Just as the Senate failed to pass legislation to protect the U.S. electrical grid and other critical industries from cyberattacks, it has emerged that President Barack Obama signed a “secret directive,” as reported by the Washington Post, establishing guidelines for the military to take cybersecurity action on both an offensive and defensive front.
The Washington Post quotes sources who have seen the classified information but were not authorized to go on the record. They said the directive will help officials make quick decisions in the event of a threat:
“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”
“It should enable people to arrive at more effective decisions,” said a second senior administration official. “In that sense, it’s an enormous step forward.”
The Washington Post reported that this Presidential Policy Directive 20, which was signed in October during National Cybersecurity Month, is an update to a 2004 policy and ends debate over who can do what in the event of a cyberthreat. The directive also reportedly details how officials will be able to take action in networks outside of their own to ultimately protect the data of citizens and allies. The Washington Post explained further that debate is expected to continue about what a response to a cyberthreat could look like:
The new policy makes clear that the government will turn first to law enforcement or traditional network defense techniques before asking military cyberwarfare units for help or pursuing other alternatives, senior administration officials said.
The Post reported that action on the government’s part will still require White House permission. Information Week has more on this front:
Legally speaking, there can be a fine line between so-called defensive operations — such as conducting reconnaissance — and what constitutes acceptable levels of offensive operations. On the other hand, the existence of the new directive, despite its exact contents being secret, may help private sector organizations attain greater strike-back capabilities themselves.
Following the Washington Post article, privacy advocates such as the Electronic Privacy Information Center have called for Directive 20 to be released to the public through a Freedom of Information Act request.
CNET brought up that the directive will most likely face criticism from both sides: those who want to strengthen it and those concerned about government overstep when it comes to issues like Internet freedom.
The Senate's failure Wednesday to move forward the Cybersecurity Act, which would establish cybersecurity regulations for critical infrastructure, sets Obama up to sign another executive order. His administration has said that if Congress does not pass cybersecurity legislation, the president will act to protect critical infrastructure companies from cyberthreats and electronic espionage.
The Hill reported that some Republicans opposed the bill, citing the burden some of the proposed regulations and standards would place on industry.
“Frankly, the underlying bill is not supported by the business community for all the right reasons,” Sen. Saxby Chambliss (R-Ga.) said, according to The Hill. “They’re the ones that are going to be called to comply with the mandates and the regulations, and frankly it’s just not going to give them the protection they need against cyberattacks.”
The Associated Press contributed to this report.