The report, entitled "Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities," said a number of challenges lie ahead, including developing rules for the use of cyberweapons, coordinating allied nations and public and private entities, determining the outcome of cyberattacks on enemies and dealing with the possible “significant” operational implications a cyberattack could have on the U.S. private sector.
The report concluded that a national debate about cyberattack policy should be fostered, and the U.S. government should organize the decision-marking process for engaging in a cyberattack.
“If this is a weapon like any other, the use has to be authorized," James Lewis, director of Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), told SCMagazineUS.com on Thursday. "It can't be that someone wakes up in a bad mood and decides to launch a cyberattack."
Lewis said that the current cyberattack decision-making process is not adequate and has inappropriately involved lawyers instead of coming up with a clear policy.
“You don't need lawyers involved in military operations," he said, adding that a chain of command must be determined.
The government should conduct an unclassified national debate about cyberattack policy, being sure to involve Congress, the military, intelligence agencies, senior leaders and with international officials, the report concluded. The result should be a national cyberattack policy for all sectors of government including the U.S. Department of Defense, Homeland Security and State.
Lewis said that there must be more public discussion about U.S. cyberstrategy, much in the same way leaders have discussed the possible use of nuclear weapons.
The report recommended that the United States maintain and acquire cyberattack capabilities, which should be factored into policy and budgeting. The government also should ensure more individuals are trained in cyberattack methods. In addition, the government should consider establishing an institutional structure for entities to seek immediate relief in the event of a cyberattack against the nation.
Phil Neray, vice president of strategy at database security company Guardium, told SCMagazineUS.com Thursday that cyberattack policy is needed because of the changing nature of war. Because cyberattacks can be launched at a distance anonymously, it is conceivable that a foreign nation would launch a cyberattack instead of a more traditional attack. And for, private entities, it would be difficult to know how to respond to such an attack or how to enlist the government's help, he said.
The report was an effort by technology experts, scientists, researchers and policymakers brought together by NAS for the first time in 2006. Authors of the report include Adm. William Owens, former vice chairman of the joint chiefs of staff; Kenneth Dam, former deputy secretary in the U.S. Department of Treasury and William Studeman, former deputy director of the Central Intelligence Agency. The project committee also included individuals from Microsoft, Intel, Google and a number of U.S. universities.