Obama Administration Confirms Secret Cybersecurity Policy

The Obama Administration has confirmed Presidential Policy Directive 20, which will create a classified national policy for handling attacks on the country’s national computing infrastructure.

Details of the policy remain scant; the Electronic Privacy Information Center (EPIC) announced April 22 that it was pursuing a full public release via the Freedom of Information Act.

Directive 20, issued by the Obama Administration last year, “establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools we have at our disposal,” according to the declassified summary.

The goal of these principles and processes is to enable more effective planning, development, and use of the government’s capabilities, the document adds: “It is our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as preferred courses of action.”

The administration pledged that the directive would be consistent with its International Strategy for Cyberspace (PDF), released in 2011, which promised that any cyber-defense stratagem would honor the country’s commitment to freedom, privacy, and the free flow of information.

A Washington Post article first revealed Directive 20, and featured administration officials describing how the policy sets forth defensive and offensive actions in the context of an electronic attack.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official told the newspaper. “Network defense is what you’re doing inside your own networks… Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”

According to the report, the Pentagon views the electronic landscape as part of its domain, and wants it added to land, sea and air as spaces where battles can be fought. The directive allegedly allows a “defensive” act that might include stopping a computer attack by severing the link between an overseas server and a targeted domestic computer.

The policy will probably remain classified for some time. It’s also unclear how any of its points will be disseminated to industry, which could need the information in the event of a directed attack by a foreign power. The irony of that, of course, is that EPIC disclosed the document on the same day that many smaller sites staged “blackouts” to protest the Cyber Intelligence Sharing and Protection Act (CISPA), which would allow for voluntary information sharing between private companies and the government in the event of a cyber attack.

 
