"This paper examines United States and international policy related to offensive cyber warfare, specifically cyber exploitation and cyber attack. Current domestic and international policies lack mechanisms to classify offensive cyber operations into any discernable categories other than 'hostile acts'. Recent cyber-attacks demonstrate how this policy void leads to stark differences in the ways nations perceive the role of the Internet and acceptable conduct in the cyber domain. Moreover, opaque national cyber policies increase the risk states will misinterpret each other's intentions and actions, leading to inadvertent conflict escalation. This current policy framework is insufficient to promote international norms or deter adversaries from conducting offensive cyber operations against U.S. networks. This paper advocates using a three variable approach to classify cyber operations based on the actor, the target, and the effect. Examining each variable in depth shows how this classification system would affect broader changes to U.S. and international cyber policy. This new approach could clarify guidance for the United States'own actions, encourage stability, and promote effective responses to a range of threats from a variety of actors."
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/