WASHINGTON — President Barack Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyber-attacks on the nation’s web of government and private computer networks.
Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.
The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyber-war and cyber-terrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyberoperations to guide officials charged with making often rapid decisions when confronted with threats.
The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.
“What it does, really for the first time, is it explicitly talks about how we will use cyberoperations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. ... Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
The new policy, which updates a 2004 presidential directive, is part of a wider push by the Obama administration to confront the growing cyberthreat, which officials warn may overtake terrorism as the most significant threat to the country.
“It should enable people to arrive at more effective decisions,” said a second senior administration official. “In that sense, it’s an enormous step forward.”
On Wednesday, Senate Republicans killed cyber-security legislation backed by Obama, heading off Democratic calls for action this year on a law to guard against computer attacks.
Senate Majority Leader Harry Reid, D-Nev., moved to reconsider a bill that was blocked in August by Republicans who said it would lead to more government regulation of business. On a 51-47 vote, supporters failed to get the 60 votes needed under Senate rules to bring the bill to a vote on passage.
Democratic Sen. Mark Pryor and Republican Sen. John Boozman, both of Arkansas, opposed advancing the bill.
“Everybody should understand, cyber-security is dead for this Congress,” Reid said after the vote.
The legislation, introduced in February by Sens. Joe Lieberman, a Connecticut independent, and Susan Collins, a Maine Republican, would create a system of voluntary cyber-security standards for companies that operate infrastructure such as power grids and chemical plants considered essential to U.S. national security. The bill would also encourage companies and the government to share information on cyber-threats.
The vote came as the Obama administration considers issuing an executive order to implement some elements of the bill.
James Lewis, a cyber-expert at the Center for Strategic and International Studies, welcomed the new directive as bolstering the government’s capability to defend against “destructive scenarios,” such as those that Defense Secretary Leon Panetta recently outlined in a speech on cyber-security.
“It’s clear we’re not going to be a bystander anymore to cyber-attacks,” said Lewis.
The Pentagon now is expected to finalize new rules of engagement that would guide commanders on when and how the military can go outside government networks to prevent a cyber-attack that could cause significant destruction or casualties.
The presidential directive attempts to settle years of debate among government agencies about who is authorized to take what sorts of actions in cyberspace and with what level of permission.
An example of a defensive cyber-operation that once would have been considered an offensive act, for instance, might include stopping a computer attack by severing the link between an overseas server and a targeted domestic computer.
“That was seen as something that was aggressive,” said one defense official, “particularly by some at the State Department” who often arewary of actions that might infringe on other countries’ sovereignty and undermine U.S. advocacy of Internet freedom. Intelligence agencies are wary of operations that may inhibit intelligence collection. The Pentagon, meanwhile, has defined cyberspace as another military domain - joining air, land, sea and space - and wants flexibility to operate in that realm.
But cyber-operations, the officials stressed, are not an isolated tool. Rather, they are an integral part of the coordinated national security effort that includes diplomatic, economic and traditional military measures.
Information for this article was contributed by Ellen Nakashima of The Washington Post and by Eric Engleman of Bloomberg News.
Front Section, Pages 2 on 11/15/2012