According to news reports, this secret Directive enables the military to act more aggressively to thwart cyberattacks on the nation's government and private computer networks. It establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace.
The Directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats. The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens' and foreign allies' data and privacy are protected and international laws of war are followed.
The Directive states that what it calls Offensive Cyber Effects Operations (OCEO) "can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging." It says the government will "identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power."
The Directive also contemplates the possible use of cyber actions inside the United States, though it specifies that no such domestic operations can be conducted without the prior order of the president, except in cases of emergency.
The aim of the Directive was "to put in place tools and a framework to enable government to make decisions" on cyber actions.
"PPD-20 closes a perceived gap in the authorities necessary for DOD to defend the nation in cyberspace, a gap that has not been addressed by Congress. The directive does not create new powers for federal agencies or the military; however, by distinguishing between network defense and cyber operations, it provides a policy framework for the Pentagon's rules of engagement for cyberspace. As specifically described in the White House fact sheet, PPD-20:
- takes into account the evolution of the threat and growing experience with the threat;
- establishes principles and processes for using cyber operations so cyber tools are integrated with the full array of national security tools;
- provides a whole-of-government approach consistent with values promoted domestically and internationally and articulated in the International Strategy for Cyberspace;
- mandates that the United States take the least action necessary to mitigate threats; and
- prioritizes network defense and law enforcement as preferred courses of action."
This Directive superseded National Security Presidential Directive 38 and complements but does not affect NSPD-54/Homeland Security Presidential Directive 23, National Security Presidential Directive 42 and PPD-8.
- "Obama Signs Secret Directive to Help Thwart Cyberattacks," Wash. Post (Nov. 14, 2012) (full-text).
- Glenn Greenwald & Ewen MacAskill, "Obama orders US to draw up overseas target list for cyber-attacks," The Guardian (June 7, 2013) (full-text).
External Resources
- Joshua Eaton, "American cyber-attack list uncovered," Al Jazeera (full-text).