Proceedings of the Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options
The following summaries of papers were contributed by the authors, who were asked for the three to four most important points of their papers.
Papers by Topic:
Group 1 - Attribution and Economics
Introducing the Economics of Cybersecurity: Principles and Policy Options - Tyler Moore
- Many of the problems plaguing cybersecurity are economic in nature, and modest interventions that align stakeholder incentives and correct market failures can significantly improve our nation’s cybersecurity posture.
- Engage ISPs in the malware-remediation process by offering exemption from liability for the harm caused by their customers’ infected machines in exchange for assisting with the cleanup. Split the costs of cleanup between ISPs, software firms, and the government, and publish infection reports on data.gov to encourage better measurement and accounting of these harms.
- Better data on security incidents is needed to motivate more optimal levels of private-sector cybersecurity investment. To that end, collect aggregated reports of online banking incidents and losses from banks and publish aggregated statistics on data.gov.
Untangling Attribution - David Clark and Susan Landau
- The occasions when attribution at the level of an individual person is useful are very limited.
- Multi-stage attacks, which require tracing a chain of attribution across several machines, are a major issue in attribution today.
- A prime problem for the research community is the issue of dealing with multi-stage attacks. This should be of central attention to network researchers, rather than (for example) the problem of designing highly robust top-down identity schemes.
- IP addresses are more useful than sometimes thought as a basis for various kinds of attribution.
A Survey of Challenges in Attribution - W. Earl Boebert
- The Internet contains intrinsic features and extrinsic services which support anonymity and inhibit forensic attribution of cyberattacks, and this situation is expected to worsen over time.
- Even if perfect forensic-based attribution were achieved, it would not have a significant deterrent effect in the majority of cases where major disruptive cyberattacks are contemplated by parties hostile to the United States.
- Alternatives to forensic-based attribution include counterattack (“hack back”) and sustained, aggressive covert intelligence gathering and subversion of potential attackers. Such methods promise a greater deterrent effect than forensic-based attribution. The obstacles to these methods are primarily nontechnical.
Group 2 - Strategy, Policy, and Doctrine
Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm - Patrick M. Morgan
- We are fortunate in still being in the early stages of devising responses to the cyberattack threat, and hopefully this means we will avoid the kinds of mistakes early in the Cold War in responding frantically at that point to the Soviet bloc threat - responses that included excessive development of our nuclear weapons arsenal, the adoption of an insupportable basic nuclear strategy, the excessive readiness to use nuclear weapons early in any conflict, etc.
- We must be particularly concerned about the possibility of a strategic surprise first-strike cyberattack in the long run, since it is unclear whether such capabilities in cyberspace will ever be developed but they might be, and because such an attack would be extremely difficult to detect in advance and thus sensitivity to the possibility of one would lead to all sorts of high-alert, potentially overreactive, postures on the part of the US (and a possible opponent) - the worst sort of situation for keeping deterrence stable and noted as such in the study of deterrence during the Cold War.
- International cooperation is needed to deal with the cyberattack threat because cyberspace is a transnational resource, intended not to be threatening but to be helpful, liberating, etc. - it creates a high level of interdependence, and therefore dealing with threats that emerge out of it must be approached in a multilateral, cooperative fashion. It involves a greater level of interdependence than that experienced by the antagonists during the Cold War, which led them to develop many elaborate arms control measures. But it is like the kind of interdependence and international cooperation that is now being used or pursued to deal with international terrorism, global warming, international epidemics, etc., and thus is well within our capacities.
Categorizing and Understanding Offensive Cyber Capabilities and Their Use - Gregory Rattray and Jason Healey
- Offensive cyber operations can be characterized in many ways. For example, they may be overt, covert or somewhere in between; or the attacker and defender can both be national militaries, or neither, or can be a group with many different kinds of relationships.
- Many of these forms of offensive operations (perhaps even most) have yet to be seen, and it is likely that the future of conflict in cyberspace may be very different from the past.
- The battles of the cyber future may not be “cyber Pearl Harbors” or “digital 9/11s” but may be more analogous to a force-on-force Battle of Britain, a massive support to kinetic operations like the Battle of St Mihiel, or be a long hard slog over years like the war in Vietnam.
A Framework for Thinking about Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains - Stephen J. Lukasik
- The paper sets out a set of long-range security goals by suggesting eleven unilateral U.S. declarations to initiate the processes for the protection of the cyber commons. These declarations are based on the accepted structure of sovereign states as the mechanism to propagate these objectives through eventual international agreements.
- These declarations assign to each sovereign jurisdiction the responsibility for eliminating the distribution of malware and the capturing of computers for use as botnets within its jurisdiction, and the responsibility for attaching a state label to each packet leaving its jurisdiction.
- It attaches to each state allowing harmful packets to leave its jurisdiction potential complicity for any harm suffered by a recipient of those packets. It calls for adjudication of disputes arising from such allegations using appropriate international mechanisms recognized by the parties to such disputes.
- In this regard, the declarations imply that attack attribution need only go sufficiently deep as to identify the sovereign entities that allowed packets causing harm to leave their jurisdiction. But holding "innocent" transit states complicit requires all states to inspect packets coming into their jurisdiction for potential harm and, by implication, to reject them.
Pulling Punches in Cyberspace - Martin Libicki
- The laws of war do not map very well into cyberspace because of the potentially large differences between what operations were intended to do, what they actually do, and what they have been perceived to do.
- Several of the factors that should convince a state to pull its punches in cyberspace -- the difficulty of reconciling operations with a state's narrative, the fear of escalation, the occasional need to take back an action -- apply in the physical world, but are strongly influenced by the many ambiguities of cyberspace operations.
- A sub rosa response to an attack of uncertain effect and attribution has much to recommend it, but it means abjuring attacks on many types of targets; reliance on it can promote a certain lack of accountability among operators.
Group 3 - Law and Regulation
Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, and Armed Conflicts - Michael N. Schmitt
- The law governing when a cyber operation is a violation of the prohibition of the use of force in the UN Charter and customary international law is unclear. Thus policy looms large, especially as one may not be able to accurately predict whether other States will deem an action a violation.
- The law governing when a State may respond kinetically in self-defense pursuant to Article 51 of the Charter and customary international law is relatively clear: the attack must cause (or be intended to cause) death, injury, or damage to property before such a response is lawful. However, States are unlikely to accept this limit in the face of a cyber operation which does not have such consequences when directed against critical assets. Thus, expect the law to evolve as State expectations and attitudes crystallize.
- The law of armed conflict is generally adequate to handle cyber operations mounted during on-going hostilities. The major point of contention surrounds whether an attack directed against the civilian population or civilian objects is unlawful if it does not injure or kill civilians or damage civilian property. In the view of the author, such ops are lawful.
Cyber Security and International Cooperation - Abraham Sofaer, David Clark, and Whitfield Diffie
- Cyber insecurity is an important and costly problem that is inherently transnational, adversely affecting all users worldwide, and caused by many major players, including the US.
- No single state (or group of like-minded states) will be able to deal effectively with all the major aspects of cyber insecurity through defensive and/or offensive measures.
- International cooperation is likely to contribute to enhancing cyber security in some though not all areas of current concern, through agreements that avoid attempts to regulate inappropriate areas (espionage and aspects of warfare), seek objectives and utilize methods consistent with US political and privacy values, and maintain current, private, professional standard-setting activity rather than transferring such functions to government officials, national or international.
The Council of Europe Convention on Cybercrime - Michael A. Vatis
- The Council of Europe's Cybercrime Convention has been an effective tool for fostering international cooperation on investigations involving computers and digital evidence. Because of the Convention, more countries have passed substantive laws addressing cybercrime and improved their cyber investigation capabilities, and parties to the Convention assist each other more rapidly and frequently.
- The principal shortcomings of the Convention are its narrow membership (mostly European countries and the United States; Russia and China are not parties) and the lack of an enforcement mechanism if a country refuses to lend assistance when requested.
- The Convention therefore could be made more effective by increasing its membership and by imposing costs of some sort on states that refuse cooperation without a legitimate, credible reason. While getting parties to agree to impose any kind of sanctions on uncooperative states seems unrealistic, public exposure of a state's lack of cooperation might have some salutary effect. Moreover, the U.S. could announce that, in the case of highly damaging attacks, it reserves the right to engage in unilateral self-help (such as cross-border searches of computers, or perhaps even counter-attacks on computers responsible for the attacks on computers in the U.S.) when the country from which the attacks appear to be emanating refuses to cooperate and provides no legitimate, credible reason.
Group 4 - Psychology
Decision Making Under Uncertainty - Rose McDermott
- Psychological factors are a critical part of understanding the perception of threat, and the kinds of systematic biases that can influence decision makers when they contemplate how to respond.
- Overconfidence presents a pervasive and endemic problem for decision makers with regard to attribution in particular.
- The anonymous nature of cyberspace and the speed with which processes of social contagion can spread information like a virus highlight the fact that deterrence no longer offers a viable strategic response for the uncertainty which characterizes this domain; rather, analogies drawn from the spread of infectious disease provide a more helpful model in thinking about designing more effective response strategies.
Group 5 - Organization of Government
The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence - Paul Rosenzweig
- The potential US government responses to a cyber incident span the whole of government and are not limited to cyber responses.
- Private sector cybersecurity suffers from the “tragedy of the commons”, so some form of collective response is essential.
- Global supply chain security is weak, and a significant threat from hardware intrusions has yet to be systematically addressed.
- Policy makers should consider formalizing public-private cybersecurity cooperation through a publicly-chartered non-profit governmental corporation akin to the American Red Cross.
Group 6 - Privacy and Civil Liberties
Civil Liberties and Privacy Implications of Policies to Prevent Cyberattacks - Robert Gellman
- The civil liberties and privacy implications of potential policies and processes to prevent cyberattacks raise a host of unbounded, complex, difficult, and contested legal and constitutional issues.
- Cyberattack prevention activities will at times make use of the surveillance authority given to the federal government, and the law of surveillance is famously complex. One particularly important element is the absence of a constitutionally recognized expectation of privacy in an individual’s records held by a third party. The growing importance of third party storage on the Internet along with the technological obsolescence of many privacy statutes increases the tension between communications privacy and cyberattack prevention activities based on surveillance.
- Anonymity on the Internet is a feature prized by many Internet users, often for different reasons. A general constitutional right to anonymity has not been clearly defined, and conflicts are likely to arise between cyberattack prevention activities that attempt to identify users and the interests of those who seek anonymity for whistleblowing, political, or other purposes.
- The Privacy Act of 1974, the main information privacy law applicable to the federal government, implements fair information practice principles. The Act, which applies to intelligence and law enforcement agencies, strikes a balance between competing objectives by allowing a partial exemption for those agencies. Similar exemptions would likely be available for cyberattack prevention activities.
- Licensing of computer users, computers, or computer software is a possible response to cyberattack prevention needs. The United States has experience in licensing people and equipment in a way that generally balances due process interests of individuals with the needs of the government to function. However, a governmentally established identification or authorization prerequisite to general Internet access would be controversial. The authority of the federal government under the Commerce Clause is likely to clash with First Amendment interests, with much depending on the specific details of any regulatory scheme.
Group 7 - Contributed Papers
Targeting Third Party Collaboration - Geoff Cohen
- Existing cybercrime against US private and public interests is a more pressing threat than future "cyberwar."
- Successful cyberattacks can only occur with the (possibly unwitting) collaboration of many US-based third-party infrastructure providers, such as ISPs, network operators, certification authorities, hosting providers, name registrars, and private individuals.
- Law and policy need to be adjusted to encourage/enforce more aggressive monitoring, notification, and resolution of computer security issues, across all third party participants.
Thinking Through Active Defense in Cyberspace - Jay P. Kesan and Carol M. Hayes
- Is active defense technologically feasible?: Active defense technology exists, and has been steadily improving in accuracy, but may need further improvements before an active defense system can be implemented.
- When would active defense be appropriate?: Given various legal and practical considerations, active defense is likely most suited as a response to Denial of Service attacks.
- Who should be in control of active defense?: For the purpose of consistency in implementation and to avoid escalation problems, the government should oversee active defense rather than having each firm responsible for making case-by-case decisions about cyber counterstrikes. Legal concerns and alternatives are also discussed, as well as a potential process for an active defense program.
- How to protect innocent third parties?: Liability rules should also be in place in order to protect oblivious intermediaries whose systems are inadvertently harmed by cyber counterstrikes aimed at an attacker who had compromised the intermediary systems.
Note: Although the authors were selected and the papers reviewed by the committee, the individually authored papers do not reflect consensus views of the committee. Under NRC guidelines for conducting workshops, workshop activities do not seek consensus, and proceedings (such as the present volume) cannot be said to represent an NRC view on the subject at hand. Furthermore, individual members of the committee may agree or disagree with the findings, conclusions, or analysis of any given paper in this volume, and the reader should view these papers as offering points of departure that can stimulate further work on the topics discussed.