In a sign that the U.S. will be taking a more aggressive approach to cybersecurity, President Trump has reportedly reversed Obama-era guidelines that dictated the process for approving the use of cyberweapons against an adversary. The change will theoretically make it easier for the U.S. to hack back.
The Wall Street Journal spoke to several administration officials who said the president signed an order on Wednesday to repeal the Presidential Policy Directive 20 (PPD-20), a set of cyberattack guidelines put in place by President Obama in 2012. The Journal’s sources say new rules have been put in place but are said to be classified and therefore unavailable to the public. From the report:
The change was described as an “offensive step forward” by an administration official briefed on the decision, one intended to help support military operations, deter foreign election influence and thwart intellectual property theft by meeting such threats with more forceful responses.
We’ve reached out to the White House to confirm that the old guidelines have been repealed and to ask if the administration plans to release a fact sheet that gives a broad idea of any new policies, just as the Obama administration did in January of 2013. We did not receive a reply.
Just because the previous administration released some info about its policy doesn’t mean it was forthcoming about its approach to cybersecurity. The Guardian released the full text of the classified policy in 2013 as part of its dump of documents obtained by NSA whistleblower Edward Snowden. In a report, the Guardian pointed out that the previously available bullet points “did not mention the stepping up of America’s offensive capability and the drawing up of a target list.”
The PPD-20 outlined an elaborate process that government agencies must follow before engaging in offensive cyberattacks. The idea was that extensive coordination between the intel agencies gave potential cyberattacks significant weight and acknowledged the complex nature of such operations as well as the potential for unintended consequences. One fear was that a cyberattack carried out by one agency could interfere with covert operations being performed by another agency. Some believe the previous policy made it too difficult to respond quickly to foreign aggression. Joshua Geltzer, who was senior director of counterterrorism at the U.S. National Security Council, told the Journal that he was sympathetic to the idea that U.S. cyber capabilities need to be “more nimble” but he worried that “very real and hard legal questions” revolving around the issue have not been resolved.
One worry is that a government agency could find itself intentionally or unintentionally violating the rights of U.S. citizens. The concept carries with it some of the same issues that are still being debated around whether corporations should be allowed to hack back. For example, malicious hackers often commandeer thousands of random computers and internet-connected devices to carry out their attacks and cover their tracks. The fear is that an authorized counterattack would use the same techniques and violate constitutional protections for Americans or the rights of innocent civilians abroad.
We may not know what new cyber policies are being put in place but it seems fair to assume the president was not a guiding force in their crafting. His tech illiteracy aside, Trump’s approach to defense has been to turn over non-headline grabbing decisions to military commanders.
It’s also worth noting that U.S. cyberattack policy isn’t only about responding to an attack but can also be a first strike, something we famously saw with the Stuxnet virus that briefly crippled Iran’s nuclear program.
Whatever the new policy is, it’s bound to be better than a proposal by the Pentagon earlier this year that sought to authorize the potential use of nuclear weapons as a response to high-level cyberattacks. While we haven’t figured out what mutually assured destruction looks like in cyberwarfare, the idea of making it another trigger for a nuclear holocaust is lunacy. But hey, that’s the kind of proposal you get when you put everything in the hands of the military.