In search of a cyber Manhattan Project : assorted thoughts on U.S. cyberattack by and for the computer illiterate
Abstract
National discourse on cyberconflict has largely focused on defensive concerns, or protecting “critical infrastructure” from cyber threats. By contrast, the U.S. government’s employment of cyberattack is shrouded in secrecy and receives scant public attention. The seminal study on U.S. cyberattack, published by the National Academy of Sciences in 2009, noted that the clandestine nature of U.S. cyber operations hinders “widespread understanding and debate about the nature and implications of U.S. cyberattack.” This secrecy has contributed to a policy and legal framework for cyberattack that the NRC-NAS Report called “ill-formed, underdeveloped and highly uncertain.” Since the NRC-NAS Report was published, the U.S. government has signaled an unprecedented seriousness of purpose in addressing cyberconflict. It has marshaled its cyber resources under the leadership of a single “Cyber Command” and attempted to articulate formal “cyberstrategy.” Media reports from 2010-11 provide rare insight into cyberattack decision-making, and describe gradual development of policy and process for a specific type of cyberattack. The topic of U.S. cyberattack merits revisiting. This Report surveys the current international environment regarding cyberconflict, traces the development of “cyberstrategy” by the Executive Office of the President (EoP) and the Department of Defense (DoD) to make general points about the U.S. approach to cyberattack, and examines the statutory framework applicable to U.S. cyberattack in a narrow set of cases. This Report draws on news media reports about a series of cyberattack incidents to examine the dynamics of the cyberattack policy-making process, discusses recent attempts to address these issues, and summarizes lessons learned.