Study outlines challenges of formulating public policies on offensive cyberwar
When then-candidate Barack Obama spoke at Purdue University last July in his first major policy speech on cybersecurity, he called upon the American government and public to update its national security strategy to include cyberthreats.
Although discussion of strategic cybersecurity defenses is indeed emerging as a major public issue, there’s been almost no dialog about the other component of a cyberthreat strategy: cyber-offensive or retaliatory capacity, and when and how it should or shouldn’t be used.
A new report from the National Research Council, titled Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, provides, perhaps for the first time, an intellectual framework for thinking about cyberattack and understanding these issues.
The current policy and legal framework regulating use of cyberattack by the United States is ill-formed, undeveloped, and highly uncertain, according to the report.
While defenses against such attacks are discussed, the report says, “questions on the potential for, and the ramifications of, the United States' use of cyberattack as a component of its military and intelligence arsenal have not been the subject of much public debate.”
In the report’s view, the essential framework for the legal analysis of cyberattack is based on the principle that notions related to “use of force” and “armed attack” should be judged primarily by the effects of an action rather than its modality.
As the authors of the study put it, “the fact that an attack is carried out through the use of cyberweapons rather than kinetic weapons is far less significant than the effects that result from such use, where “effects” are understood to include both direct and indirect effects.”
the law of armed conflict.
The report argues that the Charter of the United Nations, the legal framework traditionally governing conventional warfare, including both law governing the legality of going to war (jus ad bellum) and law governing behavior during war (jus in bello), do apply to cyberattack, although new analytical work may be needed to understand how these principles do or should apply to cyberweapons.
As the report puts it, “some types of cyberattack are difficult to analyze within the traditional structure.”
Among the more problematic cases, according to the report, are the presumption of nation-to-nation conflict between national military forces, the exception for espionage, and the emphasis on notions of territorial integrity.
Matters can be further complicated by the presence of non-state actors, such as cyberterrorists, “patriotic hackers”, and criminal groups. Perhaps the most important complication relates to identification of the appropriate party against which action might be taken and the related availability of cyber targets whose destruction might cause pain or meaningful damage to the terrorist or criminal group.
The report recommends that the United States establish a public national policy regarding cyberattack for all sectors of government, including but not necessarily limited to the Departments of Defense, State, Homeland Security, Treasury, and Commerce; the intelligence community; and law enforcement.
The government, it says, should also conduct a broad, unclassified national debate and discussion about cyberattack policy, ensuring that all parties—particularly Congress, the professional military, and the intelligence agencies—are involved in discussions and are familiar with the issues.
In addition, the report urges that the US government should work to find common ground with other nations regarding cyberattack. Such common ground should include better mutual understanding regarding various national views of cyberattack, as well as measures to promote transparency and confidence building.
“The US government should have a clear, transparent, and inclusive decisionmaking structure in place to decide how, when, and why a cyberattack will be conducted,” the report says. “The US government should provide a periodic accounting of cyberattacks undertaken by the US armed forces, federal law enforcement agencies, intelligence agencies, and any other agencies with authorities to conduct such attacks in sufficient detail to provide decision makers with a more comprehensive understanding of these activities. Such a periodic accounting should be made available both to senior decision makers in the executive branch and to the appropriate congressional leaders and committees.”
Finally, the report recommends that US policy makers should judge the policy, legal, and ethical significance of launching a cyberattack largely on the basis of both its likely direct effects and its indirect effects.
This implies, according to the report, that US policy makers should apply the moral and ethical principles underlying the law of armed conflict to cyberattack even in situations that fall short of actual armed conflict.