President Obama has tasked senior national security and intelligence officials with preparing a list of potential overseas targets for U.S. cyber attacks, the Guardian reports, the latest in a series of stories sourced to leaked documents. The story offers a rare glimpse into the Obama administration's cyber offensive planning and the contours of when it is and isn't willing to use those capabilities.
The leaked government documents portray the Obama administration as willing to hack foreign targets to preempt perceived threats against U.S. interests. Attacks in foreign countries without that country's consent are permissible, they say, when "U.S. national interests and equities" are at stake or as "anticipatory action taken against imminent threats."
According to the Guardian, the documents reference offensive cyber capabilities by the U.S. military and state "several times that cyber operations are to be used only in conjunction with other national tools and within the confines of law." And it's worth noting that preparing a potential target list is not the same thing as planning to strike those targets; for many years, the Pentagon maintained worst-case-scenario plans for invading Canada.
The Obama administration, based on these documents, seems to see offensive cyber attacks as most appropriate when used to preempt a possible incoming attack. In this sense, their cyber doctrine bears a striking resemblance to Obama's case for the use of drone strikes, which he articulated in a recent speech. Drones, he argues, are justified on the one hand by the need to remove impending national security threats and, on the other, by the fact that all other options would be much costlier. Of course, as with drone strikes, preemptive cyber attacks risk collateral damage and mistakenly targeting someone who was not actually a threat.
The document does not appear to reference any planned or recent attacks. But the most famous U.S. cyber attack is of course Stuxnet, the virus developed and deployed in conjunction with Israel to set back Iran's nuclear program. The virus was a remarkable success, sending Iranian centrifuges spinning out of control, before it began spreading across the Internet by mistake, ultimately outing the program.
Stuxnet appears consistent with the contours of a cyber doctrine hinted at in these documents. It was meant to preempt an impending national security threat – Iran's nuclear program – worked in secret and was certainly offensive. It was part of a larger effort that included diplomacy, sanctions and the threat of physical strikes. It's also worth noting what Stuxnet was not: a revenge attack meant to punish Iran. The virus was meant to work in secret; ideally, the Iranians were not even to know it had been deployed. Similarly, the Obama administration has insisted that it deploys drone strikes only against people who pose an ongoing threat to the U.S. rather than as "revenge" strikes. (Many critics of the drone program doubt this.)
This apparent cyber doctrine of quiet, drone-like preemption differs widely from another cyber strategy that many observers have believed the U.S. would or should take: deterrence. In this thinking, the U.S. would counter the growing threat of foreign hackers by, essentially, scaring them away from even trying. This would mean developing offensive cyber capabilities that could be used to hit back at hackers who attempt to breach U.S. systems and then making sure that foreign hackers understand they're putting themselves at risk by even trying. In this way, offensive cyber capabilities would be kind of like nuclear weapons, which exist primarily to deter adversaries from using their weapons first.
After all, preemptive cyber attacks might be able to slow Iranian centrifuges but they're much less suited to, say, shutting down Chinese military hackers. Nor are simple cyber defenses up to that task: because foreign hackers risk little in trying to tap into sensitive U.S. servers, merely building more protections is only going to extend the time it takes them to finally succeed. This is why many U.S. companies already want to develop "hacking back" capabilities, something that is forbidden under U.S. law.
The New York Times' David Sanger, in his 2012 book "Confront and Conceal," explained why many expected the Obama administration to pursue a cyber strategy more similar to nuclear deterrence than to the drone-like quiet preemption it appears to be pursuing:
The administration has only recently acknowledged that the country is now spending hundreds of millions of dollars every year developing, refining, and – in the case of Iran – employing those [offensive cyber] weapons. It has said almost nothing about a strategic doctrine for using them. Instead, when the subject of cyber comes up, Obama and his advisers almost always turn the conversation to cyber defense – how to harden and protect America's power grid, its banking system and the rest of its critical infrastructure.
But if history is any guide, eventually it will be in America's own interest to explain its offensive capability, if for no other reason than because the Cold War taught us that a strong offense is the critical element of a good defense.