The US Defense Department has been given a bright green light to draw up a global cyberattack target list at which it can deploy digital weapons with “little or no warning to the adversary or the target,” according to a Top Secret policy document leaked to the press.
The policy document, dubbed “Presidential Policy Directive 20” or PPD-20, is an 18-page cyberpolicy roadmap for the Pentagon that directs it to get on with the business of defending the US and its critical infrastructure, such as the power grid and financial sector, from foreign cyberattack.
While the existence of the document and its broad outlines were revealed in news reports last fall, and a “fact sheet” on PPD-20 was released in January, the detailed policy document leaked at week’s end shows the unleashing of a military juggernaut.
Military use of cyberweapons had been paused for about three years, waiting for the end of an intense policy debate and for orders to move ahead with force into cyberspace, cybersecurity experts say.
“What this document does is lay out authority for the US Cyber Command and Joint Chiefs to use cyberweapons,” says James Lewis, a senior fellow with the Center for Strategic and International Studies in Washington. “It lays out how and when you would use these weapons, what you would target, and how you would do so in ways consistent with the Laws of Armed Conflict, rather than just shooting at random.”
Couched in legalistic language, the document authorizes development of offensive and defensive cybersystems that are consistent with the US Constitution, US law, and the international Law of Armed Conflict – and of a target list to hit with them. The document reviewed by the Monitor, leaked to both the Guardian newspaper in London and the Washington Post, was posted on the Guardian website. [Editor's note: The original version of this story did not cite the source of the document.]
For instance, “Offensive Cyber Effects Operations,” or OCEO, is defined in the document as authorizing digital weapons for “manipulation, disruption, denial, degradation, or destruction” of “physical or virtual” computer systems.
The document says OCEO “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”
Under the heading "Policy Reviews and Preparation," the document states that: "The secretary of defense, the DNI [Director of National Intelligence], and the director of the CIA … shall prepare for approval by the president through the National Security Advisor a plan that identifies potential systems, processes and infrastructure against which the United States should establish and maintain OCEO capabilities."
Most cyberattacks must be authorized by the president, but because attacks happen in milliseconds, the document authorizes the military and other agencies to respond to the threat of an imminent attack or an emergency situation.
The document also outlines how critical infrastructure in the US is to be protected.
Despite years of wrangling, Congress has still not approved legislation addressing cybersecurity for the nation’s infrastructure, and the document does not permit the Pentagon to intrude into networks of domestic companies, such as utilities, and install defenses within computer networks that control the power grid.
But it does allow the military to defend the infrastructure from outside those networks – by identifying and undermining or destroying the attacking system and its key infrastructure. It allows government agencies, not just the military, to take “anticipatory action … against imminent threats” to infrastructure or other systems vital to the US or to US foreign policy.
The procedures outlined in the directive are consistent with the US Constitution, including the president’s role as commander-in-chief, and other applicable law and policies, the White House said in a statement.
“As we have already publicly acknowledged, last year the president signed a classified presidential directive relating to cyberoperations, updating a similar directive dating back to 2004,” Caitlin Hayden, a spokeswoman for the National Security Council, said in a statement released Friday. “This step is part of the administration’s focus on cybersecurity as a top priority. The cyberthreat has evolved, and we have new experiences to take into account.”
This directive, she writes, will “establish principles and processes that can enable more effective planning, development, and use of our capabilities. It enables us to be flexible, while also exercising restraint in dealing with the threats we face. It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action.”
Indeed, the top-secret document does in several places warn those using the roadmap to use cyberweapons only when absolutely necessary. Because cyberspace is interconnected globally, cyberweapons threaten “collateral consequences that may affect US national interests in many locations.”
Yet it’s not only collateral damage from cyberweapons, but the fuel that unleashing them provides for the current global cyberarms race that worries Ralph Langner, the Hamburg-based cybersecurity expert who in 2010 first publicly identified the Stuxnet cyberweapon that was used to attack and destroy a substantial chunk of Iran’s centrifuge system for developing nuclear fuel.
Stuxnet, the first publicly identified weapons-grade digital warhead, was created and deployed by the US – an attack authorized by President Obama and dubbed “Operation Olympic Games,” according to news reports that the White House has still not formally corroborated.
The biggest threat posed by the PPD-20, Mr. Langner writes, is the model it creates for unleashing powerful cyberweapons into the global network that can then be reworked either by hackers or rogue nation states like Iran and North Korea and relaunched back at the US.
“Nobody actually is able to predict the mid- and long-term effect of cyberweapons,” Langner notes. “The big issue is proliferation: It is much easier to rebuild a cyberweapon that is out in the open than a kinetic weapon.”
For example, even after the design of the F-35 fighter jet is leaked, it still requires a nation state to actually build one, he writes in an e-mail interview. Not so for cyber. A cyberweapons workshop can operate completely under the radar of satellite surveillance. It could even operate in foreign locations or on hostile soil. And, while building a fighter jet based on stolen blueprints may take a decade or so, a dedicated team of cyberweapons experts would need just months to reengineer a devastating cyberweapon against US critical infrastructure, he adds.
“It’s kind of a gamble,” Langner writes. “The US is betting the farm on a short-term win.... Nuclear weapons are the best-case example, here. They were used just twice. I’m afraid that won’t be the case with cyberweapons, if only because of their advantage. They are ideally suited for low-intensity conflict. This makes me project that they will be used much more often than kinetic force.”
At present, about 30 countries are actively building up offensive cyberpower, including rogue states like Iran and North Korea. Against that scenario, he envisions the US essentially supplying its adversaries with cyberweapon designs.
“It’s hard to believe that they will not try to take advantage of a new poor man’s tool for creating destruction,” Langner writes, “especially when it is so well suited to hitting technologically advanced adversaries like the United States.”