The White House has reportedly reversed existing guidelines that restricted how the United States can use cyberweapons against adversaries, the Wall Street Journal reported. The move potentially frees up the military and U.S. agencies to add online capabilities to their arsenal.
An administration official called the decision an “offensive step forward” that would help support military operations, deter foreign election influence, and prevent further thefts of intellectual property, according to the Wall Street Journal.
Presidential Policy Directive 20 outlined a classified framework established by the Obama Administration which laid out the multi-agency process that must be followed before the United States can launch any offensive digital operations. The framework was put in place in 2012 (and details leaked by former intelligence contractor Edward Snowden) to prevent accidentally interfering with any multi-year espionage plans that may be in progress. However, critics had said the process delayed operations because too many agencies had to sign off on potential plans.
Reversing the guidelines doesn’t mean everything is now a free-for-all. What rules or guidelines are now in place is unknown, most likely because the replacement is also classified.
“It wasn’t clear what rules the administration is adopting to replace the Obama directive,” the Wall Street Journal reported.
The government has been slowly moving towards giving the military more flexibility in how it conducts operations online. In May, the Senate Armed Services Committee considered a proposal stating that the United States will use “all instruments of national power,” including military force and offensive digital operations, to respond to cyberattacks that threaten American lives or critical infrastructure.
In June, the Pentagon gave U.S. Cyber Command the ability to raid foreign networks to disable weapons before they can be used against the United States, the New York Times reported at the time. The shift was notable because Cyber Command was originally formed as a defensive group focused on repelling attacks on the United States.
The relaxing of the previous rules means the United States can reconsider the question of hacking back, or attacking the system engaged in an attack. Hack-back regularly generates debate in policy circles whenever lawmakers and corporations bring up the possibility. Security experts rightly point out that attackers rarely use their own infrastructure in their operations. An authorized counterattack may wind up targeting thousands of computers and Internet-connected devices belonging to innocent civilians.
Another thing to consider: the previous directive explicitly prevented the government from engaging in domestic operations except in cases of emergency. It’s unclear whether the new rules contain the same restrictions against domestic activities.
An open question is whether announcing that the military now has more flexibility in retaliating in the digital realm would act as deterrence. The idea is that nation-state attackers have refrained from specific types of operations because they fear response by the U.S. military, suggested Joseph Nye, former assistant secretary of defense and current professor at Harvard University.
The relaxing of the previous directive or the new rules don’t apply to defensive operations that occur within the government networks. Espionage relies on being able to collect intelligence, but there are other operations that aims to “cause an effect,” Robert Chesney, a law professor the University of Texas School of Law and director of UT-Austin’s Robert S. Strauss Center for International Security and Law, wrote on Lawfare. The effect could refer to actions such as manipulating control systems and deleting or altering data. Existing legal and policy vetting and oversight rules would still apply for covert actions. Combat operations would still fall under “the usual legal and policy frameworks for military operations,” Chesney wrote.
The question is what rules are now in place for all the “other ‘offensive’ operations,” such as attacking systems located in another country and belonging to an enemy “against whom we are engaged in combat,” operations that prepare the groundwork in advance of actual conflict, and operations that aren’t part of armed conflict but intended to “immediate effect,” Chesney wrote.
There isn’t enough information available at the time to determine whether the changes mean "a massive shift away from any interagency vetting,” or "a marginal change involving much tighter timelines, fewer bites at the apple, and fewer participants,” Chesney said.