Technology, policy, law, and ethics regarding U.S. acquisition and use of cyberattack capabilities

The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyberattack on the societal infrastructure of the United States, little has been written about the use of cyberattack as an instrument of U.S. policy. Cyberattacks-actions intended to damage adversary computer systems or networks-can be used for a variety of military purposes. But they also have application to certain missions of the intelligence community, such as covert action. They may be useful for certain domestic law enforcement purposes, and some analysts believe that they might be useful for certain private sector entities who are themselves under cyberattack. This report considers all of these applications from an integrated perspective that ties together technology, policy, legal, and ethical issues. Focusing on the use of cyberattack as an instrument of U.S. national policy, Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities explores important characteristics of cyberattack. It describes the current international and domestic legal structure as it might apply to cyberattack, and considers analogies to other domains of conflict to develop relevant insights. Of special interest to the military, intelligence, law enforcement, and homeland security communities, this report is also an essential point of departure for nongovernmental researchers interested in this rarely discussed topic. Table of Contents Front Matter Synopsis 1 Overview, Findings, and Recommendations Part I: Framing and Basic Technology 2 Technical and Operational Considerations in Cyberattack and Cyberexploitation Part II: Mission and Institutional Perspectives 3 A Military Perspective on Cyberattack 4 An Intelligence Community Perspective on Cyberattack and Cyberexploitation 5 Perspectives on Cyberattack Outside National Security 6 Decision Making and Oversight Part III: Intellectual Tools for Understanding and Thinking About Cyberattack 7 Legal and Ethical Perspectives on Cyberattack 8 Insights from Related Areas 9 Speculations on the Dynamics of Cyberconflict 10 Alternative Futures Appendixes Appendix A: Biographies of Committee Members and Staff Appendix B: Meeting Participants and Other Contributors Appendix C: Illustrative Criminal Cyberattacks Appendix D: Views on the Use of Force in Cyberspace Appendix E: Technical Vulnerabilities Targeted by Cyber Offensive Actions

• 1 Front Matter
• 2 Synopsis
• 3 1 Overview, Findings, and Recommendations
• 4 Part I: Framing and Basic Technology
• 5 2 Technical and Operational Considerations in Cyberattack and Cyberexploitation
• 6 Part II: Mission and Institutional Perspectives
• 7 3 A Military Perspective on Cyberattack
• 8 4 An Intelligence Community Perspective on Cyberattack and Cyberexploitation
• 9 5 Perspectives on Cyberattack Outside National Security
• 10 6 Decision Making and Oversight
• 11 Part III: Intellectual Tools for Understanding and Thinking About Cyberattack
• 12 7 Legal and Ethical Perspectives on Cyberattack
• 13 8 Insights from Related Areas
• 14 9 Speculations on the Dynamics of Cyberconflict
• 15 10 Alternative Futures
• 16 Appendixes
• 17 Appendix A: Biographies of Committee Members and Staff
• 18 Appendix B: Meeting Participants and Other Contributors
• 19 Appendix C: Illustrative Criminal Cyberattacks
• 20 Appendix D: Views on the Use of Force in Cyberspace
• 21 Appendix E: Technical Vulnerabilities Targeted by Cyber Offensive Actions