Are there new rules for cyberwar?
Reports that the Trump administration has rescinded an Obama-era directive guiding the use of offensive cyber operations has cybersecurity experts pondering what, if anything, has replaced it.
The Trump administration rescinded Presidential Policy Directive 20, a move that sets the stage for more aggressive use of offensive cyber operations by the Pentagon against nation-states and their associate hacking groups, the Wall Street Journal reported Aug. 15.
The classified Obama-era directive, leaked by Edward Snowden in 2013, set an interagency process that governs the use of U.S. offensive and defensive cyber operations. It requires approval from the president for cyber actions with "significant consequences," spells out strict conditions for when the secretary of Defense may engage in emergency cyber operations and lays out a multiagency vetting process that includes intelligence agencies and the Departments of Homeland Security and Justice.
The news triggered debate among experts about what will replace the rescinded policy and what type of guardrails will guide U.S. cyber operations moving forward.
On Capitol Hill, many lawmakers have expressed a desire to unshackle U.S. CyberCom and other agencies to hit back at adversary nations with in-kind cyberattacks that disrupt the operations of foreign-backed hacking groups at their source.
Bobby Chesney, a law professor at the University of Texas, noted in a post on Lawfare that "the only reasonable inference is that there will be less interagency vetting before [U.S. Cyber Command] can conduct an operation."
Jason Healey, a former government official and current director of the Cyber Statecraft Initiative at the Atlantic Council, worried that the change could open up the potential for more aggressive action from CyberCom without metrics for victory.
The U.S. is wading into uncharted territory by freeing up U.S. cyber warriors to engage in offensive conflict, Healy warned.
"This is not just a normal war with an adversary that can be defeated," Healey wrote on Twitter in reaction to the news. "It is not just persistent but permanent, a constant state of online engagement between nuclear-armed states. So sure, authorize changes to PPD-20, but recognize this is an experiment."
Thus far in public, Trump administration officials have repeatedly stated a desire not to get into a tit-for-tat cyberwar with adversaries. Instead, administration officials have promoted the use of non-cyber tools such as public "name and shame" tactics that publicly attribute malicious cyber attacks to nation-states, economic sanctions, criminal indictments and other diplomatic and legal tools to enforce behavioral norms in cyberspace.
Christopher Painter, former cyber coordinator for the State Department, indicated that the change could be an improvement on the status quo or a setback, depending on what the replacement policy is and whether such offensive cyber operations become another tool used in conjunction with existing diplomatic and legal instruments.
"We need to have strong cyber capabilities but they should be used, like other tools, as an integrated part of all our capabilities (and not as an isolated bright, shiny object)," Painter said on Twitter.
P.W. Singer, author of "Cybersecurity and Cyberwar" and a frequent Trump critic, said that the "cautious, lawyerly, centralized" PPD-20 was likely in need of an update but that the complex interagency process it outlined was necessary to weigh competing priorities. He questioned whether the Trump administration has the necessary expertise in place after dismissing Tom Bossert and Rob Joyce, two respected officials with backgrounds in cyber policy, from the National Security Council earlier this year.
A representative from the National Security Council did not immediately respond to a request for comment.
NEXT STORY: Marines get into the bug-bounty game