President Barack Obama’s internal directive on cyber warfare was disclosed in public last week, showing for the first time details of U.S. policies for waging both offensive and defensive digital operations by military forces and intelligence agencies.
The directive, known as PPD-20, defines the use of what it terms “defensive cyber effects operations” (DCEO) and “offensive cyber effects operations” (OCEO) against foreign target networks.
It also revealed plans for the use of what the White House calls “Emergency Cyber Action”: urgent responses to cyber attacks or offensive counter cyber actions taken when there is an imminent threat to U.S. government networks or critical private sector infrastructure.
“The United States has an abiding interest in developing and maintaining the use of cyberspace as an integral part of U.S. national capabilities to collect intelligence and to deter, deny, or defeat any adversary that seeks to harm U.S. national interests in peace, crisis, or war,” the order states.
“Given the evolution in U.S. experience, policy, capabilities, and understanding of the cyber threat, and in information and communications technology, this directive establishes updated principles and processes as part of an overarching national cyber policy framework.”
It is the first time the Obama administration’s policy on cyber warfare has been revealed. The 18-page document, “U.S. Cyber Operations Policy,” is labeled “Top Secret/Noforn,” a term barring non-U.S. citizens from access. The directive was disclosed by Britain’s Guardian newspaper.
The document appears to be one of the highly classified documents disclosed by former NSA contractor Edward Snowden, who went public on Sunday in a video to say he is opposed to the large-scale electronic surveillance programs of the Obama administration and U.S. intelligence agencies.
On offensive cyber war strikes, the order says these operations “can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”
It directs the government to identify potential targets for offensive cyber attack.
No details are provided, but U.S. officials have said the targets would include digital infrastructure such as electrical power grids, telecommunications, and other key networks. Militarily, a key target for offensive cyber attacks remains strategic nuclear forces that can be disrupted through cyber strikes.
Specific presidential approval is required for all cyber attacks that will produce “significant consequences,” the order says.
Cyber attacks can be ordered against what is called “persistent malicious cyber activity” when traditional cyber defenses or law enforcement are insufficient to counter the threat.
Emergency Cyber Actions are to be employed by the military against an “imminent threat or ongoing attack,” the order states, and do not require prior presidential approval if they are within the U.S. requirement for “inherent right of self defense” and consistent with the Constitution.
The order also sets up a new policymaking unit at the White House called the Cyber Operations Policy Working Group, dubbed COP-WG. The group is the main cyberwarfare policy coordinating body but has no “operational” power.
National Security Council spokeswoman Caitlin Hayden declined to comment on the disclosure of the directive. She noted that Director of National Intelligence James Clapper “has already spoken to the harm caused by these recent leaks.”
Hayden said in a statement that the directive was signed by the president last year and stated that it is “part of the Administration’s focus on cybersecurity as a top priority.”
“The cyber threat has evolved, and we have new experiences to take into account,” she said.
“It enables us to be flexible while also exercising restraint in dealing with the threats we face.”
The administration’s policy will continue to emphasize “network defense and law enforcement as the preferred courses of action.”
Private industry has been pressing the White House in recent months to take more aggressive, offensive action to counter foreign cyber attacks. China’s military, along with Russia, Iran, and North Korea, are regarded as posing the most serious cyber security threats to U.S. networks.
The order defines defensive cyber warfare as operations outside network defenses or intelligence collection by computers that are “intended to enable or produce cyber effects outside [U.S.] government networks for the purpose of defending or protecting against imminent threats or ongoing attacks or malicious cyber activity against U.S. national interests from inside or outside cyberspace.”
Offensive cyber warfare is less clearly defined but is more tightly restricted by the terms of the order.
A third category of significant cyber warfare activity outlined in the order is the use of Emergency Cyber Actions that can be authorized by the secretary of defense without first gaining prior approval from the president.
“Nothing in this directive is intended to limit or impair military commanders from using [defensive cyber attacks] or [offensive cyber attacks] specific in a military action approved by the president,” the order says.
The order appears designed to lay out policies and procedures for waging cyber warfare and notes that the operations “may raise unique national security and foreign policy concerns” requiring policy debate because of the global nature of the Internet.
“DCEO and OCEO, even for subtle or clandestine operations, may generate cyber effects in locations other than the intended target, with potential unintended or collateral consequences that may affect U.S. national interests in many locations,” the directive states.
As a result, cyber warfare must be conducted under standards that apply to “values, principles, and norms for state behavior” supported by the United States domestically and internationally. The order says cyber warfare also must conform to the 2011 U.S. government document “International Strategy for Cyberspace.”
Obama states in the preface to that strategy document that he believes the digital world is “no longer a lawless frontier.”
The strategy report said, “Our international cyberspace policy reflects our core commitments to fundamental freedoms, privacy, and the free flow of information.”
However, the strategy makes no mention of threats to the Internet posed by China, Russia, and Iran, nor efforts by non-democratic states to seek controls that would limit the freedom of action on the Internet.
Obama met last week with Chinese President Xi Jinping and raised U.S. concerns about Chinese cyber attacks and cyberespionage against the United States.
White House National Security Adviser Thomas Donilon was asked about how Xi responded and told reporters after the summit: “You could ask whether or not the Chinese government at the most senior levels was aware of all the activities that have been underway with respect to the cyber-enabled theft—you can’t answer that question, though, today.”
The answer indicates that the Chinese leaders did not admit Chinese military and intelligence agencies were behind the cyber attacks.
Chinese military cyber operations are among the most secret programs and have not been acknowledged publicly or privately by Chinese leaders.
The presidential order states that the U.S. government “shall obtain consent” from states in advance of attack unless the president approves “nonconsensual” attacks.
Information used to inform states of coming cyber war strikes would be limited to protect operational security and intelligence sources.
The order also says reasonable efforts must be made to clearly identify enemy targets and to identify people and entities that would be affected by the attacks.
The “least intrusive” methods must also be used in U.S. cyber attacks, and the order says the government should seek partnerships with private industry in protecting infrastructure from attacks.
It also says the United States must first “obtain consent” from states that will be affected by cyber war actions.
The order also reveals some new details on how intelligence agencies use cyber operations. For example, human spying operations now employ “online personas and other virtual operations” for spying. Those activities are defined as human intelligence operations carried out through the Internet.