In a classified directive that was signed in October, President Barack Obama has given the Defense Department clearer guidelines on how it should conduct operations in cyberspace.
The directive, whose existence was first reported Nov. 14 in The Washington Post and subsequently was confirmed by Arms Control Today, is designed to clarify government roles in protecting U.S. computer networks from attack.
In a Dec. 12 interview, Tim Sample, vice president for special programs at Battelle Memorial Institute, which describes itself as the world’s largest nonprofit research and development organization, said he believed that the directive is meant to delineate thresholds between defensive and offensive actions in cyberspace.
Part of the value of such a distinction is that it would give the Pentagon guidance on how to conduct operations, said Sample, who previously worked as a CIA analyst and as staff director of the House Permanent Select Committee on Intelligence. For example, he said, “one of the big issues” the directive addresses is the possibility of pre-emptive attacks in cyberspace and the circumstances under which they may be conducted.
Over the past several months, Defense Secretary Leon Panetta and other Pentagon officials have made public statements about the rules of engagement in cyberspace. (See ACT, November 2012.) Formulating rules of engagement “is hard to do without clearer guidelines,” Sample said. “My impression is that [the directive] takes an important step to help clarify [the Pentagon’s] expectations, but it’s not the final word.”
The directive is the latest in a series of documents outlining U.S. cyberpolicy since Obama took office in 2009. The Pentagon released its cyber strategy document on July 14, 2011. The document was criticized by some at the time for not having enough detail on offensive cyberoptions. (See ACT, September 2011.)
Strategies and Capabilities
In a Dec. 12 interview, Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council and director of cyberinfrastructure protection at the White House under President George W. Bush, said that “the rules of engagement seem to be a settled issue.” Healey said he is “deeply worried” that the new rules lower the threshold for a U.S. response.
During his time in the Air Force in the late 1990s, Healey contributed to some of the first cyber rules of engagement during the military’s initial struggles with the implications of the inherent right of commanders to respond in kind if under a cyberattack.
Healey said he believes that the focus by cyberspecialists in industry and the government on the time it takes to respond to a cyberattack or incident makes it likely that the Pentagon is granting mid- to low-level officers the authority to retaliate to a cyberattack.
“Cyberconflicts develop over weeks, months, or years,” Healey said. “That means that we don’t need to push response authority too low, as there has been time for more reflective decision-making before shooting back. Given how new cyberspace is and how vulnerable we are, leaving more time for politicians, diplomats, and generals to deliberate should be a priority.”
As part of the Pentagon’s effort to master cyberspace, the Defense Advanced Research Projects Agency in November began soliciting research proposals “in the area of understanding, planning, and managing” military cyberoperations. In a program known as Plan X, the Pentagon is creating a virtual “cyberrange,” which replicates global networks to allow the Defense Department to test its cyberspace-related capabilities and strategies.
Executive Order
The news of the presidential directive comes at a time when the White House is working on an executive order designed to reduce the risk of cyberattacks on the country’s “critical infrastructure,” a term generally understood to refer to include power grids and transportation infrastructure.
The Nov. 21 draft of the executive order, a copy of which was obtained by Arms Control Today, requires the secretary of homeland security to identify the infrastructure at greatest risk and in which “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security or national security.”
According to media accounts, the executive order, which is expected to be issued soon, is an attempt to do what Congress has not done and begin securing the nation’s critical infrastructure from a potentially devastating cyberattack. Several pieces of cybersecurity legislation were introduced during the last Congress, but none passed.
Legislation on cybersecurity issues is expected to be taken up by the Congress that convened in January.
Sample said that the administration or Congress “ends up taking the steps they think they can accomplish versus what is needed in the big picture. What you see is good, well-meaning legislation or regulation in bits and pieces.” Sample called for a public debate on cybersecurity and on legislation dealing with that issue. “If you do everything behind closed doors, then not only do your allies not understand where you are and what you are doing, your adversaries don’t either,” he said. “That is a calculus for missteps and misunderstandings.”