A panel of experts convened under the auspices of the National Research Council has produced a report that is highly critical of the US's approach to the threat of cyberattack, and has issued the following list of recommendations:
1. The United States should establish a public national policy regarding cyberattack for all sectors of government, including but not necessarily limited to the Departments of Defense, State, Homeland Security, Treasury, and Commerce; the intelligence community; and law enforcement. The senior leadership of these organizations should be involved in formulating this national policy.
2. The U.S. government should conduct a broad, unclassified national debate and discussion about cyberattack policy, ensuring that all parties—particularly Congress, the professional military, and the intelligence agencies—are involved in discussions and are familiar with the issues.
3. The U.S. government should work to find common ground with other nations regarding cyberattack. Such common ground should include better mutual understanding regarding various national views of cyberattack, as well as measures to promote transparency and confidence building.
4. The U.S. government should have a clear, transparent, and inclusive decision-making structure in place to decide how, when, and why a cyberattack will be conducted.
5. The U.S. government should provide a periodic accounting of cyberattacks undertaken by the U.S. armed forces, federal law enforcement agencies, intelligence agencies, and any other agencies with authorities to conduct such attacks in sufficient detail to provide decision makers with a more comprehensive understanding of these activities. Such a periodic accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees.
6. U.S. policy makers should judge the policy, legal, and ethical significance of launching a cyberattack largely on the basis of both its likely direct effects and its indirect effects.
7. U.S. policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict.
8. The United States should maintain and acquire effective cyberattack capabilities. Advances in capabilities should be continually factored into policy development, and a comprehensive budget accounting for research, development, testing, and evaluation relevant to cyberattack should be available to appropriate decision makers in the executive and legislative branches.
9. The U.S. government should ensure that there are sufficient levels of personnel trained in all dimensions of cyberattack, and that the senior leaders of government have more than a nodding acquaintance with such issues.
10. The U.S. government should consider the establishment of a government-based institutional structure through which selected private sector entities can seek immediate relief if they are the victims of cyberattack.
11. The U.S. government should conduct high-level wargaming exercises to understand the dynamics and potential consequences of cyberconflict.
12. Foundations and government research funders should support academic and think-tank inquiry into cyberconflict, just as they have supported similar work on issues related to nuclear, biological, and chemical weapons.
According to the NYT report,
The United States has no clear military policy about how the nation might respond to a cyberattack on its communications, financial or power networks, a panel of scientists and policy advisers warned Wednesday, and the country needs to clarify both its offensive capabilities and how it would respond to such attacks.
The NYT report also suggests that the US does not rule out the use of nuclear weapons in retaliation for a cyberattack, but then goes on to quote Pentagon officials as saying that this is nothing new. The US, it seems, never rules out anything; the stated purpose is to keep potential aggressors guessing.**
The text of the Executive Summary of the National Research Council report (pdf) is available from here.
** Footnote: this didn’t deter Osama bin Laden & Co, though.