« Internationalizing the Internet! | Main | USCCU - a complete checklist to consider if you want to be cyber secure! »

Defensive or offensive? - National Research Council

That’s the question!

During research on the internet I found a book written by the National Research Council, provided online by the Computer Science and Telecommunications Board (CSTB) named “Technology, Policy, Law, and Ethics regarding US Acquisition and Use of Cyber Attack Capabilities” (2009). It is quite a read though very interesting as it actually deals with many issues that are concerned when discussing whether the USG should implement a policy directed towards an offensive one or to stick with defensive.

=> At first, the book distinguishes between an cyber attack and cyber exploitation. The latter being purely for information gathering and not to be destructive. This could suggest that cyber exploitation would not fall under the term of ‘offensive’ as it is not seen as being a counter-attack. This coincides with discussions regarding intelligence gathering of China on the US and vice versa.

==> Another important issue addressed is when does the USG knows it is being under cyber attack? And how/when do you know who you attacker is? As the book states:
There is a tension bw a policy need for rapid response and the technical reality that attribution is a time-consuming task.
They continue with
..Shortening the time for investigation may well increase the likelihood of errors being made in the response.

It is tricky. How much time to spend on investigating who was attacking you, while there is a pressure and need to respond as soon as possible (in case of offensive policy)? Is the level of error not too high to conduct this kind of policy?

==> Another aspect is ethics. It has been discussed widely that counter-attacks might have unexpected collateral damage. This was also pointed out in the overarching findings (nr 5). It is stated that indirect consequences might even outweigh the direct consequences. If it is questionable what the side-effects are of a cyber attack, it might not be worth-wile to proceed.

There is a wide range of aspects that need consideration when discussing pro/con offensive policy, however, for now I will leave this out here for all of us to think about it.

Posted by Annemiek Moraal on November 8, 2009 11:24 AM |

TrackBack

TrackBack URL for this entry:
http://www.henryfarrell.net/movabletype/mt-tb.cgi/4760