WASHINGTON – President Barack Obama has ordered his national security team to draw up a secret target list for possible cyber attacks, a major expansion of U.S. planning for disabling and hacking into foreign computer networks, according to a copy of the top secret directive.
White House officials emphasized that the document laid out principles for defending U.S. computer networks and insisted that it did not imply that the U.S. would be stepping up cyber attacks overseas.
But they did not dispute that the planning called for in the document goes beyond previous policy directives, which had emphasized protection from foreign computer hacking.
The directive “enables us to be flexible, while also exercising restraint in dealing with the threats we face. It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action,” said Caitlin Hayden, a spokeswoman for the National Security Council.
According to the directive, which Obama signed in October, offensive cyber attacks “can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary.”
The document orders the Pentagon, the Central Intelligence Agency and other departments “to identify potential targets of national importance where (cyber attacks) can offer a favorable balance of effectiveness and risk.”
The directive was made public Friday by Britain’s Guardian newspaper, which obtained a copy.
Disclosure of the order came at an awkward time for the White House – the same day that Obama was meeting with Chinese President Xi Jinping at a summit in Rancho Mirage, Calif. Obama was expected to bring up U.S. complaints about Chinese intrusions into U.S. computer networks, some of which are believed to have been ordered by the Chinese government.
The order directs the defense secretary, head of the CIA and the director of national intelligence to identify “systems, processes and infrastructure against which the United States should establish and maintain” offensive cyber effects operations.
It defines those as “operations and related programs or activities … in or through cyberspace, that are intended to enable or produce cyber effects outside United States government networks.”
All such operations should conform to U.S. and international law and those that are “reasonably likely to result in significant consequences require specific presidential approval,” it says. Significant consequences are defined as those resulting in loss of life, responsive actions against the U.S., damage to property and serious adverse foreign policy or economic impacts.
The president must approve any operation “intended or likely to produce cyber effects within the United States,” except in the case of an “emergency cyber action,” the order states.