Two weeks ago I wrote about methods by which law enforcement could cyber-target individual miscreants. Since then, the National Research
Council (NRC) of the National Academies of Science has published a report on a whole different scale of cybertargeting: It
deals with policy issues of the United States mounting cyberattacks on groups of cyberterrorists or on countries.
As is generally the case with NRC reports, the one titled "Technology, Policy, Law, and Ethics Regarding U.S. Acquisition
and Use of Cyberattack Capabilities" is very well balanced. It is the product of a 14-person committee, including people of
diverse backgrounds and interests. The statement of the committee's task starts: "The National Research Council will appoint
an ad hoc committee to examine policy dimensions and legal/ethical implications of offensive information warfare." This report,
which is readable, though laboriously, on the Web, does not provide a road map on how to conduct cyberwarfare. Instead, it examines the "many questions and issues" associated
with the officially sanctioned use of cyberattacks.
The report presents 22 findings and makes 12 specific recommendations. The findings range from the obvious -- that "private parties have few useful alternatives for responding to a severe cyber attack" -- to
the hidden, that "both the decision-making apparatus for cyber attack and the oversight mechanisms for that apparatus are
inadequate today." Not all of the recommendations are ones that most governments would welcome, because they address the need
to "conduct a broad, unclassified national debate and discussion on cyberattack policy," and say that policymakers "should apply
the moral and ethical principles underlying the law of armed conflict to cyberattack." Talking about military techniques and
strategies in public is just not done.
On the defensive side, some discussion seems to be happening. The National Journal magazine is reporting that the United States is developing a Defense Industrial Base initiative in which the government tries
to help companies better protect their -- and sometimes government -- information, such as the plans for the Joint Strike
Fighter.
One problem with cyberattacks is that there is little government-specific about them. A handful of hackers can put together
as powerful an attack using a botnet as a government can with all its might and money. That is, unless the government has
the cooperation of a major software company (see Purina Paranoid Chow?) or, as I talked about two weeks ago, antivirus companies.