Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of CYBerattacK CapaBILITIes William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Editors Committee on Offensive Information Warfare Computer Science and Telecommunications Board Division on Engineering and Physical Sciences THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001 NOTICE: The project that is the subject of this report was approved by the Gov- erning Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engi- neering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. Support for this project was provided by the MacArthur Foundation under award number 04-80965-000-GSS, the Microsoft Corporation under an unnumbered award, and the NRC Presidents’ Committee under an unnumbered award. Any opinions, findings, conclusions, or recommendations expressed in this pub- lication are those of the authors and do not necessarily reflect the views of the organizations that provided support for the project. International Standard Book Number-13: 978-0-309-13850-5 International Standard Book Number-10: 0-309-13850-7 Library of Congress Control Number: 2009930416 Additional copies of this report are available from: The National Academies Press 500 Fifth Street, N.W., Lockbox 285 Washington, DC 20055 (800) 624-6242 (202) 334-3313 (in the Washington metropolitan area) Internet: http://www.nap.edu Copyright 2009 by the National Academy of Sciences. All rights reserved. Printed in the United States of America The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal govern- ment on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the char- ter of the National Academy of Sciences, as a parallel organization of outstand- ing engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in pro- viding services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council. www.national-academies.org Committee on OFFENSIVE INFORMATION WARFARE WILLIAM A. OWENS, AEA Holdings, Inc., Co-chair KENNETH W. DAM, University of Chicago, Co-chair THOMAS A. BERSON, Anagram Laboratories GERHARD CASPER, Stanford University DAVID D. CLARK, Massachusetts Institute of Technology RICHARD L. GARWIN, IBM Fellow Emeritus JACK L. GOLDSMITH III, Harvard Law School CARL G. O’BERRY, The Boeing Company JEROME H. SALTZER, Massachusetts Institute of Technology (retired) MARK SEIDEN, MSB Associates SARAH SEWALL, Harvard University WALTER B. SLOCOMBE, Caplin & Drysdale WILLIAM O. STUDEMAN, U.S. Navy (retired) MICHAEL A. VATIS, Steptoe & Johnson LLP Staff HERBERT S. LIN, Study Director KRISTEN BATCH, Associate Staff Officer (through August 2008) TED SCHMITT, Consultant JANICE SABUDA, Senior Project Assistant (through March 2008) ERIC WHITAKER, Senior Project Assistant COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD JOSEPH F. TRAUB, Columbia University, Chair PRITHVIRAJ BANERJEE, Hewlett Packard Company FREDERICK R. CHANG, University of Texas, Austin WILLIAM DALLY, Stanford University MARK E. DEAN, IBM Almaden Research Center DEBORAH L. ESTRIN, University of California, Los Angeles KEVIN C. KAHN, Intel Corporation JAMES KAJIYA, Microsoft Corporation RANDY H. KATZ, University of California, Berkeley JOHN E. KELLY III, IBM Research SARA KIESLER, Carnegie Mellon University JON KLEINBERG, Cornell University PETER LEE, Carnegie Mellon University TERESA H. MENG, Stanford University WILLIAM H. PRESS, University of Texas, Austin PRABHAKAR RAGHAVAN, Yahoo! Research DAVID E. SHAW, D.E. Shaw Research ALFRED Z. SPECTOR, Google, Inc. ROBERT F. SPROULL, Sun Microsystems, Inc. PETER SZOLOVITS, Massachusetts Institute of Technology ANDREW J. VITERBI, Viterbi Group, LLC PETER WEINBERGER, Google, Inc. JON EISENBERG, Director RENEE HAWKINS, Financial and Administrative Manager HERBERT S. LIN, Chief Scientist, CSTB LYNETTE I. MILLETT, Senior Program Officer NANCY GILLIS, Program Officer Enita A. williams, Associate Program Officer MORGAN R. MOTTO, Program Associate Shenae Bradley, Senior Program Assistant ERIC WHITAKER, Senior Program Assistant For more information on CSTB, see its website at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Wash- ington, DC 20001, call (202) 334-2605, or e-mail CSTB at [email protected]. i Preface Given the reality of a densely interconnected information society, much has been written about the possibility that adversaries of the United States such as terrorists or hostile nations might conduct very damag- ing cyberattacks against critical sectors of the U.S. economy and critical national infrastructure that depend on reliably functioning, secure com- puter systems and networks. For some years, the topic of cybersecurity has been an important part of the report portfolio of the National Research Council,1 and a great deal of national attention has been given, in public, to the problem of how to protect U.S. information technology systems and networks against such attacks—that is, how to defend these systems and networks in both military and non-military contexts.2 But, perhaps reflect- ing the common wisdom of the time, these efforts have focused almost exclusively on the cyberdefense side of the equation. The possibility that the United States might choose to engage in cyberattacks to serve its own national interests—in cyberdefense as well 1 An old but still quite relevant report on this topic is CSTB/National Research Council, Computers at Risk, National Academy Press, Washington, D.C., 1991; other relevant NRC reports include CSTB/NRC, Trust in Cyberspace, National Academy Press, Washington, D.C., 1999, and NRC, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington, D.C., 2007. 2 See, for example, National Research Council, Information Technology for Counter- terrorism, The National Academies Press, Washington, D.C., 2003; NRC, Cybersecurity Today and Tomorrow: Pay Now or Pay Later, The National Academies Press, Washington, D.C., 2002; and CSTB/NRC, Realizing the Potential of C4I: Fundamental Challenges, National Academy Press, Washington, D.C., 1998. ii iii PREFACE as in other areas—is rarely discussed in public. One recent public hint of U.S. government interest in the topic can be found in the still-classi- fied Comprehensive National Cybersecurity Initiative (CNCI), which was adopted as national policy in January 2008 as part of National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23). According to the director of national intelligence in February 2009, “The CNCI addresses current cybersecurity threats, anticipates future threats and technologies, and develops a framework for creating in partnership with the private sector an environment that no longer favors cyber intruders over defenders. The CNCI includes defen- sive, offensie [emphasis added], education, research and development, and counterintelligence elements.”3 Press reports indicated that the CNCI involves 12 components designed to protect computer networks and systems and to improve information technology processes and policies.4 These components included a program to reduce the number of connec- tions from federal agencies to external computer networks to 100 or fewer. The other 11 programs address intrusion detection; intrusion prevention; research and
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages390 Page
-
File Size-