Opening Windows: Transparency in U.S. Offensive Cyber Policy

By: Tian Tian Xin, JD ‘19

In August 2018, the Trump administration rescinded an Obama-era policy directive that outlined the interagency process for authorizing offensive cyber operations conducted by the United States. Once again, the public was plunged into the fog about how the cyber policy sausage is made.

Presidential Policy Directive 20 (PPD-20) was signed by President Obama in 2012 and instituted a complex interagency process for approving cyberattacks. The classified document was leaked by NSA whistleblower Edward Snowden, and was met with sharp criticism that the directive imposed unnecessary red tape and handicapped critical cyber operations. The unauthorized release of the document and its subsequent revocation sparked rigorous debate about the pros and cons of the interagency vetting process for offensive cyber operations.

What replaced PPD-20 and the procedural scaffolding supporting offensive cyber operations remains unclear (or most likely classified). The current administration has voiced its more aggressive cyber policy goals through its National Cyber Strategy, the Department of Defense’s Cyber Strategy, and Cyber Command’s “Command Vision” document. Most observers agree that the Trump administration’s new position will make it easier for the military to initiate cyberattacks, with varying opinions about how it will elevate risks of escalation.

While the Trump administration has made clear a more hardline offensive cyber policy is in place, it has not articulated what procedural safeguards will ensure the process to approve offensive cyberattacks is balanced, thoughtful, and considered. Of course, sources and methods should remain protected, but the processes and procedures our government undertakes before launching offensive cyber operations ought to be more transparent.

A more transparent offensive cyber policy would promote democratic accountability of cyber operations that have the potential to incur backlash against American companies and citizens. When the U.S. military launches kinetic strikes overseas, the American public is rarely directly impacted (or perhaps even aware). But when adversaries respond to U.S. offensive cyber operations, they may retaliate not just against military entities, but could seek softer targets in the private sector.

After Iran’s nuclear program was crippled by the Stuxnet virus, widely believed to be a joint U.S.-Israeli effort, Iranian hackers launched a coordinated cyber-attack on several U.S. banks and attempted to shut down a dam in New York. The attack on 46 major financial institutions and companies, like JPMorgan Chase and Wells Fargo, caused millions of dollars in lost revenue. The dam targeted by Iranian hackers was luckily manually disconnected for maintenance during the intrusion so didn’t release water, but the attack signals a willingness by American adversaries to counterattack by targeting critical infrastructure, potentially affecting huge swaths of the American public.

Given the vulnerabilities of private companies and citizens to the second and third order effects of offensive U.S. cyber operations, the procedures and processes for approving attacks like Stuxnet ought to be given the benefit of public scrutiny, even if the more sensitive details of the operations themselves remain classified. Just as procedures for approving kinetic operations against suspected terrorists outside the United States have been released without jeopardizing future operations, the conditions under which the U.S. government is authorized to conduct cyber attacks ought to be made public as well.

A more transparent process could also model for the private sector how companies should consider addressing cyber threats to their computer networks and systems. Although the private “hack-back” debate is still unsettled and whether companies will eventually be legally authorized to use technical means to pursue attackers is uncertain, the private sector is a critical component of the national cyber strategy and companies often finds themselves at the frontlines of cyber defense.

Making the U.S. government offensive cyberattack policies more transparent could help vulnerable companies shape their own internal processes for deciding when, how, and under what conditions to respond to cyberattacks. Greater transparency could ease the frustrations of a private sector unsatisfied with the government’s inability to respond to the millions of attacks against individuals and businesses, and help appease those chomping at the bit to retaliate against malicious actors. Legal or illegal, it’s an open secret that many companies are already hacking back and with few procedural guardrails. Even if private companies are never authorized to hack back in the United States, private actors in other countries may still be able to strike, and a public framework for deciding when to launch a counter-cyberattack could help model behavior for companies abroad.

Finally, making aspects of the U.S. government’s offensive cyber processes public could help signal to other countries and the international community what procedural norms should be in place before a state launches cyberattacks against its adversaries. As countries around the world are struggling to decide where to draw the line permitting the use of offensive cyberattacks, the United States could take the lead on shaping developing norms by making public our guiding principles, policy criteria, and procedures for authorizing cyberattacks. Countries in Europe, Africa, and South America are entering the cyber policy fray. As these states develop their nascent cyber capabilities and corresponding rules of engagement, the United States should help guide their growth by articulating what are the acceptable reasons for using cyber weapons. Such an act could send a strong message to allies and adversaries alike. Clearly articulating when the United States is willing to launch and retaliate against offensive cyber weapons could have a deterrence effect against other countries.

Whatever directive or framework replacing PPD-20 under the Trump administration likely delegates more authority to operating agencies and mandates less process before approving the use of offensive cyber weapons than before. The virtues of such a new policy are debatable, but making aspects of the procedural safeguards public can yield benefits for democratic accountability, the private sector, and other state actors. If sunlight is said to be the best disinfectant, opening a window onto the government’s process of approving offensive U.S. cyberoperations is much needed. Whether the failure to make the new vetting process public is due to overclassification or legitimate security concerns, the country and the world stand to benefit from greater transparency.