[governance] (Tangential) Obama orders US to draw up overseas target list for cyber-attacks
Riaz K Tayob
riaz.tayob at gmail.com
Fri Jun 7 17:46:41 EDT 2013
Obama orders US to draw up overseas target list for cyber-attacks
*Exclusive:* Top-secret directive steps up offensive cyber capabilities
to 'advance US objectives around the world'
.
<http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text>
*
Glenn Greenwald <http://www.guardian.co.uk/profile/glenn-greenwald>
and Ewen MacAskill <http://www.guardian.co.uk/profile/ewenmacaskill>
* guardian.co.uk <http://www.guardian.co.uk/>, Friday 7 June 2013
20.06 BST
* Jump to comments (371)
<http://www.guardian.co.uk/world/2013/jun/07/obama-china-targets-cyber-overseas#start-of-comments>
Obama's move to establish a cyber warfare doctrine will heighten fears
over the increasing militarization of the internet. Photograph: Jim
Young/Reuters
Barack Obama <http://www.guardian.co.uk/world/barack-obama> has ordered
his senior national security and intelligence officials to draw up a
list of potential overseas targets for US cyber-attacks, a top secret
presidential directive obtained by the Guardian reveals.
The 18-page Presidential Policy Directive 20, issued in October last
year but never published, states that what it calls Offensive Cyber
Effects Operations (OCEO) "can offer unique and unconventional
capabilities to advance US national objectives around the world with
little or no warning to the adversary or target and with potential
effects ranging from subtle to severely damaging".
It says the government will "identify potential targets of national
importance where OCEO can offer a favorable balance of effectiveness and
risk as compared with other instruments of national power".
The directive also contemplates the possible use of cyber actions inside
the US, though it specifies that no such domestic operations can be
conducted without the prior order of the president, except in cases of
emergency.
The aim of the document was "to put in place tools and a framework to
enable government to make decisions" on cyber actions, a senior
administration official told the Guardian.
The administration published some declassified talking points
<http://epic.org/privacy/cybersecurity/Pres-Policy-Dir-20-FactSheet.pdf>
from the directive in January 2013, but those did not mention the
stepping up of America's offensive capability and the drawing up of a
target list.
Obama's move to establish a potentially aggressive cyber warfare
doctrine will heighten fears over the increasing militarization of the
internet.
The directive's publication comes as the president plans to confront his
Chinese counterpart Xi Jinping at a summit in California on Friday over
alleged Chinese attacks on western targets.
Even before the publication of the directive, Beijing had hit back
against US criticism, with a senior official claiming to have "mountains
of data" on American cyber-attacks he claimed were every bit as serious
as those China <http://www.guardian.co.uk/world/china> was accused of
having carried out against the US.
Presidential Policy Directive 20 defines OCEO as "operations and related
programs or activities ... conducted by or on behalf of the United
States <http://www.guardian.co.uk/world/usa> Government, in or through
cyberspace, that are intended to enable or produce cyber effects outside
United States government networks."
Asked about the stepping up of US offensive capabilities outlined in the
directive, a senior administration official said: "Once humans develop
the capacity to build boats, we build navies. Once you build airplanes,
we build air forces."
The official added: "As a citizen, you expect your government to plan
for scenarios. We're very interested in having a discussion with our
international partners about what the appropriate boundaries are."
The document includes caveats and precautions stating that all US cyber
operations should conform to US and international law, and that any
operations "reasonably likely to result in significant consequences
require specific presidential approval".
The document says that agencies should consider the consequences of any
cyber-action. They include the impact on intelligence-gathering; the
risk of retaliation; the impact on the stability and security of the
internet itself; the balance of political risks versus gains; and the
establishment of unwelcome norms of international behaviour.
Among the possible "significant consequences" are loss of life;
responsive actions against the US; damage to property; serious adverse
foreign policy or economic impacts.
The US is understood to have already participated in at least one major
cyber attack, the use of the Stuxnet computer worm targeted on Iranian
uranium enrichment centrifuges, the legality of which has been the
subject of controversy. US reports citing high-level sources within the
intelligence services said the US and Israel were responsible for the worm.
In the presidential directive, the criteria for offensive cyber
operations in the directive is not limited to retaliatory action but
vaguely framed as advancing "US national objectives around the world".
The revelation that the US is preparing a specific target list for
offensive cyber-action is likely to reignite previously raised concerns
of security researchers and academics, several of whom have warned that
large-scale cyber operations could easily escalate into full-scale
military conflict.
Sean Lawson, assistant professor in the department of communication at
the University of Utah, argues: "When militarist cyber rhetoric results
in use of offensive cyber attack it is likely that those attacks will
escalate into physical, kinetic uses of force."
An intelligence source with extensive knowledge of the National Security
Agency's systems told the Guardian the US complaints again China were
hypocritical, because America had participated in offensive cyber
operations and widespread hacking
<http://www.guardian.co.uk/technology/hacking> -- breaking into foreign
computer systems to mine information.
Provided anonymity to speak critically about classified practices, the
source said: "We hack everyone everywhere. We like to make a distinction
between us and the others. But we are in almost every country in the world."
The US likes to haul China before the international court of public
opinion for "doing what we do every day", the source added.
One of the unclassified points released by the administration in January
stated: "It is our policy that we shall undertake the least action
necessary to mitigate threats and that we will prioritize network
defense and law enforcement as preferred courses of action."
The full classified directive repeatedly emphasizes that all
cyber-operations must be conducted in accordance with US law and only as
a complement to diplomatic and military options. But it also makes clear
how both offensive and defensive cyber operations are central to US
strategy.
Under the heading "Policy Reviews and Preparation", a section marked
"TS/NF" - top secret/no foreign - states: "The secretary of defense, the
DNI [Director of National Intelligence], and the director of the CIA ...
shall prepare for approval by the president through the National
Security Advisor a plan that identifies potential systems, processes and
infrastructure against which the United States should establish and
maintain OCEO capabilities..." The deadline for the plan is six months
after the approval of the directive.
The directive provides that any cyber-operations "intended or likely to
produce cyber effects within the United States" require the approval of
the president, except in the case of an "emergency cyber action". When
such an emergency arises, several departments, including the department
of defense, are authorized to conduct such domestic operations without
presidential approval.
Obama further authorized the use of offensive cyber attacks in foreign
nations without their government's consent whenever "US national
interests and equities" require such nonconsensual attacks. It expressly
reserves the right to use cyber tactics as part of what it calls
"anticipatory action taken against imminent threats".
The directive makes multiple references to the use of offensive cyber
attacks by the US military. It states several times that cyber
operations are to be used only in conjunction with other national tools
and within the confines of law.
When the directive was first reported, lawyers with the Electronic
Privacy <http://www.guardian.co.uk/world/privacy> Information Center
filed a Freedom of Information Act request for it to be made public. The
NSA, in a statement, refused to disclose the directive on the ground
that it was classified.
In January, the Pentagon announced a major expansion of its Cyber
Command Unit, under the command of General Keith Alexander, who is also
the director of the NSA. That unit is responsible for executing both
offensive and defensive cyber operations.
Earlier this year, the Pentagon publicly accused China for the first
time of being behind attacks on the US. The Washington Post reported
last month that Chinese hackers had gained access to the Pentagon's most
advanced military programs.
The director of national intelligence, James Clapper, identified cyber
threats in general as the top national security threat.
Obama officials have repeatedly cited the threat of cyber-attacks to
advocate new legislation that would vest the US government with greater
powers to monitor and control the internet as a means of guarding
against such threats.
One such bill currently pending in Congress, the Cyber Intelligence
Sharing and Protection Act (Cispa), has prompted serious concerns from
privacy groups, who say that it would further erode online privacy while
doing little to enhance cyber security.
In a statement, Caitlin Hayden, national security council spokeswoman,
said: "We have not seen the document the Guardian has obtained, as they
did not share it with us. However, as we have already publicly
acknowledged, last year the president signed a classified presidential
directive relating to cyber operations, updating a similar directive
dating back to 2004. This step is part of the administration's focus on
cybersecurity as a top priority. The cyber threat has evolved, and we
have new experiences to take into account.
"This directive establishes principles and processes for the use of
cyber operations so that cyber tools are integrated with the full array
of national security tools we have at our disposal. It provides a
whole-of-government approach consistent with the values that we promote
domestically and internationally as we have previously articulated in
the International Strategy for Cyberspace.
"This directive will establish principles and processes that can enable
more effective planning, development, and use of our capabilities. It
enables us to be flexible, while also exercising restraint in dealing
with the threats we face. It continues to be our policy that we shall
undertake the least action necessary to mitigate threats and that we
will prioritize network defense and law enforcement as the preferred
courses of action. The procedures outlined in this directive are
consistent with the US Constitution, including the president's role as
commander in chief, and other applicable law and policies."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/governance/attachments/20130608/210d534f/attachment.htm>
-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
governance at lists.igcaucus.org
To be removed from the list, visit:
http://www.igcaucus.org/unsubscribing
For all other list information and functions, see:
http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
http://www.igcaucus.org/
Translate this email: http://translate.google.com/translate_t
More information about the Governance
mailing list