<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div id="main-article-info">
<h1 itemprop="name headline ">Obama orders US to draw up overseas
target list for cyber-attacks</h1>
<p itemprop="description" id="stand-first"
class="stand-first-alone"
data-component="Article:standfirst_cta"><strong>Exclusive:</strong>
Top-secret directive steps up offensive cyber capabilities to
'advance US objectives around the world'<br>
<br>
• <a
href="http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text"></a></p>
</div>
<ul class="article-attributes trackable-component b4"
data-component="Article:byline">
<li class="byline">
<div class="contributor-full"> <span itemscope=""
itemprop="author" itemtype="http://schema.org/Person"><span
itemprop="name"><a class="contributor" rel="author"
itemprop="url"
href="http://www.guardian.co.uk/profile/glenn-greenwald">Glenn
Greenwald</a></span></span> and <span itemscope=""
itemprop="author" itemtype="http://schema.org/Person"><span
itemprop="name"><a class="contributor" rel="author"
itemprop="url"
href="http://www.guardian.co.uk/profile/ewenmacaskill">Ewen
MacAskill</a></span></span> </div>
</li>
<li class="publication"> <a itemprop="publisher"
href="http://www.guardian.co.uk/">guardian.co.uk</a>, <time
itemprop="datePublished" datetime="2013-06-07T20:06BST"
pubdate="">Friday 7 June 2013 20.06 BST</time> </li>
<li class="comment-count"> <a style="display: inline;"
href="http://www.guardian.co.uk/world/2013/jun/07/obama-china-targets-cyber-overseas#start-of-comments"
class="content-comment-count" data-link-name="comment-count"
short-url="-p-3gdpy"><span class="comment-count-text">Jump to
comments</span> (<span class="comment-count-val">371</span>)</a>
</li>
</ul>
<div id="main-content-picture" itemscope="" itemprop="image"
itemtype="http://schema.org/ImageObject"> <br>
<div class="caption" itemprop="caption">Obama's move to establish
a cyber warfare doctrine will heighten fears over the increasing
militarization of the internet. Photograph: Jim Young/Reuters</div>
</div>
<div id="article-body-blocks">
<p><a href="http://www.guardian.co.uk/world/barack-obama"
title="More from guardian.co.uk on Barack Obama">Barack Obama</a>
has ordered his senior national security and intelligence
officials to draw up a list of potential overseas targets for US
cyber-attacks, a top secret presidential directive obtained by
the Guardian reveals.</p>
<p>The 18-page Presidential Policy Directive 20, issued in October
last year but never published, states that what it calls
Offensive Cyber Effects Operations (OCEO) "can offer unique and
unconventional capabilities to advance US national objectives
around the world with little or no warning to the adversary or
target and with potential effects ranging from subtle to
severely damaging".</p>
<p>It says the government will "identify potential targets of
national importance where OCEO can offer a favorable balance of
effectiveness and risk as compared with other instruments of
national power".</p>
<p>The directive also contemplates the possible use of cyber
actions inside the US, though it specifies that no such domestic
operations can be conducted without the prior order of the
president, except in cases of emergency. </p>
<p>The aim of the document was "to put in place tools and a
framework to enable government to make decisions" on cyber
actions, a senior administration official told the Guardian.</p>
<p><a
href="http://epic.org/privacy/cybersecurity/Pres-Policy-Dir-20-FactSheet.pdf">The
administration published some declassified talking points</a>
from the directive in January 2013, but those did not mention
the stepping up of America's offensive capability and the
drawing up of a target list.</p>
<p>Obama's move to establish a potentially aggressive cyber
warfare doctrine will heighten fears over the increasing
militarization of the internet.</p>
<p>The directive's publication comes as the president plans to
confront his Chinese counterpart Xi Jinping at a summit in
California on Friday over alleged Chinese attacks on western
targets.</p>
<p>Even before the publication of the directive, Beijing had hit
back against US criticism, with a senior official claiming to
have "mountains of data" on American cyber-attacks he claimed
were every bit as serious as those <a
href="http://www.guardian.co.uk/world/china" title="More from
guardian.co.uk on China">China</a> was accused of having
carried out against the US.</p>
<p>Presidential Policy Directive 20 defines OCEO as "operations
and related programs or activities … conducted by or on behalf
of the <a href="http://www.guardian.co.uk/world/usa"
title="More from guardian.co.uk on United States">United
States</a> Government, in or through cyberspace, that are
intended to enable or produce cyber effects outside United
States government networks."</p>
<p>Asked about the stepping up of US offensive capabilities
outlined in the directive, a senior administration official
said: "Once humans develop the capacity to build boats, we build
navies. Once you build airplanes, we build air forces."</p>
<p>The official added: "As a citizen, you expect your government
to plan for scenarios. We're very interested in having a
discussion with our international partners about what the
appropriate boundaries are."</p>
<p>The document includes caveats and precautions stating that all
US cyber operations should conform to US and international law,
and that any operations "reasonably likely to result in
significant consequences require specific presidential
approval".</p>
<p>The document says that agencies should consider the
consequences of any cyber-action. They include the impact on
intelligence-gathering; the risk of retaliation; the impact on
the stability and security of the internet itself; the balance
of political risks versus gains; and the establishment of
unwelcome norms of international behaviour.</p>
<p>Among the possible "significant consequences" are loss of life;
responsive actions against the US; damage to property; serious
adverse foreign policy or economic impacts.</p>
<p>The US is understood to have already participated in at least
one major cyber attack, the use of the Stuxnet computer worm
targeted on Iranian uranium enrichment centrifuges, the legality
of which has been the subject of controversy. US reports citing
high-level sources within the intelligence services said the US
and Israel were responsible for the worm.</p>
<p>In the presidential directive, the criteria for offensive cyber
operations in the directive is not limited to retaliatory action
but vaguely framed as advancing "US national objectives around
the world".</p>
<p>The revelation that the US is preparing a specific target list
for offensive cyber-action is likely to reignite previously
raised concerns of security researchers and academics, several
of whom have warned that large-scale cyber operations could
easily escalate into full-scale military conflict.</p>
<p>Sean Lawson, assistant professor in the department of
communication at the University of Utah, argues: "When
militarist cyber rhetoric results in use of offensive cyber
attack it is likely that those attacks will escalate into
physical, kinetic uses of force."</p>
<p>An intelligence source with extensive knowledge of the National
Security Agency's systems told the Guardian the US complaints
again China were hypocritical, because America had participated
in offensive cyber operations and widespread <a
href="http://www.guardian.co.uk/technology/hacking"
title="More from guardian.co.uk on Hacking">hacking</a> –
breaking into foreign computer systems to mine information.</p>
<p>Provided anonymity to speak critically about classified
practices, the source said: "We hack everyone everywhere. We
like to make a distinction between us and the others. But we are
in almost every country in the world."</p>
<p>The US likes to haul China before the international court of
public opinion for "doing what we do every day", the source
added.</p>
<p>One of the unclassified points released by the administration
in January stated: "It is our policy that we shall undertake the
least action necessary to mitigate threats and that we will
prioritize network defense and law enforcement as preferred
courses of action."</p>
<p>The full classified directive repeatedly emphasizes that all
cyber-operations must be conducted in accordance with US law and
only as a complement to diplomatic and military options. But it
also makes clear how both offensive and defensive cyber
operations are central to US strategy. </p>
<p>Under the heading "Policy Reviews and Preparation", a section
marked "TS/NF" - top secret/no foreign - states: "The secretary
of defense, the DNI [Director of National Intelligence], and the
director of the CIA … shall prepare for approval by the
president through the National Security Advisor a plan that
identifies potential systems, processes and infrastructure
against which the United States should establish and maintain
OCEO capabilities…" The deadline for the plan is six months
after the approval of the directive.</p>
<p>The directive provides that any cyber-operations "intended or
likely to produce cyber effects within the United States"
require the approval of the president, except in the case of an
"emergency cyber action". When such an emergency arises, several
departments, including the department of defense, are authorized
to conduct such domestic operations without presidential
approval.</p>
<p>Obama further authorized the use of offensive cyber attacks in
foreign nations without their government's consent whenever "US
national interests and equities" require such nonconsensual
attacks. It expressly reserves the right to use cyber tactics as
part of what it calls "anticipatory action taken against
imminent threats".</p>
<p>The directive makes multiple references to the use of offensive
cyber attacks by the US military. It states several times that
cyber operations are to be used only in conjunction with other
national tools and within the confines of law.</p>
<p>When the directive was first reported, lawyers with the
Electronic <a href="http://www.guardian.co.uk/world/privacy"
title="More from guardian.co.uk on Privacy">Privacy</a>
Information Center filed a Freedom of Information Act request
for it to be made public. The NSA, in a statement, refused to
disclose the directive on the ground that it was classified.</p>
<p>In January, the Pentagon announced a major expansion of its
Cyber Command Unit, under the command of General Keith
Alexander, who is also the director of the NSA. That unit is
responsible for executing both offensive and defensive cyber
operations.</p>
<p>Earlier this year, the Pentagon publicly accused China for the
first time of being behind attacks on the US. The Washington
Post reported last month that Chinese hackers had gained access
to the Pentagon's most advanced military programs.</p>
<p>The director of national intelligence, James Clapper,
identified cyber threats in general as the top national security
threat.</p>
<p>Obama officials have repeatedly cited the threat of
cyber-attacks to advocate new legislation that would vest the US
government with greater powers to monitor and control the
internet as a means of guarding against such threats.</p>
<p>One such bill currently pending in Congress, the Cyber
Intelligence Sharing and Protection Act (Cispa), has prompted
serious concerns from privacy groups, who say that it would
further erode online privacy while doing little to enhance cyber
security.</p>
<p>In a statement, Caitlin Hayden, national security council
spokeswoman, said: "We have not seen the document the Guardian
has obtained, as they did not share it with us. However, as we
have already publicly acknowledged, last year the president
signed a classified presidential directive relating to cyber
operations, updating a similar directive dating back to 2004.
This step is part of the administration's focus on cybersecurity
as a top priority. The cyber threat has evolved, and we have new
experiences to take into account.</p>
<p>"This directive establishes principles and processes for the
use of cyber operations so that cyber tools are integrated with
the full array of national security tools we have at our
disposal. It provides a whole-of-government approach consistent
with the values that we promote domestically and internationally
as we have previously articulated in the International Strategy
for Cyberspace.</p>
<p>"This directive will establish principles and processes that
can enable more effective planning, development, and use of our
capabilities. It enables us to be flexible, while also
exercising restraint in dealing with the threats we face. It
continues to be our policy that we shall undertake the least
action necessary to mitigate threats and that we will prioritize
network defense and law enforcement as the preferred courses of
action. The procedures outlined in this directive are consistent
with the US Constitution, including the president's role as
commander in chief, and other applicable law and policies."</p>
</div>
</body>
</html>