Obama’s Secret Directive Keeps Evolving Cybersecurity Policy Concealed
President Barack Obama has issued and signed a secret presidential directive that the Washington Post reports is “the most extensive White House effort to date to wrestle with what constitutes an ‘offensive’ and a ‘defensive’ action in the rapidly evolving world of cyberwar and cyberterrorism.”
The directive—Presidential Policy Directive 20—will reportedly make it possible for the United States military to respond more aggressively to “thwart cyberattacks on the nation’s web of government and private computer networks.” It “establishes a broad and strict set of standards to guide the operations of federal agencies.” And, according to Ellen Nakashima, “For the first time, the directive explicitly makes a distinction between network defense and cyber operations to guide officials charged with making often rapid decisions when confronted with threats.”
Additionally, the secret policy maps out a process for vetting “operations outside government and defense networks” and ensuring “US citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.” As one senior administration official told the Post, “What it does, really for the first time, is it explicitly talks about how we will use cyber operations…Network defense is what you’re doing inside your own networks. . . .Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
The secret directive updates a 2004 presidential directive issued and signed by President George W. Bush that remains secret.
There are a few key points to make here: First, Obama ordered cyber attacks on Iran before this policy was established. That was acceptable and carried out mostly without question from anyone in the establishment or press. It definitely was not a campaign issue. Second, this information was classified. It was leaked to the Post. If it were not for a leak, the public would not know Obama had signed and issued a directive containing evolving cybersecurity policy. And the directive could probably be released to the public without jeopardizing national security if all it does is lay out scenarios where the military or government agencies can or should respond defensively and/or offensively.
Details on the cyber attacks in Iran were revealed through “leaks.” It is part of what set off this bipartisan hysteria in Washington that led to anti-leaks proposals being included in an intelligence authorization bill that Sen. Ron Wyden placed a public hold on today.
David Sanger of the New York Times reported on June 1:
From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.
Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.
Sanger noted this was the first time the United States had “repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives.” Obama was reportedly concerned that acknowledging the use of cyberweapons might “enable other countries, terrorists or hackers to justify their own attacks.”
The cyber attacks were detailed more extensively in Sanger’s book, Confront and Conceal. They were part of Obama’s “light-footprint strategy.” Like drone warfare, the employment of cyber attacks was intended to ensure America’s “military predominance around the globe without resorting to the lengthy, expensive and unpopular wars and occupations that dominated the past decade.”
Sanger posed some critical policy questions:
…What is the difference between attacking a country’s weapons-making machinery through a laptop computer or through bunker-busters? What happens when other states catch up with American technology—some already have—and turn these weapons on targets inside the United States or American troops abroad, arguing it was Washington that set the precedent for their use?… And as the White House gets more comfortable with the technology—because it mixes, in the words of one of Obama’s national security aides, “precision, economy and deniability”—what are the implications of relying on them so frequently as a permanent expression of American power?
Perhaps the secret directive answers some of these questions, but so long as it remains secret there will be a vacuum that can only be filled with presumptions and speculation.
The American Civil Liberties Union’s Michelle Richardson reacted to the details on the secret directive in the Post.
“This article is really vague,” she said. “It’s hard to really judge how good or bad this is. Theoretically, if in the details it does toe the right lines, it could be an improvement inasmuch as it regulates an area that is right now undetermined… but it’s almost impossible to judge where they drew the line [without seeing the directive itself].”
The Electronic Frontier Foundation (EFF) was, according to Raw Story, “puzzled” as well. So long as the details in the Post are all that is public, the directive will be “outside of our expertise,” the organization stated.
Both the ACLU and EFF are organizations that engage in watchdog activities. Thus, this is a prime example of how government secrecy can make it impossible for an organization to scrutinize policies that might be objectionable. Without facts or concrete details, they cannot judge whether to take action, and so they are understandably muted in their reaction.
On May 30, 2011, the Wall Street Journal reported the Pentagon had “concluded that computer sabotage from another country” could “constitute an act of war.” WSJ suggested this would open the door to responding to sabotage with “traditional military force.” These details came from a formal cyber strategy the Pentagon had put together for responding to cyber threats to critical infrastructure. One imperious military official was quoted, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
How does this new policy enhance or expand upon the Pentagon strategy? It is impossible to know. (And it is worth speculating that the reason more details did not “leak” is that intelligence agency heads indicated in June they would no longer tolerate intelligence agency employees talking to the press without authorization.)
President George W. Bush issued sixty-six national security directives. At least thirty of them are still classified. Obama has issued twenty presidential policy directives. Only five of them are public.
Steven Aftergood of Secrecy News has urged Obama to release a “summary account” of each of the national security directives Bush signed, which remain secret:
…Of the 54 National Security Presidential Directives issued by the (George W.) Bush Administration to date, the titles of only about half have been publicly identified. There is descriptive material or actual text in the public domain for only about a third. In other words, there are dozens of undisclosed Presidential directives that define U.S. national security policy and task government agencies, but whose substance is unknown either to the public or, as a rule, to Congress…
One might recall Obama said in his first days of office his presidency was “the beginning of a new era of openness in our country.” He told reporters, “For a long time now there’s been too much secrecy in this city.” He paraphrased former Attorney General John Ashcroft and said, “The old rules said that if there was a defensible argument for not disclosing something to the American people, then it should not be disclosed… That era is now over.” He claimed his administration would be on the side of those that seek to make information known and he would hold himself to a “new standard of openness.”
Since then he has presided over a government that has targeted a media organization known as WikiLeaks, which has as its mission a commitment to make information known. He has also embraced the Bush Administration tactic of using overly broad “state secrets” claims to prevent the declassification or exposure of information; fought court orders to release photos depicting abuse of detainees held in US custody and supported legislation to retroactively exempt the photos from release under the Freedom of Information Act (FOIA); threatened to veto legislation to reform congressional notification procedures for covert actions; refused to declassify information on Section 215 of the PATRIOT Act, a section believed to allow for the collection of information not relevant to espionage or terrorism investigations; and aggressively pursued a war on whistleblowing by prosecuting whistleblowers to a greater degree than any previous president.
The opposite has happened. Obama has ushered in a new standard of secrecy in government. The decision to conceal evolving cybersecurity policy in a secret directive is a continuation of this standard, which he set during his first term and intends to perpetuate during his second term.