Obama orders target list for cyberattacks
US President Barack Obama has ordered senior national security and intelligence officials to draw up a list of potential overseas targets for US cyberattacks, a top secret presidential directive obtained by The Guardian reveals.
The 18-page Presidential Policy Directive 20, issued last October but not published, states that "Offensive Cyber Effects Operations [OCEO] … can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging".
It also contemplates the possible use of cyberattacks inside the US, but says domestic operations cannot be conducted without the prior order of the president, except in emergencies.
The aim of the document was "to put in place tools and a framework to enable government to make decisions" on cyberactions, a senior administration official told The Guardian.
The administration published some declassified talking points from the directive in January 2013, but those did not mention the stepping up of America's offensive capability and the drawing up of a target list.
The directive's publication came just before the president met his Chinese leader Xi Jinping at a summit in California.
Even before the publication of the directive, Beijing had hit back against US allegations of Chinese cyberattacks, with a senior official claiming to have "mountains of data" on American cyberattacks he claimed were just as serious as those China is accused of having carried out against the US.
Presidential Policy Directive 20 defines OCEO as "operations and related programs or activities … conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States government networks."
Asked about the stepping up of US offensive capabilities outlined in the directive, a senior administration official said: "Once humans develop the capacity to build boats, we build navies. Once you build airplanes, we build air forces."
The document says that agencies should consider the consequences of any cyberaction, including the impact on intelligence-gathering, the risk of retaliation, the impact on the stability and security of the internet itself, the balance of political risks versus gains, and the establishment of unwelcome norms of international behaviour.
Among the possible "significant consequences" are loss of life, responsive actions against the US, damage to property, and serious adverse foreign policy or economic impacts.
The US is understood to have already participated in at least one major cyberattack, using the Stuxnet computer worm to target Iranian uranium enrichment centrifuges.
In the presidential directive, the criteria for offensive cyberoperations is not limited to retaliatory action but vaguely framed as advancing "US national objectives around the world".
An intelligence source with extensive knowledge of National Security Agency systems told The Guardian the US complaints again China were hypocritical, as the US had taken part in offensive cyberoperations and widespread hacking of foreign computer systems to mine information.
Provided anonymity to speak critically about classified practices, the source said: "We hack everyone everywhere. We like to make a distinction between us and the others. But we are in almost every country in the world."
The US likes to haul China before the international court of public opinion for "doing what we do every day", the source said.
The directive repeatedly emphasises that all cyber-operations must be conducted in accordance with US law and only as a complement to diplomatic and military options. But it also makes clear how both offensive and defensive cyber operations are central to US strategy.