Proceedings of a Workshop on Deterring Cyberattacks

In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation's important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures, it is natural to consider the possibility that deterrence might play a useful role in preventing cyberattacks against the United States and its vital interests. At the request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government. The first phase produced a letter report providing basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks. The second phase of the project entailed selecting appropriate experts to write papers on questions raised in the letter report. A number of experts, identified by the committee, were commissioned to write these papers under contract with the National Academy of Sciences. Commissioned papers were discussed at a public workshop held June 10-11, 2010, in Washington, D.C., and authors revised their papers after the workshop. Although the authors were selected and the papers reviewed and discussed by the committee, the individually authored papers do not reflect consensus views of the committee, and the reader should view these papers as offering points of departure that can stimulate further work on the topics discussed. The papers presented in this volume are published essentially as received from the authors, with some proofreading corrections made as limited time allowed.Table of ContentsFront MatterGroup 1 - Attribution and EconomicsIntroducing the Economics of Cybersecurity: Principles and Policy Options--Tyler MooreUntangling Attribution--David D. Clark and Susan LandauA Survey of Challenges in Attribution--W. Earl BoebertGroup 2 - Strategy, Policy, and DoctrineApplicability of Traditional Deterrence Concepts and Theory to the Cyber Realm--Patrick M. MorganCategorizing and Understanding Offensive Cyber Capabilities and Their Use--Gregory Rattray and Jason HealeyA Framework for Thinking About Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains--Stephen J. LukasikPulling Punches in Cyberspace--Martin LibickiGroup 3 - Law and RegulationCyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, and Armed Conflicts--Michael N. SchmittCyber Security and International Agreements--Abraham D. Sofaer, David Clark, and Whitfield DiffieThe Council of Europe Convention on Cybercrime--Michael A. VatisGroup 4 - PsychologyDecision Making Under Uncertainty--Rose McDermottGroup 5 - Organization of GovernmentThe Organization of the United States Government and Private Sector for Achieving Cyber Deterrence--Paul RosenzweigGroup 6 - Privacy and Civil LibertiesCivil Liberties and Privacy Implications of Policies to Prevent Cyberattacks--Robert GellmanGroup 7 - Contributed PapersTargeting Third-Party Collaboration--Geoff A. CohenThinking Through Active Defense in Cyberspace--Jay P. Kesan and Carol M. HayesAppendixesAppendix A: Reprinted Letter Report from the Committee on Deterring CyberattacksAppendix B: Workshop AgendaAppendix C: Biosketches of AuthorsAppendix D: Biosketches of Committee and Staff