Proceedings of a Workshop on Deterring Cyberattacks

In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation's important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures, it is natural to consider the possibility that deterrence might play a useful role in preventing cyberattacks against the United States and its vital interests. At the request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government. The first phase produced a letter report providing basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks. The second phase of the project entailed selecting appropriate experts to write papers on questions raised in the letter report. A number of experts, identified by the committee, were commissioned to write these papers under contract with the National Academy of Sciences. Commissioned papers were discussed at a public workshop held June 10-11, 2010, in Washington, D.C., and authors revised their papers after the workshop. Although the authors were selected and the papers reviewed and discussed by the committee, the individually authored papers do not reflect consensus views of the committee, and the reader should view these papers as offering points of departure that can stimulate further work on the topics discussed. The papers presented in this volume are published essentially as received from the authors, with some proofreading corrections made as limited time allowed. Table of Contents Front Matter Group 1 - Attribution and Economics Introducing the Economics of Cybersecurity: Principles and Policy Options--Tyler Moore Untangling Attribution--David D. Clark and Susan Landau A Survey of Challenges in Attribution--W. Earl Boebert Group 2 - Strategy, Policy, and Doctrine Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm--Patrick M. Morgan Categorizing and Understanding Offensive Cyber Capabilities and Their Use--Gregory Rattray and Jason Healey A Framework for Thinking About Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains--Stephen J. Lukasik Pulling Punches in Cyberspace--Martin Libicki Group 3 - Law and Regulation Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, and Armed Conflicts--Michael N. Schmitt Cyber Security and International Agreements--Abraham D. Sofaer, David Clark, and Whitfield Diffie The Council of Europe Convention on Cybercrime--Michael A. Vatis Group 4 - Psychology Decision Making Under Uncertainty--Rose McDermott Group 5 - Organization of Government The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence--Paul Rosenzweig Group 6 - Privacy and Civil Liberties Civil Liberties and Privacy Implications of Policies to Prevent Cyberattacks--Robert Gellman Group 7 - Contributed Papers Targeting Third-Party Collaboration--Geoff A. Cohen Thinking Through Active Defense in Cyberspace--Jay P. Kesan and Carol M. Hayes Appendixes Appendix A: Reprinted Letter Report from the Committee on Deterring Cyberattacks Appendix B: Workshop Agenda Appendix C: Biosketches of Authors Appendix D: Biosketches of Committee and Staff