The Trump administration has rolled back rules that outlined how to launch cyberattacks on other nations. The decision, which has been under consideration for much of the year, could herald a more hawkish approach to cyberwarfare within the US government.
Signed in 2012, the original Obama-era Presidential Policy Directive 20 (PPD-20) replaced a 2004 Bush-era policy called National Security Presidential Directive (NSPD)-38. The government refused to publish the document at the time, but it was leaked as part of the Snowden files. It outlined Defensive Cyber Effects Operations (DCEO) and Offensive Cyber Effects Operations (OCEO). OCEO could focus on targets specified by the government, and would…
“offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”
PPD-20 argued that it simply formalised existing policies, and outlined a swathe of processes and restrictions governing cyberwarfare. For example, it would seek consent from countries in which cyber operations took place unless they were military actions, or unless the president decided that asking for consent would go against US national interests.
The rules also called for a multi-agency effort to establish criteria and procedures for responding to persistent malicious cyberactivity by other nations against US national interests.
Directive 20 outlined bureaucratic restrictions on these cyberwarfare capabilities. The US government would reserve their use for circumstances when network defence or law enforcement measures were insufficient. It also said that it would conduct defensive cyberspace actions with the least intrusive methods feasible to mitigate a threat. And it vowed to obtain the consent of network or computer users for the US government to take cyber measures on their behalf.
It contained extensive sections outlining the need to coordinate these cyber capabilities with other government functions, including financial, intelligence and law enforcement, in what it called a “whole-of-government” approach. Policy criteria included how operations were located and their potential effects, the methods used, and their risks and potential impact. It also explicitly listed civil liberties as a policy consideration when weighing offensive and defensive cyber-actions.
Rolling back these rules removes a layer of inter-agency bureaucracy that the government had to follow before launching cyberattacks on overseas adversaries. Insiders have called their removal an “offensive step forward”, according to a Wall Street Journal report.
Reactions to the Obama-era Directive over the past few years have been mixed. Some experts have argued that it was necessary to introduce checks and balances before launching a cyberattack and to prevent one from wrecking other government operations by mistake or sparking other unintended consequences.
On the other hand, lawmakers have expressed frustration with the approval process, calling it “slow as molasses”, at a time when the cybersecurity stakes have never been higher. Reports from Microsoft and others of successful attacks on political campaigns have mounted in the approach to the 2018 US midterm elections. In March, the Trump administration also called out Russia for attacking US electrical networks.
This is the latest move in a cybersecurity policy shakeup at the White House. In May, newly-appointed national security advisor John Bolton removed the position of cybersecurity coordinator from the National Security Council. This stood in stark contrast to the Obama administration’s support for elevating the position.
Officials have said that the White House has replaced PPD-20 with something else, but any further information is classified.