US rolls back cyberwarfare rules | Cyber Security

Latest breaking news on

The Trump administration has rolled back that outlined how to launch cyberattacks on other nations. The decision, which has been under consideration for much of the year, could herald a more hawkish approach to within the US government.

Signed in 2012, the original Obama-era Presidential Policy Directive 20 (PPD-20) replaced a 2004 Bush-era policy called National Security Presidential Directive (NPSD)-38. The government refused to publish its document at the time, but it was leaked as part of the Snowden files. It outlined Defensive Cyber Effects Operations (DCEO) and Offensive Cyber Effects Operations (OCEO). OCEO could focus on targets specified by the government, and would…

offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging

PPD-20 argued that it simply formalised existing policies, and outlined a swathe of processes and restrictions governing cyberwarfare. For example, it would seek consent from countries in which cyber operations took place unless they were military actions, or unless the president decided that asking for consent would go against US national interests.

The rules also called for a multi-agency effort to establish criteria and procedures for responding to persistent malicious cyberactivity by other nations against US national interests.

Directive 20 outlined bureaucratic restrictions on these cyberwarfare capabilities. The US government would reserve their use for circumstances when network defence or law enforcement measures were insufficient. It also said that it would conduct defensive cyberspace actions with the least intrusive methods feasible to mitigate a threat. And it vowed to obtain the consent of network or computer users for the US government to take cyber measures on their behalf.

It contained extensive sections outlining the need to coordinate these cyber capabilities with other government functions, including financial, intelligence and law enforcement, in what it called a “whole-of-government” approach. Policy criteria included how operations were located and their potential effects, the methods used, and their risks and potential impact. It also explicitly outlined civil liberties as a policy consideration when considering offensive and defensive cyber-actions.

Rolling back these rules removes a layer of inter-agency bureaucracy that the government had to follow before launching cyberattacks on overseas adversities. Insiders have called their removal an “offensive step forward” according to a Wall Street Journal report.