Obama secretly signs the most aggressive cybersecurity directive ever
Pres. Obama has autographed an executive order outlining protocol and procedures for the US military to take in the name of preventing cyberattacks from foreign countries, the Washington Post reports, once and for all providing instructions from the Oval Office on how to manage the hush-hush assaults against opposing nation-states that have all been confirmed by the White House while at the same time defending America from any possible harm from abroad.
According to Post’s sources, namely “officials who have seen the classified document and are not authorized to speak on the record,” Pres. Obama signed the paperwork in mid-October. Those authorities explain to the paper that the initiative in question, Presidential Policy Directive 20, “establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace.”
Confronting a threat may sound harmless, but begs to introduce a chicken-and-the-egg scenario that could have some very serious implications. The Post describes the directive as being “the most extensive White House effort to date to wrestle with what constitutes an ‘offensive’ and a ‘defensive’ action in the rapidly evolving world of cyberwar and cyberterrorism,” but the ambiguous order may very well allow the US to continue assaulting the networks of other nations, now with a given go-ahead from the commander-in-chief. Next in line, the Post says, will be rules of engagement straight from the Pentagon that will provide guidelines for when to carry out assaults outside the realm of what is considered ‘American’ in terms of cyberspace.
“What it does, really for the first time, is it explicitly talks about how we will use cyber operations,” one senior administration official tells the paper of the policy directive. “Network defense is what you’re doing inside your own networks. . . . Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
When The New York Times published an exposé on the White House’s so-called Olympics Games program earlier this year, the world became fully aware for once of America’s involvement in international cyberwar, but much to the chagrin of Washington. Officials including members of Pres. Obama’s national security team spoke on condition of anonymity to tell the Times that his predecessor, then-Pres. George W. Bush, began the program in 2006 to target Iran’s nuclear facilities and then passed it along to the current administration to continue under the leadership of the current commander-in-chief.
“From his first months in office,” David Sanger wrote for the Times, Pres. Obama “secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons.”
Congress has fought tooth-and-nail in the months since to plug any leaks that could potentially spill the beans regarding any further secrets with the potential of effecting national security, but those efforts appear unsuccessful given this week’s Post report on Presidential Police Directive 20.
Now take the example of Iran: according to the Post, Pres. Obama’s signature on last month’s directive means the US now has rules and regulations when it comes to protecting its own infrastructure from cyberattack, and can do so by means of launching what appear to be pre-emptive assaults of their own.
“It should enable people to arrive at more effective decisions,” a second senior administration official tells the Post. “In that sense, it’s an enormous step forward.”
That comment echoes US Defense Secretary Leon Panetta’s insistence earlier this year that “defense alone is not enough” in terms of keeping the country safe. But what it also seems to do is put on the books a presidential policy that equates an overzealous offense with a solid defense. While the US has cited Iranian hackers as the key players behind a recent attack on the websites of Capital One Financial Corp. and BB&T Corp., two of the biggest names in the American banking industry, the US has done little — on the record — to reveal any similar assaults from abroad. Instead, rather, it’s relied on fear-mongering to try and convince the country to accept a cybersecurity legislation that will assure American’s safety from foreign hackers, all for the small price of sacrificing their digital-age privacy.
While the Obama White House has failed to acknowledge the Olympic Games program or any involvement in the Stuxnet or Flames viruses linked to the initiative, computer researchers in both the US and Russia have tied Washington to the cripplingly malicious coding. Earlier this month, California-based Chevron, one of the world’s leaders in the oil sector, went public with claims that Stuxnet had infected — but not affected — their computers after the virus was unleashed.
The ability to slow down or speed up centrifuges in nuclear facilities from thousands of miles away made Stuxnet a virus that had very substantial powers. Refusing to speak of the Olympic Games program specifically, former CIA chief Michael Hayden told the Times, “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction.”
According to the Post’s latest, though, future assaults by way of Stuxnet or similar worms could be considered by Washington as defense mechanisms to make sure Iran doesn’t retaliate for what America has long-been lashing out with. One source tells the Times that, before last month’s directive, severing any link between a US-computer and an overseas server by any means possible would be an act that would put America on the offensive. Now even a preemptive attack that disconnects other countries could be considered a defensive ploy according to the president.
“That was seen as something that was aggressive…particularly by some at the State Department,” one defense official tells the Post. With the signing of Pres. Obama’s latest order, though, the paper writes that the directive “effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.”
It is thought that, through the directive, any systems linked even remotely with America’s can be fair game for an assault. Given the expansion of cloud computing and the ever-expanding interconnection of communities across the globe on the Web, though, that could essentially enable Uncle Sam’s cybersquad to get away with a whole new slew of tricks to try and topple adversaries of any kind that threaten the American way of life. When and where those actions are necessary, of course, remains another topic of discussion. Will those orders be signed in secrecy as well, though?