A presidential order revokes a set of Obama-era guidelines for offensive cyber operations.
The intent behind the move, which President Donald Trump signed last week, is to loosen restrictions on U.S. use of cyber weapons against adversaries, according to the report in the Wall Street Journal.
The policy change may satisfy critics who contend the U.S. should be able to move faster and more aggressively in response to cyber attacks. But it also could raise questions as to whether such actions could further aggravate adversaries and cause an escalation of activity.
Trump has spoken of strengthening U.S. defenses, including its cyber capabilities. But his administration has come under increasing pressure after intelligence agencies concluded Russia waged an extensive hacking campaign to interfere with the 2016 presidential election.
U.S. officials maintain Russia is continuing with election-related interference activities ahead of the midterm elections in November.
The old rules, Presidential Policy Directive 20 (PPD-20), were classified. But the material was among the documents leaked by former NSA contractor Edward Snowden and published by The Guardian in June 2013.
The directive broadly outlines a cautious approach for offensive and defensive actions that are likely to result in “significant consequences.” Any of those kinds of operations require approval by the president. The directive also describes the flow of approvals that should be followed for “emergency cyber actions.”
In most cases, countries that either will experience effects from a U.S. cyber action or be the base for U.S. systems that launch an operation should be informed unless ordered by the president, the original directive states. Offensive actions should only be initiated in response to persistent malicious cyber activity if “network defense or law enforcement measures are insufficient or cannot be put in place in time to mitigate the malicious cyber activity.”
The directive also says the offensive response should be limited to “the minimum action required to mitigate the activity.”
The most famous offensive cyber operation to become publicly known involved Stuxnet.
A joint operation between the U.S. and Israel, Stuxnet infected industrial control systems used to control uranium centrifuges at Iran’s Natanz nuclear facility. The malware sent commands that damaged the centrifuges, while appearing to operators everything was running normally.
By all measures, Stuxnet was a successful operation. But the U.S. has grappled with how to respond to offensive cyber actions directed against it.