Cyber warfareObama orders U.S. intelligence to develop a list of targets for U.S. cyberattacks

President Barack Obama has ordered U.S. intelligence agencies to develop a list of overseas targets for possible offensive cyberattacks by the United States.

The Guardian reports thatthe 18-page directive was issued last October. It says that “The secretary of defense, the DNI [Director of National Intelligence], and the director of the CIA … shall prepare for approval by the president through the National Security Advisor a plan that identifies potential systems, processes and infrastructure against which the United States should establish and maintain Offensive Cyber Effects Operations (OCEO) capabilities….”

The document says the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power.”

The document  defines OCEO as “operations and related programs or activities … conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States government networks. ”

The document also says these operations “can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”

The Guardian notes that parts of the directive have been gradually declassified, but the unclassified parts only involved intrusion detection systems for protecting federal computer networks, as well as discussing the government’s role in securing critical infrastructure. The classified parts of the directive detail the U.S. plans to begin cyber offensive operations against foreign targets.

A senior official, who insisted on annonymity, told the Guardian that the plan is just the natural evolution of things.

“Once humans develop the capacity to build boats, we build navies. Once you build airplanes, we build air forces,” he said.

The document does say that all U.S. cyber operations should comply with U.S. and international law and work only in conjunction with diplomatic and military operations. Presidential approval will be required for all actions which are “reasonably likely to result in significant consequences,” meaning the loss of life, property damage, severe retaliation, or adverse foreign policy and economic impacts.

Asked about the stepping up of U.S. offensive capabilities outlined in the directive, a senior administration official told the Guardian: “Once humans develop the capacity to build boats, we build navies. Once you build airplanes, we build air forces.”

Caitlin Hayden, National Security Council spokeswoman, said in a statement:

We have not seen the document the Guardian has obtained, as they did not share it with us. However, as we have already publicly acknowledged, last year the president signed a classified presidential directive relating to cyber operations, updating a similar directive dating back to 2004. This step is part of the administration’s focus on cybersecurity as a top priority. The cyber threat has evolved, and we have new experiences to take into account.
This directive establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools we have at our disposal. It provides a whole-of-government approach consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace.
This directive will establish principles and processes that can enable more effective planning, development, and use of our capabilities. It enables us to be flexible, while also exercising restraint in dealing with the threats we face. It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action. The procedures outlined in this directive are consistent with the US Constitution, including the president’s role as commander in chief, and other applicable law and policies.”