Cyberwar is all-but-officially the new Cold War. In its third major scoop in three days, and just hours before President Obama was set to sit down at the Sunnylands estate in California with Chinese President Xi Jinping to talk about cyberwarfare, The Guardian reported that Obama ordered national security agents to compile a list of targets for preemptive Internet-based disruption, similar to the military's long-standing list of nuclear weapon targets. What's more, the directive includes targets within the United States.
Glenn Greenwald reports:
The 18-page Presidential Policy Directive 20, issued in October last year but never published, states that what it calls Offensive Cyber Effects Operations (OCEO) "can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging".
It says the government will "identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power".
The full directive, which can be read here, is addressed to much of the president's security council and cabinet and is predicated on "the United States' inherent right of self-defense." It reads, in part:
The United States has an abiding interest in developing and maintaining use of cyberspace as an integral part of U.S. national capabilities to collect intelligence and to deter, deny, or defeat any adversary that seeks to harm U.S. National interests in peace, crisis or war.
It later continues:
The United States Government shall conduct all cyber operations consistent with the U.S. Constitution and other applicable laws and policies of the United States, including Presidential orders and directives.
This suggests that any domestic cyberattack might face additional limitations. As The Guardian notes, the document indicates that the President must issue direct approval before any such action — as with any action deemed to have "significant consequences."
Several categories of planning are outlined. For example, agencies are directed to develop plans for "Responses to Persistent Malicious Cyber Activity," and for "Emergency Cyber Actions," in the event that it becomes "necessary to mitigate an imminent threat." Among the considerations in developing plans are "impact," "risks," geography and identity," "transparency," and "authorities and civil liberties."
The timing of The Guardian's story is particularly bad for the administration. The president and Chinese premier Xi Jinping are meeting at 5 p.m. Eastern to begin a two-day summit that includes cybersecurity as a topic. The BBC explains:
Last month the Washington Post reported that Chinese hackers had accessed designs for more than two dozen US weapons systems, citing a confidential Pentagon report. The US also directly accused Beijing of targeting US government computers as part of a cyber espionage campaign in a report in early May.
China denies any role in state-sponsored hacking - earlier this week its internet chief said China had "mountains of data" pointing to US-based cyber attacks.
The president's response to that just got much more complex.
The existence of the directive itself was not secret, as Greenwald notes. In January, the administration released a fact sheet on Presidential Policy Directive 20, which indicated that "it establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools we have at our disposal." What wasn't mentioned was this component, listed in the full document under "Policy Reviews and Preparation."
The Secretary of Defense, the DNI, and the Director of the CIA — in coordination with the AG, the Secretaries of State and Homeland Security, and relevant IC and sector-specific agencies — shall prepare for approval by the President through the National Security Advisor a plan that identifies potential systems, processes, and infrastructure against which the United States should establish and maintain OCEO capabilities; proposes circumstances under which OCEO might be used; and proposes necessary resources and steps that would be needed for implementation, review, and updates as U.S. national security needs change.
The United States continues to maintain a secret list of possible targets for retaliatory or preemptive nuclear strike, dating back to the Cold War.
Presidential Policy Directive 20 includes one additional note aimed at keeping its details secret. "The government's public posture on related matters," it reads, "shall be: 'All United States Government activities in cyberspace are consistent with the principles stated in the May 2011 International Strategy for Cyberspace.'" That obfuscation is now somewhat unnecessary.
(Photo: President Obama and then-Vice President Xi at the White House in February 2012. Friday's meeting will be there first since Xi became president in March of this year.)