WASHINGTON — Perhaps lost in all the coverage involving the leaking of classified documents by former Booz Allen Hamilton employee Edward Snowden this month was one development that outlines an exceedingly complex undertaking of the Obama administration: trying to define and guide military operations in cyberspace.
The document, “Presidential Policy Directive 20,” was signed in October, and several details about its contents were reported by the Washington Post the following month. But the full scope of the directive, which includes both specific definitions of cyberspace and distinctions between offensive and defensive cyber actions, didn’t become clear until the text of the document was published by the Guardian as part of its ongoing series disclosing details leaked by Snowden.
Trying to provide those definitions had held up progress in normalizing cyber as an operational space for the military since the last major cyber presidential directive was signed in 2004. That directive, also classified, pushed decisions on cyber operations to the White House but did not begin to grapple with the larger difficulties involved in including cyber in broader policy and doctrine.
“The directive means that the military is trying to get a handle on how you use it, how it’s applied; they’re trying to make it another source of fire; they’re developing doctrine and rules,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
The document, confirmed by sources as authentic and set to be declassified in 2037, begins by tackling one of the running debates surrounding cyber policy: What is cyberspace?
As the directive defines it, cyberspace is “the interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computers, information or communications systems, networks and embedded processors and controllers.”
Those last two items ostensibly mean that any electronic device, even modern dishwashers that possess smart technology, can be considered part of cyberspace.
But beyond outlining the domain, the directive distinguishes between offensive and defensive cyber actions, or “cyber effects” that include destroying an enemy’s computer system. Defensive Cyber Effects Operations (DCEO) aren’t defined by the type of cyber action that’s taken, but instead are described based on intent. Actions designed to protect the US from imminent threats, ongoing attacks or malicious activity against US national interests are deemed defensive.
Offensive operations aren’t positively defined. Instead, they are described as any cyber operation that produces effects that aren’t defensive.
The President's Discretion
Beyond the definitions, the document included several major policy decisions about the use of cyberattack tools. The president maintained a requirement that any cyber operation that involves cyber effects in the US receive his approval but authorized the defense secretary to use DCEO against attackers outside of the United States without first receiving White House approval if action is immediately needed.
In May, Defense News reported that the Defense Department was close to completing new classified standing rules of engagement that outline how and when the military would use cyber tools against attackers without seeking presidential consent each time. Those rules will provide greater detail and specificity than the general framework provided in the presidential directive.
In a statement, National Security Council spokeswoman Caitlin Hayden described the document as part of the process of updating policy as cyber has evolved.
“This directive establishes principles and processes for the use of cyber operations, so that cyber tools are integrated with the full array of national security tools we have at our disposal,” she said. “This directive will establish principles and processes that can enable more effective planning, development and use of our capabilities. It enables us to be flexible, while also exercising restraint in dealing with the threats we face.
“It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action,” Hayden said. “The procedures outlined in this directive are consistent with the US Constitution, including the president’s role as commander in chief, and other applicable law and policies.”
Is Secrecy Needed?
Lewis said that while it’s an important document, the fact that the government is moving ahead with defining military operations in cyberspace isn’t surprising and is long overdue.
“The document itself is fairly benign,” Lewis said. “People are unwilling to admit that it’s been an armed space since the 1990s. China had doctrine in the ’90s. Russia had doctrine in the ’90s.”
And the secrecy surrounding the development of a new cyber policy is unnecessary, he said.
“Why was it classified?” he said. “There’s a point where greater transparency would help calm some of the fears the public would have.”
One of the more sensational passages of the directive describes a list to be drawn up by senior administration officials of potential targets for cyberattacks. Experts said this list is more significant as a policy discussion about what types of targets might be attacked and less about identifying any particular entity.
The fact that discussion of types of cyber targets is so closely guarded stands in stark contrast to the treatment of nuclear weapons during the Cold War, said Ben Sheppard, a senior associate at the Institute for Alternative Futures. With nuclear doctrine there was regular, open debate at think tanks about what would be an appropriate use of the weapons.
“If you go back to the Cold War, there was plenty of discussion of nuclear doctrine, but with cyber, everything is highly classified,” he said. “For example, the nuclear doctrine talked about nuclear targets.”
Sheppard said the lack of transparency limits the effectiveness of cyber capabilities as deterrents.
“By having a discussion about a doctrine, you are then making it clear to adversaries as to what the red lines are,” he said. “That, in itself, could serve as a useful deterrent. Effective deterrence requires that the other side know how you would respond.”