
Panel calls for national dialog on gov't cyberattacks

The U.S. government lacks a comprehensive policy about cyberattacks, a group says

The U.S. needs to engage in a national dialog about its government's use of cyberattacks against other nations, and the government lacks a comprehensive policy about how and when it will engage in cyberwarfare, a new study says.

The U.S. government also lacks a person or office to coordinate cyberattacks, and agencies making attacks should regularly brief the U.S. Congress about their efforts, said the report, from a panel of military, diplomatic, legal and IT security experts assembled by the National Research Council, a nonprofit organization that provides policy advice to the U.S. government.

The U.S. government's current policy and legal framework on the use of cyberattacks is "ill-informed, undeveloped and highly uncertain," the report said. The U.S. government has no comprehensive policy on how to respond to cyberattacks or how it will use cyberattacks, said the report, released Wednesday.

The U.S. military is developing cyberwarfare capabilities and may have already used them, and U.S. intelligence agencies also have the ability to penetrate computer networks, said Kenneth Dam, a former law professor who has in the past held senior positions in the U.S. Departments of Treasury and State. But those capabilities have been developed largely without public discussion about when cyberattacks are appropriate, he said.

The secrecy surrounding U.S. cyberattack capabilities has impeded debate about the legal and ethical issues associated with cyberattacks and the consequences of such attacks, Dam said.

In many cases, a cyberattack will have a much larger effect than a destroyed computer or network, added William Owens, a retired Navy admiral and former CEO of Nortel Networks. An attack on some computers could cause the electric grid to shut down or a pipeline to stop working, causing widespread problems in the targeted country, he said.

"When you attack a computer, it's not just attacking a computer, it's obviously attacking everything that computer serves," Owens said.

Representatives of the U.S. Air Force and the U.S. Director of National Intelligence, two organizations involved in cyberattacks and defense, didn't immediately respond to a request for comment on the report.

The U.S. government doesn't seem to have a policy about when it will use cyberattacks and what response it will take when another country attacks its computer networks, Owens said. That's why public debate is needed, he added.

Cheap tools for attacking computer networks are easily available, and it's likely that the U.S. government will continue to face serious cyberattacks well into the future, Owens added. "Enduring unilateral dominance of cyberspace is neither realistic or achievable by the United States," he said.

The report distinguishes between cyberattacks and cyberexploitation. It defines cyberattacks as efforts intended to damage or cripple computers and networks, while cyberexploitation is a stealthy effort intended to compromise information held on computers. The report largely focuses on cyberattacks.

In recent years, many media reports have pointed to cyberattacks coming from China or Russia. Earlier this month, China denied reports that it has installed malware on the U.S. electrical grid designed to shut it down.

The National Research Council report doesn't point fingers at specific countries, but it calls for the U.S. government to have a stated policy about how it will respond to attacks. However, it's often difficult to identify where attacks are coming from or whether a foreign government was involved, Dam said.

Recent attacks attributed to China and Russia appear to come from college students wearing "slippers and pajamas," not from foreign militaries, said John Jiang, CTO at Xana, a cybersecurity vendor based in Reston, Virginia. It would be difficult for the U.S. to counterattack in those cases, said Jiang, who was in the audience for the announcement of the report.

Dam agreed, but said it's easy for nations to hire private "patriotic hackers" to carry out cyberattacks.

The offensive cybercapabilities of the U.S. government also came up during a hearing before the U.S. Senate Homeland Security and Governmental Affairs Committee Tuesday. Senator Roland Burris, an Illinois Democrat, asked a panel of cybersecurity experts whether the U.S. had the ability to respond to cyberattacks with its own attacks.

"It most likely seems like we are on the defensive in all of this," Burris said. "Are we in this country doing anything on the offense?"

The U.S. government has significant offensive capabilities, but is also a major target, said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, a Washington, D.C., think tank.

"We have offensive capabilities that are among the best in the world," Lewis said. "The problem is what I would call asymmetric vulnerability. We're a target-rich environment. So even though we're as good as our opponents, they have more stuff to shoot at."
