Risk
11/14/2012
01:33 PM
50%
50%

Obama Secret Order Authorizes Cybersecurity Strikebacks

Secret policy details how military units may be used to launch offensive cyber operations in the wake of online attacks against the United States.

Defense Tech: 20 War-Fighting Innovations
Military Transformers: 20 Innovative Defense Technologies
(click image for larger view and for slideshow)
A secret directive, signed by President Obama in mid-October, has authorized the military to help battle cyber attacks launched against the United States.

Known as Presidential Policy Directive 20, the classified document "establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace," The Washington Post first reported.

The policy reportedly includes privacy and data security safeguards for U.S. citizens and foreign allies, and also requires that any actions comply with international laws of war. Ultimately, the policy -- which updates a 2004 presidential directive -- is meant to make clear exactly what can and cannot be done.

[ Watch out for unintended consequences. Read Cyber Weapon Friendly Fire: Chevron Stuxnet Fallout. ]

"What it does, really for the first time, is it explicitly talks about how we will use cyber operations," a senior administration official told The Washington Post. "Network defense is what you're doing inside your own networks. ... Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes."

Legally speaking, there can be a fine line between so-called defensive operations -- such as conducting reconnaissance -- and what constitutes acceptable levels of offensive operations. On the other hand, the existence of the new directive, despite its exact contents being secret, may help private sector organizations attain greater strike-back capabilities themselves.

One notable provision of the White House policy is that law enforcement agencies and in-place information security defenses must remain the first line of defense, and be utilized prior to any military units being authorized to battle a cyber attack. "We always want to be taking the least action necessary to mitigate the threat," a senior administration official told The Washington Post. "We don't want to have more consequences than we intend."

The new policy comes after years of inaction on the cybersecurity front by Congress. Notably, Congress this year failed to pass the Cybersecurity Act of 2012, despite the White House urging legislators to "modernize" the outdated cybersecurity laws that are currently on the books.

As a result, the White House has been drafting an executive order that will reportedly offer voluntary guidelines for critical infrastructure companies in the private sector to share security information with government agencies, to help them battle an ever-increasing volume of online attacks directed at their systems.

Last month, Defense Secretary Leon E. Panetta warned that hackers have been infiltrating the control systems that run critical pieces of U.S. infrastructure, and likewise called on Congress to pass legislation to help. But in the absence of such legislation, he backed the alternative of a White House executive order on cybersecurity. "We have no choice because the threat that we face is already here," he said.

Many government agencies have been pushing for greater strikeback capabilities. Last year, National Security Agency director and Cyber Command commander Gen. Keith Alexander said that for cybersecurity, "the advantage is on the offense," and argued that government agencies should -- at last in some cases -- be able to take down botnets or other malicious actors.

Since then, the military has been drafting cyber rules of engagement, after being authorized by the annual defense budget in December 2011 to carry out some types of offensive cyber attacks. Likewise, the Defense Advanced Research Projects Agency (DARPA) has begun researching cyber warfare tools.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0174
Published: 2015-04-27
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175
Published: 2015-04-27
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.