A secret directive signed by President Barack Obama in mid-October enables the military to act more aggressively to thwart cyber attacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, said several U.S. officials who saw the classified document, but not authorized to speak on the record, according to a report in The Washington Post.
The new directive is an extensive White House effort to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyber war and cyber terrorism, where an attack can launch in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure U.S. citizens’ and foreign allies’ data and privacy end up protected and everyone follows international laws of war.
The policy, which updates a 2004 presidential directive, is part of a wider push by the Obama administration to confront the growing cyber threat, which officials warn may overtake terrorism as the most significant danger to the country.
Legislation to protect private networks from attack by setting security standards and promoting voluntary information sharing remains pending on Capitol Hill, and the White House is also drafting an executive order along those lines.
The Pentagon should soon finalize new rules of engagement that would guide commanders on when and how the military can go outside government networks to prevent a cyber attack that could cause significant destruction or casualties.
The presidential directive attempts to settle years of debate among government agencies about who has authorization to take what sorts of actions in cyberspace and with what level of permission.