[governance] FW: [IP] Obama orders US to draw up overseas target list for cyber-attacks | World news | guardian.co.uk
michael gurstein
gurstein at gmail.com
Fri Jun 7 17:40:30 EDT 2013
-----Original Message-----
From: dfarber [mailto:dave at farber.net]
Sent: Friday, June 07, 2013 5:23 PM
To: ip
Subject: [IP] Obama orders US to draw up overseas target list for
cyber-attacks | World news | guardian.co.uk
http://www.guardian.co.uk/world/2013/jun/07/obama-china-targets-cyber-overse
as
Obama orders US to draw up overseas target list for cyber-attacks
Obama's move to establish a cyber warfare doctrine will heighten fears over
the increasing militarization of the internet. Photograph: Jim Young/Reuters
Barack Obama has ordered his senior national security and intelligence
officials to draw up a list of potential overseas targets for US
cyber-attacks, a top secret presidential directive obtained by the Guardian
reveals.
The 18-page Presidential Policy Directive 20, issued in October last year
but never published, states that what it calls Offensive Cyber Effects
Operations (OCEO) "can offer unique and unconventional capabilities to
advance US national objectives around the world with little or no warning to
the adversary or target and with potential effects ranging from subtle to
severely damaging".
It says the government will "identify potential targets of national
importance where OCEO can offer a favorable balance of effectiveness and
risk as compared with other instruments of national power".
The directive also contemplates the possible use of cyber actions inside the
US, though it specifies that no such domestic operations can be conducted
without the prior order of the president, except in cases of emergency.
The aim of the document was "to put in place tools and a framework to enable
government to make decisions" on cyber actions, a senior administration
official told the Guardian.
The administration published some declassified talking points from the
directive in January 2013, but those did not mention the stepping up of
America's offensive capability and the drawing up of a target list.
Obama's move to establish a potentially aggressive cyber warfare doctrine
will heighten fears over the increasing militarization of the internet.
The directive's publication comes as the president plans to confront his
Chinese counterpart Xi Jinping at a summit in California on Friday over
alleged Chinese attacks on western targets.
Even before the publication of the directive, Beijing had hit back against
US criticism, with a senior official claiming to have "mountains of data" on
American cyber-attacks he claimed were every bit as serious as those China
was accused of having carried out against the US.
Presidential Policy Directive 20 defines OCEO as "operations and related
programs or activities . conducted by or on behalf of the United States
Government, in or through cyberspace, that are intended to enable or produce
cyber effects outside United States government networks."
Asked about the stepping up of US offensive capabilities outlined in the
directive, a senior administration official said: "Once humans develop the
capacity to build boats, we build navies. Once you build airplanes, we build
air forces."
The official added: "As a citizen, you expect your government to plan for
scenarios. We're very interested in having a discussion with our
international partners about what the appropriate boundaries are."
The document includes caveats and precautions stating that all US cyber
operations should conform to US and international law, and that any
operations "reasonably likely to result in significant consequences require
specific presidential approval".
The document says that agencies should consider the consequences of any
cyber-action. They include the impact on intelligence-gathering; the risk of
retaliation; the impact on the stability and security of the internet
itself; the balance of political risks versus gains; and the establishment
of unwelcome norms of international behaviour.
Among the possible "significant consequences" are loss of life; responsive
actions against the US; damage to property; serious adverse foreign policy
or economic impacts.
The US is understood to have already participated in at least one major
cyber attack, the use of the Stuxnet computer worm targeted on Iranian
uranium enrichment centrifuges, the legality of which has been the subject
of controversy. US reports citing high-level sources within the intelligence
services said the US and Israel were responsible for the worm.
In the presidential directive, the criteria for offensive cyber operations
in the directive is not limited to retaliatory action but vaguely framed as
advancing "US national objectives around the world".
The revelation that the US is preparing a specific target list for offensive
cyber-action is likely to reignite previously raised concerns of security
researchers and academics, several of whom have warned that large-scale
cyber operations could easily escalate into full-scale military conflict.
Sean Lawson, assistant professor in the department of communication at the
University of Utah, argues: "When militarist cyber rhetoric results in use
of offensive cyber attack it is likely that those attacks will escalate into
physical, kinetic uses of force."
An intelligence source with extensive knowledge of the National Security
Agency's systems told the Guardian the US complaints again China were
hypocritical, because America had participated in offensive cyber operations
and widespread hacking - breaking into foreign computer systems to mine
information.
Provided anonymity to speak critically about classified practices, the
source said: "We hack everyone everywhere. We like to make a distinction
between us and the others. But we are in almost every country in the world."
The US likes to haul China before the international court of public opinion
for "doing what we do every day", the source added.
One of the unclassified points released by the administration in January
stated: "It is our policy that we shall undertake the least action necessary
to mitigate threats and that we will prioritize network defense and law
enforcement as preferred courses of action."
The full classified directive repeatedly emphasizes that all
cyber-operations must be conducted in accordance with US law and only as a
complement to diplomatic and military options. But it also makes clear how
both offensive and defensive cyber operations are central to US strategy.
Under the heading "Policy Reviews and Preparation", a section marked "TS/NF"
- top secret/no foreign - states: "The secretary of defense, the DNI
[Director of National Intelligence], and the director of the CIA . shall
prepare for approval by the president through the National Security Advisor
a plan that identifies potential systems, processes and infrastructure
against which the United States should establish and maintain OCEO
capabilities." The deadline for the plan is six months after the approval of
the directive.
The directive provides that any cyber-operations "intended or likely to
produce cyber effects within the United States" require the approval of the
president, except in the case of an "emergency cyber action". When such an
emergency arises, several departments, including the department of defense,
are authorized to conduct such domestic operations without presidential
approval.
Obama further authorized the use of offensive cyber attacks in foreign
nations without their government's consent whenever "US national interests
and equities" require such nonconsensual attacks. It expressly reserves the
right to use cyber tactics as part of what it calls "anticipatory action
taken against imminent threats".
The directive makes multiple references to the use of offensive cyber
attacks by the US military. It states several times that cyber operations
are to be used only in conjunction with other national tools and within the
confines of law.
When the directive was first reported, lawyers with the Electronic Privacy
Information Center filed a Freedom of Information Act request for it to be
made public. The NSA, in a statement, refused to disclose the directive on
the ground that it was classified.
In January, the Pentagon announced a major expansion of its Cyber Command
Unit, under the command of General Keith Alexander, who is also the director
of the NSA. That unit is responsible for executing both offensive and
defensive cyber operations.
Earlier this year, the Pentagon publicly accused China for the first time of
being behind attacks on the US. The Washington Post reported last month that
Chinese hackers had gained access to the Pentagon's most advanced military
programs.
The director of national intelligence, James Clapper, identified cyber
threats in general as the top national security threat.
Obama officials have repeatedly cited the threat of cyber-attacks to
advocate new legislation that would vest the US government with greater
powers to monitor and control the internet as a means of guarding against
such threats.
One such bill currently pending in Congress, the Cyber Intelligence Sharing
and Protection Act (Cispa), has prompted serious concerns from privacy
groups, who say that it would further erode online privacy while doing
little to enhance cyber security.
In a statement, Caitlin Hayden, national security council spokeswoman, said:
"We have not seen the document the Guardian has obtained, as they did not
share it with us. However, as we have already publicly acknowledged, last
year the president signed a classified presidential directive relating to
cyber operations, updating a similar directive dating back to 2004. This
step is part of the administration's focus on cybersecurity as a top
priority. The cyber threat has evolved, and we have new experiences to take
into account.
"This directive establishes principles and processes for the use of cyber
operations so that cyber tools are integrated with the full array of
national security tools we have at our disposal. It provides a
whole-of-government approach consistent with the values that we promote
domestically and internationally as we have previously articulated in the
International Strategy for Cyberspace.
"This directive will establish principles and processes that can enable more
effective planning, development, and use of our capabilities. It enables us
to be flexible, while also exercising restraint in dealing with the threats
we face. It continues to be our policy that we shall undertake the least
action necessary to mitigate threats and that we will prioritize network
defense and law enforcement as the preferred courses of action. The
procedures outlined in this directive are consistent with the US
Constitution, including the president's role as commander in chief, and
other applicable law and policies."
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/22720195-c2c7cbd3
Modify Your Subscription:
https://www.listbox.com/member/?member_id=22720195&id_secret=22720195-8fdd43
08
Unsubscribe Now:
https://www.listbox.com/unsubscribe/?member_id=22720195&id_secret=22720195-9
7c5b007&post_id=20130607172313:740D7484-CFB8-11E2-A664-EFF6DD6631B7
Powered by Listbox: http://www.listbox.com
-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
governance at lists.igcaucus.org
To be removed from the list, visit:
http://www.igcaucus.org/unsubscribing
For all other list information and functions, see:
http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
http://www.igcaucus.org/
Translate this email: http://translate.google.com/translate_t
More information about the Governance
mailing list