Report: U.S. needs policy for attacking foreign networks
The U.S. government lacks adequate rules of engagement for attacking the computer networks of adversaries, creating huge legal and policy questions that must be addressed, including the role that Congress should play in authorizing such use of force, according to a new report released today.
"Today's policy and legal framework for guiding and regulating the U.S. use of cyberattack is ill-formed, undeveloped, and highly uncertain," concludes the 322-page report, issued by the National Research Council, a congressionally chartered nonpartisan research group. "The U.S. government should have a clear, transparent, and inclusive decision-making structure in place to decide how, when, and why a cyberattack will be conducted," the report recommends.
Much has been written and said about the efforts undertaken by the U.S. government to protect domestic information networks from cyberattacks. But the government has the power to go on the offense in cyberspace to infiltrate, deter or defeat the capabilities of adversaries. Indeed, the classified Comprehensive National Cybersecurity Initiative, launched in 2008, includes an offensive component. But the potential for, and possible consequences of, the United States using cyberattack capabilities as part of its military and intelligence arsenal has not been the subject of much public debate, the report said.
Former Navy Adm. William Owens, former vice chairman of the Joint Chiefs of Staff, said the issue requires a review at the highest levels of the government of the policy and legal implications of cyberattack. Owens, who co-chaired the committee that put together the report, said there is not a single office in the executive branch or in Congress where the matter is addressed.
"This is a very complicated capability that we are developing quite rapidly now," he said today.
The report said the rules of engagement for cyberattacks are inadequate. "A cyberattack conducted for offensive purposes may well require authorization from higher levels of command than would a technically similar cyberattack conducted for defensive purposes," the report states. "The adversary might not react at all to a cyberattack, or it might react with nuclear weapons."
The report also said Congress has a substantial role to play in authorizing the use of military force, but the contours of that authority and the circumstances under which authorization is necessary are uncertain.
"If the necessity of congressional authorization for the use of traditional U.S. military forces is disputed as it has been in recent U.S. history, consider the conundrums that could accompany the use of weapons that are for all practical purposes covert and whose 'deployments' would be entirely invisible to the public or even to most uniformed military personnel," the report states.
The report calls into question whether a president should have to get congressional approval in order to launch a cyberattack.