It’s well understood that if nuclear war ever comes, it is the president who has to make the fateful decisions. But if the United States ever faced a genuine conflict in cyberspace, with decisions having to be made at network speed against adversaries unknown or hard to find, who would be in charge? A major attempt to sort this out at the highest levels is evident in Presidential Policy Directive 20, which President Barack Obama signed last October. The directive is still classified as top secret but was among the papers spilled into public view by Edward Snowden, the contractor for the National Security Agency who also revealed classified materials on Internet and telephone surveillance.
Although the military has designated cyberspace as a new domain of conflict, there hasn’t been a real cyberwar yet. Much about this kind of conflict among nations or groups is still only conjecture. But the new directive makes clear that, as now envisioned, it is still a matter of “national-level strategic objectives” to be decided by the president. Presidential approval is required for cyber-operations if they might result in “significant consequences,” which include loss of life, serious levels of retaliation, damage to property, adverse foreign policy consequences or economic impact on the country. Wisely, cyberweapons are being put in a category with nuclear weapons, not to be fired off by a field commander without authority. There’s an exception for emergency actions.
The president’s directive defines two important categories of cyberattack. “Defensive cyber effects operations,” or DCEO, involve reaching outside of U.S. government networks to stop an assault or imminent threat. “Offensive cyber effects operations,” or OCEO, are intended to “offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” Both of these describe attacks, and, according to the directive, the president has ordered targeting plans. Stuxnet, the computer worm developed by the United States and Israel and used to sabotage Iran’s nuclear equipment a few years ago, was in the vanguard of such operations. Just recently, an online magazine that spreads al-Qaida ideology was taken down, presumably another example.
But the directive also acknowledges cautionary factors that have become more evident since Stuxnet was first deployed. It warns that attacks “may generate cyber effects in locations other than the intended target, with potential unintended or collateral consequences …” In deciding whether to deploy offensive cyberweapons, the directive says officials must weigh “the potential threat from adversary reactions” and “the risk of retaliation,” as well as “impact on the security and stability of the Internet” and setting “unwelcome norms of international behavior.” All valid worries, none easy to anticipate.
Certainly, this leak must have pained the White House. But on balance, it is a good sign that the imponderables of fighting a cyberwar are being examined and clarified. Better now, before trouble arrives, than in the midst of crisis or after conflict has broken out.