page 205
3.7  HUMAN CAPITAL AND RESOURCES......Page 207
3.8  WEAPONS SYSTEMS ACqUISITION......Page 209
4.1.1  Governing Principles......Page 211
4.1.2  How Cyberexploitation Might Be Used to  
Support Intelligence Collection......Page 213
4.2.1  Governing Principles......Page 216
4.2.2  How Cyberattack Might Be Used in Covert Action......Page 218
4.3  POSSIBLE INTELLIGENCE COMMUNITY INTEREST IN 
CYBERATTACK AND CYBEREXPLOITATION......Page 221
5.1  CYBERATTACK AND DOMESTIC LAW ENFORCEMENT......Page 223
5.2.1  Possible Response Options for Private Parties  
Targeted by Cyberattack......Page 225
5.2.2  Self-defense by Private Parties......Page 227
5.2.3  Regulating Self-defense by Private Parties......Page 231
5.2.4  Negative Ramifications of Self-defense by Private Parties......Page 233
5.3  CYBEREXPLOITATION IN THE PRIVATE SECTOR......Page 235
5.4  THREAT NEUTRALIzATION ON BEHALF OF  
NON-MILITARY GOVERNMENT AGENCIES......Page 236
6.1  EXECUTIVE BRANCH......Page 237
6.1.1.1  The Need for Declaratory Policy......Page 238
6.1.1.2  Present Status......Page 239
6.1.1.3  Alternative Declaratory Policies......Page 241
6.1.2  Acquisition Policy......Page 243
6.1.3  Employment Policy......Page 246
6.1.4.1  Launching a Cyberattack......Page 252
6.1.4.2   Conducting Intelligence Preparation of the Battlefield to 
Support a Cyberattack......Page 253
6.2.1  Warmaking Powers......Page 255
6.2.2  Budget......Page 257
6.2.3  Oversight (and Notification)......Page 258
Part III: Intellectual Tools for Understanding and Thinking About Cyberattack......Page 260
7.1  THE BASIC FRAMEWORK......Page 262
7.2.1  The Law of Armed Conflict......Page 264
7.2.1.1  Jus ad Bellum......Page 265
7.2.1.2  Jus in Bello......Page 269
7.2.2  Applying the Law of Armed Conflict to Cyberattack......Page 273
7.2.2.1  Prior to the Outbreak of Hostilities—Applying Jus ad Bellum......Page 274
7.2.2.1.1  The Uncertainties in Identification and Attribution......Page 275
7.2.2.1.2  Criteria for Defining “Use of Force” and “Armed Attack”......Page 276
7.2.2.1.4  Distinctions between Economic Sanctions and blockades......Page 280
7.2.2.1.5  The De Facto Exception for Espionage......Page 282
7.2.2.2.1  Proportionality of Military Action......Page 285
7.2.2.2.3  Distinctions between Military and Civilian Personnel......Page 288
7.2.2.2.4  Neutrality in a Cyberattack......Page 291
7.2.2.2.6  An Operational Note—Jus in Bello in Practice......Page 294
7.2.2.3  A Summary of Applying LOAC to Cyberattack......Page 295
7.2.3.1  International Law and Non-state Actors—Terrorists......Page 296
7.2.3.3  International Law and Non-state Actors—Patriotic Hackers......Page 299
7.2.4  The Convention on Cybercrime......Page 300
7.2.5  Human Rights Law......Page 304
7.3  DOMESTIC LAW......Page 305
7.3.1  Covert Action and Military Activity......Page 306
7.3.2  Title III and the Foreign Intelligence Surveillance Act......Page 309
7.3.4  The Computer Fraud and Abuse Act and Other Federal Law......Page 311
7.3.6  Executive Order 12333 (United States Intelligence Activities)......Page 313
7.4  FOREIGN DOMESTIC LAW......Page 315
8.1  NUCLEAR WEAPONS AND NUCLEAR WAR......Page 316
8.2  SPACE......Page 319
8.3  BIOLOGICAL WEAPONS......Page 320
8.4  NON-LETHAL WEAPONS......Page 322
9.1  DETERRENCE AND CYBERCONFLICT......Page 325
9.2.1  Crisis Stability......Page 329
9.2.2.2  Preventing Cyberconflict from Transitioning to Physical Space......Page 331
9.2.3  Complications Introduced by Patriotic Hackers......Page 333
9.2.5  Termination of Cyberconflict......Page 334
9.2.7  Catalytic Cyberconflict......Page 335
9.3  CYBERCONFLICT BETWEEN THE UNITED STATES AND 
NON-STATE ACTORS......Page 336
9.4  THE POLITICAL SIDE OF ESCALATION......Page 338
10.1  REGULATORY REGIMES—BASIC PRINCIPLES......Page 341
10.2.1  Direct Approaches Based on Traditional Arms Control......Page 344
10.2.2  Indirect Approaches Based on  
Regulation of Non-military Domains......Page 349
10.3  FOREIGN PERSPECTIVES ON CYBERATTACK......Page 351
Appendixes......Page 358
COMMITTEE MEMBERS......Page 360
STAFF MEMBERS......Page 369
Appendix B: Meeting Participants and Other Contributors......Page 371
THE INVITA CASE......Page 373
THE ISRAELI TROJAN HORSE INDUSTRIAL ESPIONAGE CASE......Page 374
OPERATIONS “CYBERSLAM,” “BOTMASTER UNDERGROUND,” 
AND OTHER BOTNET CASES......Page 375
THE STAKKATO INTRUSIONS......Page 377
TJX FINANCIAL DATA THEFTS......Page 378
COMPUTER NETWORK ATTACK AND THE USE OF  
FORCE IN INTERNATIONAL LAW......Page 379
NEW TOOLS, NEW RULES: INTERNATIONAL LAW AND 
INFORMATION OPERATIONS......Page 381
SOFTWARE......Page 383
HARDWARE......Page 387
CONFIGURATION......Page 389