Trump Pulls Gloves Off on Offensive Cyber ActionsPresidential Order Reportedly Loosens Restrictions on Use of Cyber Weapons
U.S. President Donald Trump signed a presidential order on Wednesday that revokes a set of Obama-era guidelines for offensive cyber operations, the Wall Street Journal reports.
The move was made without fanfare and was described by anonymous administration officials speaking to the publication. It's intended to loosen restrictions on U.S. use of cyber weapons against adversaries, the Journal reports.
The policy change may satisfy critics who contend the U.S. should be able to move faster and more aggressively in response to cyber attacks. But it also could raise questions as to whether such actions could further aggravate adversaries and cause an escalation of activity.
"I think the decision will inevitably escalate an already tense situation among nation-states," says Ilia Kolochenko, CEO of the computer security firm High-Tech Bridge. "Following the U.S. example, many other countries may consider this option, virtually declaring cyber war on each other."
Trump has spoken of strengthening U.S. defenses, including its cyber capabilities. But his administration has come under increasing pressure after intelligence agencies concluded Russia waged an extensive hacking campaign to interfere with the 2016 presidential election.
U.S. officials maintain that Russia is continuing with election-related interference activities ahead of the midterm elections, due to take place on Nov. 6.
The old rules, Presidential Policy Directive 20 (PPD-20), were classified. But the material was among the documents leaked by former NSA contractor Edward Snowden and published by The Guardian in June 2013.
The directive broadly outlines a cautious approach for offensive and defensive actions that are likely to result in "significant consequences." Any of those kinds of operations require approval by the president. The directive also describes the flow of approvals that should be followed for "emergency cyber actions."
In most cases, countries that either will experience effects from a U.S. cyber action or be the base for U.S. systems that launch an operation should be informed unless ordered by the president, the original directive states. Offensive actions should only be initiated in response to persistent malicious cyber activity if "network defense or law enforcement measures are insufficient or cannot be put in place in time to mitigate the malicious cyber activity."
The directive also says the offensive response should be limited to "the minimum action required to mitigate the activity."
Kenneth Geers, chief research scientist for Comodo and a cybersecurity fellow with the Atlantic Council, says that loosening the rules could run counter to U.S. strategic interests.
"A malicious insider may abuse this policy change for an attack targeting the United States itself," Geers says.
Also, if agencies aren't communicating with one another as well as before, there's a chance that "U.S. agencies might start shooting at each other," Geers says.
The most famous offensive cyber operation to become publicly known involved the malware known as Stuxnet (see Report: Obama Ordered Stuxnet Assault).
Suspected to be a joint operation between the U.S. and Israel, Stuxnet infected industrial control systems used to control uranium centrifuges that were part of Iran's nuclear program. The malware was designed to send commands that damaged the centrifuges.
By all measures, Stuxnet was a successful operation. But the U.S. has grappled with how to respond to offensive cyber actions directed against it.
After it became clear Russia was targeting the U.S. presidential election, then Vice President Joe Biden vowed in October 2016 that the U.S. would use its cyber capabilities to send President Vladimir Putin a "message."
"He'll know it," Mr. Biden told NBC's Meet the Press. "And it will be at the time of our choosing. And under the circumstances that have the greatest impact."
But it's unclear if any action was undertaken. The decision is fraught with difficulty: Impairing an adversary might draw a far worse response.
With Russia, for example, the U.S. and U.K warned in April that the country had methodically worked to gain footholds in routers, switches, firewalls and network intrusion detection systems (see US, UK: Russian Hackers Deeply Embedded in Routers, Switches).
At the time, Jeanette Manfra, the U.S. National Protection and Programs Directorate's assistant secretary for cybersecurity and communications, said Russia's activities threaten "the very integrity of our cyber ecosystem."
New Funding, Legislation
Trump's administration had acknowledged the intensifying dangers in cyberspace. Vice President Mike Pence said on July 31 that that "America's digital infrastructure is under constant cyberattack."
"Our cyber adversaries also seek to infiltrate our critical infrastructure, including our electrical grid, power stations, so that in some future conflict they might have the opportunity to shut down the nerve center of American energy and our national life," Pence said in remarks at the Alexander Hamilton U.S. Custom House in New York.
Pence said that the administration had allocated an additional $1.2 billion for cyber defense and requested another $15 billion for cybersecurity. The administration is also seeking to create a new agency within the Department of Homeland Security called the Cybersecurity and Infrastructure Security Agency.
In December, the House of Representatives passed the legislation, H.R. 3359. Pence called on the Senate to approve the legislation before year's end.