The Trump administration kicked off a new era of government cyber operations by “rescinding” a presidential directive that had restricted offensive capabilities, an administration official told Fifth Domain, but experts warned the move would not be sufficient in detering state-based hacking.
The Wall Street Journal reported Aug. 15 that Trump reversed what’s known as Presidential Policy Directive 20, which previously governed offensive cyber operations.
A Trump administration official speaking to Fifth Domain declined to elaborate on the policy change, although the replacement is likely to allow for greater offensive operations. Under the previous rules, approved in 2012, cyber operations that resulted in “significant consequences” required presidential approval. The document was labeled “top secret” but Edward Snowden included it among a trove of files he released.
Current and former military and intelligence officials have told Fifth Domain that the previous rules led to Cyber Command being overly cautious in cyberspace. Some said the approval process to carry out offensive cyberattacks took too long.
A June report from the Defense Science Board said that America’s cyber policy was “stalled, self-limiting, and focused on tactical outcomes … Current policies often thwart cyber capability.”
In addition, March report from Cyber Command said that the U.S. “must increase resiliency, defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors.”
But experts warned that loosening restrictions on offensive cyber operations may not be adequate by itself.
“Attempting deterrence using a single domain is rarely effective,” Peter Cooper, a nonresident senior fellow at the Atlantic Council, told Fifth Domain. “This is especially true in the cyber domain, where capability is normally classified, making it difficult for a state to signal to its capabilities. Attempting to deter with only the cyber domain is like shouting from behind a locked door.”
Instead, Cooper said that effective deterrence requires a whole of government approach that is ideally done in cooperation with other countries. Asked whether the Trump administration is taking that approach, he said that “international cooperation has been occurring and there have been some indications of its effectiveness.”
Others warned that it would be difficult to tell if a more aggressive approach to offensive operations in cyberspace is working.
“What metrics will we have if this is working or not?,” Jason Healey, a White House official in the George W. Bush administration told Fifth Domain. "If we don’t know what to measure than we won’t know if this is succeeding or failing. It’ll be like Afghanistan where the military is able to say, ‘just one more surge and we’ll break them.’”
China, Russia, Iran and North Korea are the top threats for the National Security Agency and the U.S. government, said Josiah Dykstra, a researcher at the NSA during the Black Hat Conference last week in Las Vegas.
"All of these have conducted attacks against the United States in recent years,” Dykstra said.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.