With the latest iteration of the Cybersecurity Act of 2012 once again failing to find favor in the Senate, discussion has shifted away from legislative gridlock and toward presidential action. But whereas many have been focusing on the prospects of an executive order, new reports have emerged to suggest that President Obama has already signed a classified directive that effectively authorizes the Department of Defense to adopt a more aggressive, proactive stance on securing the nation's digital infrastructure.
Presidential Policy Directive 20
The Washington Post was first to break news of this secretive document after reporters learned from high-ranking officials that the directive had been signed in mid-October. Sources suggested the policy framework broadly addresses what constitutes offensive and defensive cyber operations while including a "strict set of standards" for a variety of scenarios that could confront federal agents.
"What it does, really for the first time, is it explicitly talks about how we will use cyber operations," one senior administrator told the Post. "Network defense is what you're doing inside your own networks … Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes."
Cybersecurity has been a consistent fixture on the Obama Administration's presidential agenda, but speculation and confirmation of state-sponsored cyberattacks touching down around the world have only created a heightened sense of urgency. As a result, the document is intended to serve as a decision-support tool as cybersecurity takes on a new set of geopolitical implications.
While the full contents of PDD 20 remain confidential, government officials have openly discussed the need for and support of offensive cyber operations. Stuxnet remains the elephant in the room, of course, as the virus is largely believed to be the handiwork of U.S. and Israeli engineers. But regardless of its origin, U.S. Cyber Command director Keith Alexander has routinely spoken about the dangers that may follow Stuxnet's escape into the wild. According to the Post, he has been a strong proponent of targeted, offensive techniques such as sending "sleep" commands to rogue malware and severing network connections known to be compromised.
The administration may also have felt pressured to lay a formal blueprint for others to follow instead of allowing strategies to splinter across the private sector. As InformationWeek suggested, companies could soon be equipped and deputized to launch "strike-back" attacks as the public sector lives up to its rhetoric of cybersecurity becoming a shared national burden.
Security News from SimplySecurity.com by Trend Micro