An Aggressive New Cybersecurity Strategy

Image: CBS News Credit: Mandel Ngan via CBS News[/caption]

“Barack Obama has ordered his senior national security and intelligence officials to draw up a list of potential overseas targets for US cyber-attacks,” The Guardian reported on Friday. In a top-secret document titled “Presidential Policy Directive/PPD-20” and published by the British newspaper, the following statement, which should receive significant attention, appeared:

“[Offensive Cyber Effects Operations] can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects from subtle to severely damaging.”

This quote clearly demonstrates that the American government’s posture with regards to cyber warfare is shifting from a defensive stance to an offensive one. The statement from PPD-20 is sharply distinct from the stated cybersecurity strategy on the White House website, where the primary objectives are to “improve our resilience to cyber incidents” and to “reduce the cyber threat.” What the U.S. is saying about cybersecurity and what it is doing about cybersecurity are apparently two different things; the former sounds mostly defensive, while the latter is plainly aggressive.

However, the revelation of the presidential directive should not have surprised anyone. Two days before the document was even published in The Guardian, Reuters reported that “China’s top Internet security official says he has ‘mountains of evidence’ pointing to extensive U.S. hacking aimed at China, but it would be irresponsible to blame Washington for such attacks.” Yet, as PPD-20 shows, it would not be altogether foolish for Chinese officials to suspect U.S. government involvement in any hacking attacks.

China, of course, is not guilt-free when it comes to offensive cyber warfare strategies. At the same time, is a presidential policy directive requesting an overseas “hit list” for cyber-attacks the right move? In its assessment of the now-public document, The Guardian predicted that “Obama’s move to establish a potentially aggressive cyber warfare doctrine will heighten fears over the increasing militarization of the internet.” The British newspaper also said that “among the possible ‘significant consequences’ [of any cyber-action] are loss of life; responsive actions against the US; damage to property; serious adverse foreign policy or economic impacts.” Are these consequences worth risking in the name of cybersecurity?

The president’s actions are certainly more aggressive, but they could also be seen as an excessive escalation. The United States may not be adequately prepared for an enhanced online conflict with China. And the negative consequences of offensive U.S. action would not necessarily be restricted to the government. Echoing this sentiment, Barbara Starr of CNN wrote on June 7, “in cyberattacks, there is a unique need to assess the possibility of civilian damage.”

The release of Presidential Policy Directive 20 signals a new direction in how the United States will deal with cybersecurity issues going forward. Four months ago, Policymic’s Pierce Stanley commented that “President Obama mentioned cyber threats in his State of the Union, but the speech was thin on what the U.S. can actually do to send a clear signal to countries like China that harbor cyber spies.” Well, now that PPD-20 is out in the open, a clear signal of the Obama administration’s intent for cybersecurity has been sent. What remains to be seen is how a new, aggressive stance will change Internet-based tensions.