What started last week as a series of reports on domestic spying by the NSA took a turn towards cyber security on Friday when Glenn Greenwald and Ewen MacAskill of The Guardian published the top secret Presidential Policy Directive 20 (PPD–20), which deals with U.S. policy and planning for cyber conflict. Like the other documents that The Guardian released, this one largely confirmed what those who pay close attention to these issues already knew: the United States is working to build up its offensive cyber warfare capabilities. But the document provides other insights as well, and perhaps even a small measure of consolation for cyber war critics.
First, we know from reporting by the New York Times this time last year that the United States has already engaged in offensive cyber attacks with the use of Stuxnet against Iranian nuclear facilities. Over the last year, other reports have pointed to various indicators of the United States’s preparations for offensive cyber warfare. By calling attention to that portion of PPD–20 that directs DoD and the intelligence community to draw up a list of possible targets for “Offensive Cyber Effects Operations (OCEO)” (3), Greenwald and MacAskill have provided one more important bit of information about how U.S. plans for possible offensive cyber warfare are proceeding.
Second, PPD–20 provides an interesting tidbit related to cyber intelligence. Following the hack of HBGary Federal in 2011, various observers took note of the growing number of companies providing technologies and services for cyber intelligence to the U.S. government. One such technology was “persona management” software that can be used to facilitate online information gathering and perception management operations. Though the evidence for the existence of such tools and techniques seemed solid, some still questioned their reality. But PPD–20 makes reference to “the use of online personas” as a tool for “human intelligence operations undertaken via the Internet” (5). This provides another, powerful piece of evidence for the reality of persona management.
Third, the document might provide some measure of consolation for cyber war critics. Though news of the President’s order to draw up a list of targets and circumstances for which cyber capabilities might be appropriate is a disappointing development for those of us who wish the Internet were not becoming a battlefield, it is not surprising that policy makers and planners are carrying out this kind of exercise. It is routine and makes sense. If you are going to have a weapon/capability, you should think in advance about when, where, against whom, and with what effects that capability/weapon can be used. So yes, it’s disappointing to see one more step towards the militarization of the Internet and the possibility of cyber war. On the other hand, if we are going to have cyber weapons – and it appears that is all but inevitable at this point – better to think carefully about how they will and won’t be used than not.
This is where we see one aspect of how some of the document might help to allay critics’ concerns. One of the biggest criticisms that many had of the Stuxnet operation (myself included) was that it seemed to have been carried out without adequate thought given to the larger implications. This document appears to initiate a process meant to engage in such thought. The document identifies a number of criteria to be considered when deciding upon the use of defensive and offensive cyber effects operations, including “impact,” “risks,” “methods,” “geography and identity,” “transparency,” and “authorities and civil liberties” (13). Thomas Rid of the War Studies Department at King’s College asked this week, “How would the authors of #PPD20 assess Stuxnet in hindsight against their own criteria?” His answer, “Probably ambiguous.” He pointed to the possibility for economic retaliation and “the establishment of unwelcome norms of international behavior” as at least two areas where the Stuxnet operation would likely fall short of PPD–20’s criteria. He is likely correct. On the other hand, given the firestorm of criticism that followed revelations of Stuxnet, perhaps PPD–20’s criteria can be read as a lesson learned and a commitment not to repeat the mistakes of Stuxnet. Only time will tell.
Increasingly bellicose rhetoric in the U.S. public discourse about cyber warfare combined with revelations of the Stuxnet operation have led me and others to worry that the United States was perhaps getting trigger happy with its cyber capabilities and that it had a too simplistic and overly optimistic idea of how those capabilities could realistically be used. But there are elements of PPD–20 that, if truly heeded by planners, should help to allay those fears.
First, critics have noted that the dense interconnectivity of cyberspace, which spans geographic boundaries, places serious limitations on the ability to precisely target and then control the effects of a cyber attack. Stuxnet’s escape into the “wild” soon emerged as an important piece of evidence in support of this caveat. We might take some comfort, therefore, in the fact that PPD–20 acknowledges that the global interconnectivity of cyberspace means that both defensive and offensive cyber operations, “even for subtle or clandestine operations, may generate cyber effects in locations other than the intended target, with potential unintended or collateral consequences that may affect U.S. national interests in many locations” (6). A true appreciation of this possibility should serve to restrain the United States’s use of cyber attacks. Again, only time will tell if this lesson has truly been understood by U.S. policy makers.
Second, though the document does confirm the President’s belief that “OCEO can offer unique and unconventional capabilities to advance U.S. national objectives around the world” and therefore calls for the U.S. Government to “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness” (9), it also recognizes the considerable difficulties in accomplishing this task. Some cyber war proponents have tended to talk about cyber weapons as though they are munitions like any other, that they can be created easily and cheaply, stored up, and then used at lightning speed on any target. They have pointed to Stuxnet as evidence of this latest revolution in military affairs. Others, however, have seen in Stuxnet an example of the costs and complexity of developing and deploying such weapons, as well as their limited operational effectiveness. This is because cyber weapons with the greatest potential effectiveness are those tailored to their targets. This tailoring, however, is complex, costly, and in need of constant updating as the target and the wider environment change. PPD–20 recognizes this fact when it says, “The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist” (9).
Taken together, the application of the criteria laid out in PPD–20, its recognition of the difficulties of targeting and containing the effects of cyber attacks, and its acknowledgement of the considerable time and effort needed to develop a targeted, contained, and effective cyber weapon should all serve to constrain the United States’ use of cyber attack. Of course, the key word here is “should.”
It is certainly disappointing that the problem of cyber security is still being framed primarily as a national security and military problem and, as such, the United States continues its march towards the militarization of cyberspace. Nonetheless, there are several possible benefits to the public availability of PPD–20.
First, one action item at the end of PPD–20 is to develop a communication plan to explain the policy to the public. Ironically, the leak of this document might make that job easier. The public availability of PPD–20 helps to clarify for the public what its government’s understanding of and preparation for cyber warfare does and does not entail.
Second, PPD–20 could help to change the public discourse about cyber warfare. On the whole, the language in PPD–20 is less bellicose than much of the rhetoric that has come to dominate the public discussion of this issue. If truly appreciated and applied, the caveats and criteria identified in PPD–20, though they will not stop the United States’s development of offensive cyber warfare capabilities, should serve to restrain the use of those capabilities. The kind of sober assessment found in PPD–20, which acknowledges the potential negative impacts of and limitations to the use of cyber attack, should replace the sometimes overheated and overly optimistic public discourse about cyber warfare.
Finally, the public and the press now have agreed-upon criteria against which to judge future calls by politicians or others for the use of offensive cyber attacks. The public can hold them to account for following “their own criteria,” as Rid has said, because now we know what the criteria are. And there is no room in those criteria for the kind of cyber warmongering that has become all too prominent recently.