The White House has, for the first time, laid out specific ground rules for how and when the U.S. military can carry out offensive and defensive cyber operations against foreign threats.
The guidelines were codified in a new White House directive signed by President Obama in mid-October, according to The Washington Post. A senior Obama administration official confirmed to The Hill that the president has signed a directive on “cyber operations.”
The senior administration official stressed that the directive does not create new powers for federal agencies or the military.
“The directive establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the fully array of national-security tools we have at our disposal,” the official said. “It provides a whole-of-government approach consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace.”
The cyber rules of engagement, known inside the White House and Pentagon as Presidential Policy Directive 20, represent the latest step by the administration to take the fight to state and non-state actors looking to attack U.S. government and civilian networks.
The new directive also closes a critical policy gap at the DOD on cyber warfare that Congress failed to address earlier this year.
In August, White House chief counterterrorism adviser John Brennan told reporters that the administration was considering exercising presidential authority to impose cybersecurity mandates after lawmakers failed to adopt legislation to implement those measures.
Passing cybersecurity legislation was near the top of Defense Secretary Leon Panetta’s legislative to-do list for Congress in the lame-duck session, behind a sequestration deal and approval of a defense authorization bill.
A cybersecurity bill co-sponsored by Sens. Joe Lieberman (I-Conn.) and Susan CollinsSusan CollinsCollins: I'm not working with Freedom Caucus chairman on healthcare Mexico: Recent deportations 'a violation' of US immigration rules White House denies misleading public in aircraft carrier mix-up MORE (R-Maine) has remained stalled on Capitol Hill for months.
Senate Majority Leader Harry ReidHarry ReidWarren builds her brand with 2020 down the road 'Tuesday Group' turncoats must use recess to regroup on ObamaCare Dem senator says his party will restore 60-vote Supreme Court filibuster MORE (D-Nev.) has called for a vote on the legislation in November, but observers are not optimistic that a final product will reach the president’s desk, given ongoing partisan fighting over the legislation.
Specifically, the new presidential directive differentiates between network defense capabilities and other so-called “cyber operations” that address DOD’s recently disclosed offensive capabilities in the digital realm.
“What [the directive] does, really for the first time, is it explicitly talks about how we will use cyber operations,” a senior White House official told The Washington Post on Wednesday.
“Network defense is what you’re doing inside your own networks. ... Cyber operations is stuff outside that space,” the official added.
The Pentagon in October acknowledged that U.S. military forces are able to carry out pre-emptive or retaliatory acts of cyber warfare.
“Our mission is to defend this nation. We defend. We deter. And if called upon, we take decisive action,” Defense Secretary Leon Panetta said during his keynote address to the Business Executives for National Security conference in New York.
“If a crippling cyberattack were launched against our nation, the American people must be defended,” he said. “And if the commander in chief orders a response, the Defense Department must be ready to act.”
The senior administration official said the directive signed by Obama would enable the administration to be “flexible” in dealing with cyber threats.
“It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action.”
Jennifer Martinez contributed.