This PDF is available from The National Academies Press at http://www.nap.edu/catalog.php?record_id=12997

Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy

Committee on Deterring Cyberattacks: Informing Strategies and Developing Options; National Research Council

ISBN 978-0-309-16035-3
400 pages, 8 1/2 x 11, PAPERBACK (2010)

Distribution, posting, or copying of this PDF is strictly prohibited without written permission of the National Academies Press. Unless otherwise indicated, all materials in this PDF are copyrighted by the National Academy of Sciences.

Copyright © National Academy of Sciences. All rights reserved.

Proceedings of a Workshop on Deterring Cyberattacks
Informing Strategies and Developing Options for U.S. Policy

Committee on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy
Computer Science and Telecommunications Board
Division on Engineering and Physical Sciences
Policy and Global Affairs Division

THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W.
Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee that oversaw this project were chosen for their special competences and with regard for appropriate balance.

Support for this project was provided by the Office of the Director of National Intelligence under award number HHM402-05-D0011, DO #12. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the organization that provided support for the project.

International Standard Book Number-13: 978-0-309-16035-3
International Standard Book Number-10: 0-309-16035-9

Additional copies of this report are available from:
The National Academies Press
500 Fifth Street, N.W., Lockbox 285
Washington, DC 20055
(800) 624-6242
(202) 334-3313 (in the Washington metropolitan area)
Internet: http://www.nap.edu

Copyright 2010 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council.

www.national-academies.org

COMMITTEE ON DETERRING CYBERATTACKS: INFORMING STRATEGIES AND DEVELOPING OPTIONS FOR U.S. POLICY

JOHN D. STEINBRUNER, University of Maryland, Chair
STEVEN M. BELLOVIN, Columbia University
STEPHEN DYCUS, Vermont Law School
SUE ECKERT, Brown University
JACK L. GOLDSMITH III, Harvard Law School
ROBERT JERVIS, Columbia University
JAN M. LODAL, Lodal and Company
PHILIP VENABLES, Goldman Sachs

Staff
HERBERT S. LIN, Study Director and Chief Scientist, Computer Science and Telecommunications Board
TOM ARRISON, Senior Program Officer, Policy and Global Affairs Division
VIRGINIA BACON TALATI, Associate Program Officer

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

ROBERT F. SPROULL, Oracle, Chair
PRITHVIRAJ BANERJEE, Hewlett Packard Company
STEVEN M. BELLOVIN, Columbia University
WILLIAM J. DALLY, NVIDIA Corporation and Stanford University
SEYMOUR E. GOODMAN, Georgia Institute of Technology
JOHN E. KELLY III, IBM
JON M. KLEINBERG, Cornell University
ROBERT E. KRAUT, Carnegie Mellon University
SUSAN LANDAU, privacyink.org
DAVID E. LIDDLE, U.S. Venture Partners
WILLIAM H. PRESS, University of Texas
PRABHAKAR RAGHAVAN, Yahoo! Research
DAVID E. SHAW, Columbia University
ALFRED Z. SPECTOR, Google, Inc.
JOHN A. SWAINSON, Swainson Analysis Services, Inc.
PETER SZOLOVITS, Massachusetts Institute of Technology
PETER J. WEINBERGER, Google, Inc.
ERNEST J. WILSON III, University of Southern California

Staff
JON EISENBERG, Director
RENEE HAWKINS, Financial and Administrative Manager
HERBERT S. LIN, Chief Scientist, CSTB
LYNETTE I. MILLETT, Senior Program Officer
EMILY ANN MEYER, Program Officer
ENITA A. WILLIAMS, Associate Program Officer
VIRGINIA BACON TALATI, Program Associate
SHENAE BRADLEY, Senior Program Assistant
ERIC WHITAKER, Senior Program Assistant

For more information on CSTB, see its Web site at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at [email protected].

Preface

In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation’s important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures (that is, measures taken unilaterally by an organization to increase the resistance of an information technology system or network to attack), it is natural to consider the possibility that deterrence might play a useful role in preventing cyberattacks against the United States and its vital interests.

At the request of the Office of the Director of National Intelligence, the National Research Council (NRC) undertook a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government (see Box P.1 for the statement of task).
In the first phase, the Committee on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy produced a letter report, released in March 2010 and reprinted in Appendix A of this volume, that provided basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks.

The second phase of this project entailed selecting appropriate experts to write papers on questions raised in the letter report. A number of experts, identified by the committee, were commissioned to write these papers under contract with the National Academy of Sciences. Commissioned papers were discussed at a public workshop held June 10-11, 2010, in Washington, D.C., and authors revised their papers after the workshop.

In addition to commissioning papers, the NRC sponsored a prize competition for papers that addressed one or more of the questions raised in the letter report. Two of these papers were singled out for recognition as noted on p. xii in the Contents and have been included in Group 7 of this volume.

Although the authors were selected and the papers reviewed and discussed by the committee, the individually authored papers do not reflect consensus views of the committee. Under NRC guidelines for conducting workshops, workshop activities do not seek consensus, and proceedings (such as the present volume) cannot be said to represent an NRC view on the subject at hand. Furthermore, individual members of the committee may agree or disagree with the findings, conclusions, or analysis of any given paper in this volume, and the reader should view these papers as offering points of departure that can stimulate further work on the topics discussed. The papers presented in this volume are published essentially as received from the authors, with some proofreading corrections made as limited time allowed.

The meeting agenda and biosketches of the speakers are provided in Appendixes B and C, respectively. Appendix D provides biosketches of the committee and staff.

Box P.1 Statement of Task

An ad hoc committee will oversee a two-phase activity to foster a broad, multidisciplinary examination of deterrence strategies and their possible utility to the U.S. government in its policies toward preventing cyberattacks. In the first phase, the committee will prepare a letter report identifying the key issues and questions that merit examination. In the second phase, the committee will engage experts to prepare papers that address key issues and questions, including those posed in the letter report. The papers will be compiled in a National Research Council publication and/or published by appropriate journals. This phase will include a committee meeting and a public workshop to discuss draft papers, with authors finalizing the papers following the workshop.

Acknowledgment of Reviewers

This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee.
The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of the papers contained in this volume:

Amitai Aviram, University of Illinois
Robert Axelrod, University of Michigan
William Banks, Syracuse University
David Elliott, Stanford University
Anita Jones, University of Virginia
Cheryl Koopman, Stanford University
Ronald Lee, Arnold & Porter, LLP
Joseph Nye, Harvard University
Francesco Parisi, University of Minnesota
Joel Reidenberg, Fordham University
Jerome Saltzer, Massachusetts Institute of Technology
John Savage, Brown University
Dan Schutzer, Financial Services Technology Consortium
Walter Slocombe, Caplin & Drysdale
Jack Snyder, Columbia University
Joel Trachtman, Tufts University
Jenell Trigg, Lerman Senter, PLLC

Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the views presented in any of these commissioned and