President Obama signed a classified presidential directive last month that enables the military to act more aggressively to frustrate cyberattacks on government and private computer networks.
The White House confirmed the issuance of Presidential Policy Directive 20, updating a 2004 presidential directive, but declined to provide specifics. "The directive itself is classified, so we cannot discuss all of the elements contained in it," a senior administration official says.
But James Lewis, the well-connected cybersecurity expert at the Center for Strategic and International Studies, says the directive, months in the works, will allow the military to actively target digital assailants if it believes such an attack would cause significant harm to individual Americans or its institutions. He says the military didn't have that authority before.
Could the directive allow the military to defend against the distributed denial of service attacks that had plagued U.S. banks earlier this fall? Unlikely, Lewis says, though it could if the military determines that the attack would be highly destructive.
Lewis says the National Security Agency has improved its ability to identify those attacking IT systems.
Now, he says, the Pentagon will finalize new rules of engagement to provide direction to authorities on how to prevent a cyberattack.
According to a Washington Post report citing several U.S. officials who have seen the classified document but aren't authorized to speak on the record, the directive establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace. The paper also says the directive lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens' and foreign allies' data and privacy are protected and international laws of war are followed.
In an e-mail exchange, the senior administration official says the directive establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools we have at our disposal. "It provides a whole-of-government approach consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace," the official says.
The directive will establish principles and processes that can enable more effective planning, development and use of the government's capabilities, enabling the government to be flexible while also exercising restraint in dealing with the threats the nation faces. "It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action," the official says.
New and existing directives do not provide new authorities to agencies or departments, and American military, intelligence community and law enforcement agencies obtain no new authorities through the issuance of this directive, the official says.
The official points out the directives do not give the government additional oversight over privately owned networks.
The directive comes at a time when Obama is considering issuing an executive order that, in part, would direct the government to work with the private sector to develop cybersecurity best practices that the owners of the nation's critical infrastructure could adopt voluntarily. It also coincides with the Senate reconsideration of the Cybersecurity Act of 2012, comprehensive IT security legislation that stalled last summer when the bill could not get enough votes to block a filibuster.