In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation's important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures, it is natural to consider the possibility that deterrence might play a useful role in preventing cyberattacks against the United States and its vital interests. At the request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government.



The first phase produced a letter report providing basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks.



The second phase of the project entailed selecting appropriate experts to write papers on questions raised in the letter report. A number of experts, identified by the committee, were commissioned to write these papers under contract with the National Academy of Sciences. Commissioned papers were discussed at a public workshop held June 10-11, 2010, in Washington, D.C., and authors revised their papers after the workshop.



Although the authors were selected and the papers reviewed and discussed by the committee, the individually authored papers do not reflect consensus views of the committee, and the reader should view these papers as offering points of departure that can stimulate further work on the topics discussed. The papers presented in this volume are published essentially as received from the authors, with some proofreading corrections made as limited time allowed.

Table of Contents


Front Matter
Group 1 - Attribution and Economics
Introducing the Economics of Cybersecurity: Principles and Policy Options--Tyler Moore
Untangling Attribution--David D. Clark and Susan Landau
A Survey of Challenges in Attribution--W. Earl Boebert
Group 2 - Strategy, Policy, and Doctrine
Applicability of Traditional Deterrence Concepts and Theory to the Cyber Realm--Patrick M. Morgan
Categorizing and Understanding Offensive Cyber Capabilities and Their Use--Gregory Rattray and Jason Healey
A Framework for Thinking About Cyber Conflict and Cyber Deterrence with Possible Declaratory Policies for These Domains--Stephen J. Lukasik
Pulling Punches in Cyberspace--Martin Libicki
Group 3 - Law and Regulation
Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, and Armed Conflicts--Michael N. Schmitt
Cyber Security and International Agreements--Abraham D. Sofaer, David Clark, and Whitfield Diffie
The Council of Europe Convention on Cybercrime--Michael A. Vatis
Group 4 - Psychology
Decision Making Under Uncertainty--Rose McDermott
Group 5 - Organization of Government
The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence--Paul Rosenzweig
Group 6 - Privacy and Civil Liberties
Civil Liberties and Privacy Implications of Policies to Prevent Cyberattacks--Robert Gellman
Group 7 - Contributed Papers
Targeting Third-Party Collaboration--Geoff A. Cohen
Thinking Through Active Defense in Cyberspace--Jay P. Kesan and Carol M. Hayes
Appendixes
Appendix A: Reprinted Letter Report from the Committee on Deterring Cyberattacks
Appendix B: Workshop Agenda
Appendix C: Biosketches of Authors
Appendix D: Biosketches of Committee and Staff