The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.
“What it does, really for the first time, is it explicitly talks about how we will use cyber-
operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
The policy, which updates a 2004 presidential directive, is part of a wider push by the Obama administration to confront the growing cyberthreat, which officials warn may overtake terrorism as the most significant danger to the country.
“It should enable people to arrive at more effective decisions,” said a second senior administration official. “In that sense, it’s an enormous step forward.”
Legislation to protect private networks from attack by setting security standards and promoting voluntary information sharing is pending on the Hill, and the White House is also is drafting an executive order along those lines.
James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, welcomed the new directive as bolstering the government’s capability to defend against “destructive scenarios,” such as those that Defense Secretary Leon E. Panetta recently outlined in a speech on cybersecurity.
“It’s clear we’re not going to be a bystander anymore to cyberattacks,” Lewis said.
The Pentagon is expected to finalize new rules of engagement that would guide commanders on when and how the military can go outside government networks to prevent a cyberattack that could cause significant destruction or casualties.
The presidential directive attempts to settle years of debate among government agencies about who is authorized to take what sorts of actions in cyberspace and with what level of permission.
An example of a defensive cyber-operation that once would have been considered an offensive act, for instance, might include stopping a computer attack by severing the link between an overseas server and a targeted domestic computer.
“That was seen as something that was aggressive,” said one defense official, “particularly by some at the State Department” who often are wary of actions that might infringe on other countries’ sovereignty and undermine U.S. advocacy of Internet freedom. Intelligence agencies are wary of operations that may inhibit intelligence collection. The Pentagon, meanwhile, has defined cyberspace as another military domain — joining air, land, sea and space — and wants flexibility to operate in that realm.
But cyber-operations, the officials stressed, are not an isolated tool. Rather, they are an integral part of the coordinated national security effort that includes diplomatic, economic and traditional military measures.
Offensive cyber actions, outside of war zones, would still require a higher level of scrutiny from relevant agencies and generally White House permission.
The effort to grapple with these questions dates to the 1990s but has intensified as tools and weapons in cyberspace become ever more sophisticated.
One of those tools was Stuxnet, a computer virus jointly developed by the United States and Israel that damaged nearly 1,000 centrifuges at an Iranian nuclear plant in 2010. If an adversary should turn a similar virus against U.S. computer systems, whether public or private, the government needs to be ready to preempt or respond, officials have said.
Since the creation of the military’s Cyber Command in 2010, its head, Gen. Keith Alexander, has forcefully argued that his hundreds of cyberwarriors at Fort Meade should be given greater latitude to stop or prevent attacks. One such cyber-ops tactic could be tricking malware by sending it “sleep” commands.
Alexander has put a particularly high priority on defending the nation’s private-sector computer systems that control critical functions such as making trains run, electricity flow and water pure.
But repeated efforts by officials to ensure that the Cyber Command has that flexibility have met with resistance — sometimes from within the Pentagon itself — over concerns that enabling the military to move too freely outside its own networks could pose unacceptable risks. A major concern has always been that an action may have a harmful unintended consequence, such as shutting down a hospital generator.
Officials say they expect the directive will spur more nuanced debate over how to respond to cyber-incidents. That might include a cyberattack that wipes data from tens of thousands of computers in a major industrial company, disrupting business operations, but doesn’t blow up a plant or kill people.
The new policy makes clear that the government will turn first to law enforcement or traditional network defense techniques before asking military cyberwarfare units for help or pursuing other alternatives, senior administration officials said.
“We always want to be taking the least action necessary to mitigate the threat,” said one of the senior administration officials. “We don’t want to have more consequences than we intend.”