National Academyof Sciences •National Academy ofEngineering •Instituteof Medicine•National Research Council U.S. Acquisition and Use of Cyberattack Capabilities Technology, Policy, Law, and Ethics Regarding This booklet is based on the report This booklet is based on the report National ResearchCouncil Division onEngineeringandPhysicalSciences Computer ScienceandTelecommunications Board WarfareCommittee onOffensiveInformation William A. Owens,KennethW. S.Lin,editors Dam,andHerbert cyberexploitation and a cyberattack—a fact that may result in that party’s making incorrect or misin decisions. formed or incorrect making party’s that in result may that fact cyberattack—a a and cyberexploitation a between easily distinguish to able be not may party targeted a that mean often similarities technical These payload. the of nature the is cyberexploitation a from cyberattack a distinguishes what is, That cyber- executed. be A to payload the 2). in is (Box difference only the executed things—and three be same the requires to exploitation payload a and vulnerability, that to access vulnerability, a quires re cyberattack successful A significance. policy have similarities operational and technical some Still, attack andexploitationunderthe“attack”label. both lumps often usage common in which “cyberattack,” term the using debate public the of much to their objectives and in the policy and legal constructs surrounding them (Box 1). This contrast is relevant in differ they similarities, some share cyberexploitation and activity.cyberattack destructive Although a than rather activity intelligence-gathering an is which cyberexploitation, as same the not is Cyberattack policy, law, andethics. of improvised explosive devices. Such matters pose some important issues very that relate to technology, detonation the prevent to order in networks phone cell jam they when cyberattack in engage also cies warfare information means and/or with kinetic attacks, and may have done so in the past. Domestic law enforcement agen other with concert in perhaps cyberattacks, in engage to preparing actively are focusesontheuseofcyberattackasaninstrumentU.S.nationalpolicy.report forces TheU.S.armed or networks or the and/or information programs resident in or transiting these systems or networks. This Cyberattack refers to deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems Background fororinpreparingthereport. information either ingathering unclassified basis, andtheauthoring committee didnot access classifiedinformation Foundation, Microsoft Corporation, and the National Research Council. It was conducted on an entirely Use of Cyberattack Capabilities. The project that resulted in by was the the supported report MacArthur Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and

NATIONALTHE

- - -

ACADEMIES Box 1—Cyberattack versus Cyberexploitation

Cyberexploitation, intelligence, Cyberattack, attack, computer exploitation, computer network network attack exploitation Approach and intent Degrade, disrupt, deny, destroy Achieve smallest intervention attacked infrastructure and consistent with desired operations systems/networks

Relevant domestic law U.S. Code Title 10 authorities U.S. Code Title 50 authorities and restrictions and restrictions

Operational agency U.S. Strategic Command (Joint National Security Agency Functional Component Command for Network Warfare)

Main advocate in the U.S. Air Force Director of National Intelligence U.S. government to date

Interactions with tactical Based on explicit inclusion Based on intelligence reporting military operations in battle plans Characterization of personnel Warfighters Intelligence community

Weapons for cyberattack have a number of char- that attribution is a time-consuming task. Shortening the acteristics that differentiate them from traditional ki- time for investigation may well increase the likelihood netic weapons. Compared to kinetic weapons, many of errors being made in a response (e.g., responding weapons for cyberattack: against the wrong machine or launching a response • Are easy to use with high degrees of anonymity that has large unintended effects). and with plausible deniability, making them well Illustrative Applications of Cyberattack suited for covert operations and for instigating conflict between other parties. Cyberattack can support military operations. For ex- ample, a cyberattack could disrupt command, con- • Are more uncertain in the outcomes they produce, trol, and communications; suppress air defenses; de- making it difficult to estimate deliberate and col- grade smart munitions and platforms; or undermine lateral damage. an adversary’s defense industrial base or its warfight- • Involve a much larger range of options and pos- ing capabilities. Cyberattack might be used to aug- sible outcomes, and may operate on time scales ment a kinetic attack or to enable such an attack to ranging from tenths of a second to years, and at succeed, or to defend a friendly computer system or spatial scales anywhere from “concentrated in a network by neutralizing the source of a cyberattack facility next door” to globally dispersed. conducted against it. • Are easily available to any interested party, rang- Cyberattack can also support covert action, which is ing from nation-states to disaffected teenagers. generally designed to influence governments, events, Cyberattack as a mode of conflict also raises many op- organizations, or persons in support of foreign poli- erational issues. For example, any large nation experi- cy in a manner that is not necessarily attributable to ences cyberattacks all of the time, and many of these the U.S. government. The range of possible cyberat- attacks are not being undertaken by an adversary na- tack options is very large; for example, a cyberat- tion. How will the United States know it is the subject of tack-based covert action might be used to influence a cyberattack deliberately launched by an adversary an election, instigate conflict between political - fac government? There is also a further tension between a tions, harass disfavored leaders or entities, or divert policy need for rapid response and the technical reality money.

 Computer Science and Telecommunications Board Box 2—Technical Aspects of Cyberattack A cyberattack requires access that allows the exploitation of a vulnerability to deliver a payload.

Access • A remote-access cyberattack is an attack that is launched at some distance from the adversary computer or network of interest. The canonical example of a remote access attack is that of an adversary computer attacked through the access path provided by the Internet, but other examples might include accessing an adversary computer through an attached dial-up modem or wireless network. • A close-access cyberattack is an attack on an adversary computer or network that takes place through the local installation of hardware or software functionality by nonadversary parties (e.g., covert agents, vendors) in close proximity to the computer or network of interest. Close access is a possibility anywhere in the supply chain of a system that will be deployed.

Exploitable Vulnerabilities • Software. Application or system software may have accidentally or deliberately introduced flaws whose use can subvert the intended purpose for which the software is designed. • Hardware. Vulnerabilities can also be found in any hardware element with computing or communica- tions capabilities, including microprocessors, microcontrollers, circuit boards, power supplies, peripher- als such as printers or scanners, storage devices, and communications equipment such as network cards. Tampering with such components may secretly alter the intended functionality of the component, or provide opportunities to introduce hostile software. • Seams between hardware and software. An example of such a seam might be the reprogrammable read-only memory of a computer (firmware) that can be improperly and clandestinely reprogrammed. • Communications channels. The communications channels between a system or network and the “out- side” world can be used by an attacker in many ways. An attacker can pretend to be an “authorized” user of the channel, jam it and thus deny its use to the adversary, or eavesdrop on it to obtain information intended by the adversary to be confidential. • Configuration. Most systems provide a variety of configuration options that users can set, based on their own security versus convenience tradeoffs. Because convenience is often valued more than security, many systems are—in practice—configured insecurely. • Users and operators. Authorized users and operators of a system or network can be tricked or black- mailed into doing the bidding of an attacker. • Service providers. Many computer installations rely on outside parties to provide computer-related ser- vices, such as maintenance or Internet service. An attacker may be able to persuade a service provider to take some special action on its behalf, such as installing attack software on a target computer.

Payload “Payload” is the term used to describe the things that can be done once a vulnerability has been exploited. For example, once a software agent (such as a virus) has entered a given computer, it can be programmed to do many things—reproducing and retransmitting itself, destroying files on the system, or altering files. A payload may have multiple capabilities when inserted into an adversary system, and a payload may be remotely updatable if a communications channel to the attacker is available.

National Research Council  The Legal Framework Governing The Dynamics of CyberConflict Cyberattack The escalatory dynamics of armed conflict are thought The committee’s view of the basic framework for the to be understood as the result of many years of think- legal analysis of cyberattack is based on the principle ing about the subject, but the dynamics of cyberwar that notions related to “use of force” and “armed at- are poorly understood. This report speculates on tack” (terms of special relevance to the Charter of the some of the factors that might influence the evolution United Nations) should be judged primarily by the of a cyberconflict. effects of an action rather than its modality. That is, For major nation-states with significant kinetic and the fact that an attack is carried out through the use of cyber capabilities at their disposal, among the impor- cyber weapons rather than kinetic weapons is far less tant issues regarding the dynamics of cyberconflict significant than the effects that result from such use, are the following: where “effects” are understood to include both direct and indirect effects. • Crisis stability. Traditionally, crisis stability refers to that condition in which neither side has incentives Furthermore, the committee believes that the principles to attack first. What, if any, are the requirements of the law of armed conflict and the UN Charter—in- on forces for cyberattack that meet this condition? cluding both law governing the legality of going to war (jus ad bellum) and law governing behavior dur- • Preventing a cyberconflict from escalating to phys- ing war (jus in bello)—do apply to cyberattack. ical space. • Knowing when a cyberconflict has been termi- • Prior to the outbreak of acknowledged armed nated. Against a background of ongoing cyber- conflict, if the effects (including both direct and attacks, how will nations previously engaged in indirect effects) produced by a cyberattack cyberattacks against each other know that such would, if produced by other means, constitute nationally initiated attacks have ceased? an armed attack in the sense of Article 51 of the UN Charter, the cyberattack would likely be Matters can be further complicated by the presence treated as an armed attack. Similarly, if a cy- of non-state actors, such as cyberterrorists, patriotic berattack has the same effects and is otherwise hackers, and criminal groups. Perhaps the most im- similar to governmentally initiated coercive or portant complication relates to identification of the harmful actions that are traditionally and gener- appropriate party against whom action might be tak- ally not treated as the “use of force” (e.g., eco- en and the related availability of cybertargets whose nomic sanctions, espionage, or covert actions destruction might cause pain or meaningful damage such as planting information or influencing elec- to the terrorist or criminal group. tions), such a cyberattack would likely not be Findings regarded as an action justifying a use of force in response. Overarching Findings • During acknowledged armed conflict (notably The policy and organizational issues raised when kinetic and other means are also being used by U.S. acquistion and use of cyberattack against the same target nation), cyberattack is capabilities are significant across a broad governed by all the standard law of armed conflict range of conflict scenarios, from small skir- (LOAC) criteria of jus in bello—military necessity, mishes with minor actors on the interna- proportionality, distinction, and so on. If the effects tional stage to all-out conflicts with adver- of a kinetic attack are such that the attack would saries capable of employing weapons of be ruled out on such grounds, a cyberattack that mass destruction. Outcomes of cyberattacks can would cause similar effects would also be ruled vary across an enormous range and they can affect out. military, intelligence, diplomatic, economic, and law At the same time, the legal analysis in any given situ- enforcement equities. ation involving cyberattack may be more uncertain The availability of cyberattack technologies because of its novelty relative to the use of kinetic for national purposes greatly expands the weapons, and new analytical work may be needed range of options available to U.S. policy to understand how LOAC principles and those of the makers as well as to policy makers of other UN Charter do or should apply to cyberweapons. nations. Some cyberattack technologies can be op- That is, some types of cyberattack are difficult to ana- erated reversibly or irreversibly; others can be used lyze within this traditional structure. in a lethal/destructive or a non-lethal/non-destructive

 Computer Science and Telecommunications Board manner. Many cyberattack technologies are inherent- ways, one consequence of which is that in today’s ly clandestine and often relatively inexpensive. Cyber- security environment, private parties have attack can be used for both offensive and defensive few useful alternatives for responding to a purposes, and can have both tactical and strategic severe cyberattack that arrives over a net- implications as well. And the underlying technology work such as the Internet. Cyberattack also is available everywhere in the world. poses challenges to existing ethical and hu- Nevertheless, today’s policy and legal frame- man rights regimes in an era in which the infor- work for guiding and regulating the U.S. mation-technology-enabled features of modern society use of cyberattack is ill-formed, undevel- may be essential to life as the citizens of that society oped, and highly uncertain. Most of the public know it. policy attention paid to cyberconflict focuses on the Policy Findings defense of friendly computer systems and networks against cyberattack. But the United States has no Enduring unilateral dominance in cyber- comprehensive publicly stated strategic national pol- space is neither realistic nor achievable icy outside the criminal framework concerning how by the United States. Cyberconflict is quite un- it will regard cyberattacks conducted on the United like the land, air, and maritime domains in which States or how it may use cyberattack in support of U.S. armed forces operate, largely because effec- U.S. interests. One reason for the ill-formed state of tive weapons of cyberattack are too inexpensive policy in this domain is the fact that secrecy has and easily available to be denied to any nation impeded widespread understanding and (or terrorist or other non-state actor for that mat- debate about the nature and implications ter), and much of the expertise needed to wield of U.S. cyberattack for military, intelligence, and them is widespread. law enforcement purposes. Secrecy has also meant In addition, the United States has much to lose a dearth of public scrutiny and congressional over- from unrestrained cyberattack capabilities sight and thus an increase in the likelihood that poli- that are proliferated worldwide because it cy will be formulated with narrow parochial or short- is highly dependent on the capabilities afforded by term interests foremost in mind. Non-governmental ubiquitous information technology in every sector, research and investigation regarding cyberattack both military and civilian. Moreover, comparing the have been inhibited as well. as-yet-unproven utility of U.S. cyberattack against its A technical point with deep and far-ranging implica- adversaries to the demonstrated growing dependence tions for all aspects of policy related to cyberattack is on information technology, it is reasonably clear that that the consequences of a cyberattack may as a general rule, it is far more important for the Unit- be both direct and indirect. Although cyber- ed States to be able to use information technology attacks are focused on computer systems or networks, freely in pursuit of its national interests than for it to be it is often the case that these systems and networks able to deny adversaries the use of their own systems control or influence other entities (people, kinetic and networks. However, this point does not rule out weapons, machinery, and so on)—and in some the possibility that cyberattacks by the United States cases of interest, the indirect consequences will be an appropriate and useful action under some of a cyberattack can far outweigh the direct circumstances. consequences and be far more significant than Deterrence of adversaries is the cornerstone of U.S. the direct consequences of destroying or damaging military strategy. However, deterrence of cyber- or disrupting the computer system or network initially attacks by the threat of in-kind response targeted. has limited applicability. Today’s information technology makes it very easy for adversaries to con- Legal/Ethical Findings duct anonymous cyberattacks—and even in the event The conceptual framework that underpins that new information technologies are developed the UN Charter on the use of force and with stronger authentication capabilities, a properly armed attack and today’s law of armed authenticated computer can still be improperly com- conflict provides a reasonable starting point promised by a third party. Thus, the perpetrator of a for an international legal regime to govern cyberattack may well be able to escape punishment cyberattack. However, those legal constructs or retaliation for his actions. Even if the attacker is fail to account for non-state actors and for known, an in-kind response to a cyberattack is unlikely the technical characteristics of some cyber- to succeed because the attacker is likely to be able to attacks. Domestic law is also inadequate in certain take steps to thwart such a response.

National Research Council  Options for responding to cyberattacks on Certain cyberattacks undertaken by the the United States span a broad range, and United States are likely to have significant include a mix of dynamic changes in defen- operational implications for the U.S. private sive postures, law enforcement actions, di- sector because the private sector owns and operates plomacy, cyberattacks, and kinetic attacks. much of the infrastructure through which a cyberattack The United States is in no way obligated to employ an might be transmitted and also has a significant stake in-kind response to a cyberattack, even if an in-kind in the continuing operation of that infrastructure. It is response may superficially seem the most obvious or not new that military decision makers must consider natural course. the impact of their decisions on civilian parties (for ex- ample, reducing the availability of Global Positioning Technical/Operational Findings System satellites could have a major impact on non- Although cyberattack technologies are a relatively military transportation), but in many or most of these new addition to the technologies of warfare, the instances, such impacts could be spatially localized. ease of cyberattack on many kinds of in- But spatial localization of cyberconflict may well be formation technology infrastructure targets impossible where the Internet is concerned, and the is increasing rather than decreasing. This is United States must be prepared to deal with the con- true for information technology targets in the United sequences should it take actions that provoke in-kind States, and is likely to be true for many other parties counterattack by an adversary. “Blowback” is also as well. This is not to say that cyberattack on cer- a concern, in the sense that actions taken to affect tain specific targets will not be very difficult—but on an adversary’s systems or networks may inadvertently average, the gap between the attacker’s capability and negatively affect the United States. to attack many vulnerable targets and the defender’s If and when the United States decides to inability to defend all of them is growing rather than launch a cyberattack, significant coordina- diminishing. tion among allied nations and a wide range Although the actual cyberattack capabilities of public and private entities may be nec- of the United States are highly classified, essary, depending on the scope and nature they are at least as powerful as those dem- of the cyberattack in question. Although cyber- onstrated by the most sophisticated cyber- attacks that are narrowly focused on highly specific attacks perpetrated by cybercriminals and objectives may not have much potential for interfer- are likely more powerful. Although they are ing with other ongoing cyber operations initiated by highly classified, knowledge of the lower bound of other parties, a sufficiently broad cyberattack might these capabilities is set by the most sophisticated indeed interfere. In such cases, it may be necessary cyberattacks known to have been perpetrated by to coordinate among a number of parties, including cybercriminals, and such attacks have been sophis- various U.S. government agencies and allied nations, ticated indeed. Although the fundamental base tech- all of which may have various cyber operations un- nologies available to the United States are likely to derway that might interfere with a U.S. cyberattack be more or less the same as those available to other on an adversary. In addition, these agencies and parties, the enormous resources available to the U.S. nations would likely benefit from the strengthening government compared to those of ordinary cyber- of their defensive postures that could occur with ad- criminals would suggest that U.S. cyberattack capa- vance notice of a possible in-kind response. The same bilities are more sophisticated than those of even the considerations apply to private sector operators of in- most talented cybercriminals. formation infrastructure that would be likely targets of an adversary’s in-kind response to a U.S. cyberattack As is true for air, sea, land, and space op- and for which advance notice of cyberattack would erations, the defensive or offensive intent be helpful in strengthening their defensive posture. motivating cyber operations in any given in- Finally, in the midst of an overt conflict with another stance may be difficult to infer. Cyberattacks, party, the United States will almost certainly have for example, can be undertaken for purposes of both to suppress the actions of “patriotic hackers” who offense and defense. However, the intent underlying launch cyberattacks on the adversary nation on their a cyberattack may be very difficult to discern because own initiative. Such actions might interfere tactically of the constant background of cyberattack activity ex- with operations planned by the U.S. government, and perienced by all computers connected to the Internet strategically they might be misinterpreted by the party and because of a dearth of historical experience with being attacked as intentional U.S. actions and thus nations or terrorists using cyberattack against the complicate the conduct of diplomatic actions. United States.

 Computer Science and Telecommunications Board Planners for any kind of attack, kinetic or cyber, must circumstances under which authorization take into account many uncertainties about the char- is necessary are at least as uncertain for acteristics of the target and the environment around cyberattack as for the use of other weap- it. Nevertheless, because the information needed for ons. The limits of that authority are the subject of a successful cyberattack (e.g., details of connections much dispute between the executive and legisla- between two systems) is often more difficult to obtain tive branches. However, cyberweapons raise par- through traditional methods such as remote photo re- ticularly difficult issues in this context (as do certain connaissance, the outcomes of many kinds of non-cyberweapons), because of the need for speed cyberattack are likely to be more uncertain in using such weapons (e.g., because of a target’s than outcomes for other kinds of attack. transience), the risk of unintended and unknown con- Greater intelligence efforts to resolve uncertainties sequences, and the lack of visibility of their use. are likely to be necessary to achieve levels of confi- dence equivalent to those that generally characterize Recommendations kinetic attacks. Fostering a National Debate on Cyberattack Early use of cyberattack may be easy to contemplate in a pre-conflict situation, and 1. The United States should establish a public na- so a greater degree of operational oversight tional policy regarding cyberattack for all sectors for cyberattack may be needed compared of government, including but not necessarily lim- to use of other options. It is not new that “small” ited to the Departments of Defense, State, Home- activities in a tense pre-conflict situation may have land Security, Treasury, and Commerce; the in- large consequences. But the operational footprint left telligence community; and law enforcement. The by cyberattack capabilities is small, a fact that tends senior leadership of these agencies should be to render activities related to this area less visible to involved in formulating this national policy. senior decision makers. Thus, senior leaders will need 2. The U.S. government should conduct a broad, un- to take special care to maintain situational awareness classified national debate and discussion about of their own forces under these circumstances as well cyberattack policy, ensuring that all parties—par- as awareness of adversary forces. ticularly Congress, the professional military and Lastly, developing appropriate rules of en- the intelligence agencies—are involved in discus- gagement for the use of cyberweapons is sions and are familiar with the issues. very difficult, and under some circumstances may 3. The U.S. government should work to find common be more difficult than developing rules for traditional ground with other nations regarding cyberattack. weapons. Such common ground should include better mu- tual understanding regarding various national Organizational Findings views of cyberattack, as well as measures to pro- Both the decision-making apparatus for cy- mote transparency and confidence building. berattack and the oversight mechanisms for that apparatus are inadequate today. Ade- Organizing the Decision-Making Apparatus of quate policy decision making and oversight require a the U.S. Government for Cyberattack sufficient base of technical knowledge relevant to the 4. The U.S. government should have a clear, trans- activities in question, an organizational structure that parent, and inclusive decision-making structure in enables decision making and oversight to take place, place to decide how, when, and why a cyber- and information about activities that are actually un- attack will be conducted. dertaken under the rubric of policy. But cyberattack is 5. The U.S. government should provide a periodic a relatively new addition to the menu of options that accounting of cyberattacks undertaken by the policy makers may exercise, and there are few prec- U.S. armed forces, federal law enforcement edents and little history to guide them today. Thus, it agencies, intelligence agencies, and any other is perhaps not surprising that an adequate organiza- agencies with authorities to conduct such attacks tional structure for making decisions and exercising in sufficient detail to provide decision makers with oversight has not emerged, and much of the informa- a more comprehensive understanding of these tion relevant to conducting oversight is unavailable. activities. Such a periodic accounting should be The U.S. Congress has a substantial role to made available both to senior decision makers play in authorizing the use of military force, in the executive branch and to the appropriate but the contours of that authority and the congressional leaders and committees.

National Research Council  Supporting Cyberattack Capabilities and COMMITTEE ON Offensive INFORMATION Policy WARFARE 6. U.S. policy makers should judge the policy, legal, WILLIAM A. OWENS, AEA Holdings, Inc., Co-chair and ethical significance of launching a cyber- KENNETH W. DAM, University of Chicago, Co-chair attack largely on the basis of both its likely direct THOMAS A. BERSON, Anagram Laboratories effects and its indirect effects. GERHARD CASPER, Stanford University 7. U.S. policy makers should apply the moral and DAVID D. CLARK, Massachusetts Institute of ethical principles underlying the law of armed Technology conflict to cyberattack even in situations that fall RICHARD L. GARWIN, IBM Fellow Emeritus short of actual armed conflict. JACK L. GOLDSMITH, Harvard Law School CARL G. O’BERRY, The Boeing Company 8. The United States should maintain and acquire JEROME H. SALTZER, Massachusetts Institute of effective cyberattack capabilities. Technology (retired) 9. The U.S. government should ensure that there are MARK SEIDEN, MSB Associates sufficient levels of personnel trained in all dimen- SARAH SEWALL, Harvard University sions of cyberattack, and that the senior leader- WALTER B. SLOCOMBE, Caplin and Drysdale ship of government has more than a nodding WILLIAM O. STUDEMAN, U.S. Navy (retired) acquaintance with such issues. MICHAEL A. VATIS, Steptoe & Johnson LLP 10. The U.S. government should consider the estab- Staff lishment of a government-based institutional struc- ture through which selected private sector entities Herbert S. Lin, Chief Scientist, CSTB and Study can seek immediate relief if they are the victims Director of cyberattack. Kristen Batch, Associate Staff Officer Ted Schmitt, Consultant Developing New Knowledge and Insight into a Janice Sabuda, Senior Project Assistant through New Domain of Conflict March 2008 11. The U.S. government should conduct high-level Eric Whitaker, Senior Project Assistant wargaming exercises to understand the dynam- ics and potential consequences of cyberconflict. Any opinions, findings, conclusions, or recommenda- 12. Foundations and government research funders tions expressed in this publication are those of the should support academic and think-tank inquiry authors and do not necessarily reflect the views of the into cyberconflict, just as they have supported organizations that provided support for the project. similar work on issues related to nuclear, biologi- cal, and chemical weapons. Details about obtaining printed copies of the report on which this brochure is based, together with more information about the Computer Science and Telecom- munications Board and its activities, can be found at http://www.cstb.org. The Computer Science and Telecommunications Board is a unit of the National Research Council that provides independent and in- formed assessments of computing, communications and public policy.

Copies of this booklet are available free of charge from the Computer Science and Telecommunications Board, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, www.cstb.org. Copyright 2009 by the National Academy of Sci- ences. All rights reserved. Printed in the United States of America

 Computer Science and Telecommunications Board