The recent leak of secret documents regarding US government intelligence and cyber security operations has reignited public debate around the proportionality, necessity and legality of these actions, particularly when they involve access to public networks and private data.
One of these documents is Presidential Policy Directive 20, issued in October 2012 and classified as top secret and 'noforn' (not releasable to foreign nationals). It sets the parameters and guiding principles for a range of offensive and defensive cyber operations, including who may authorise activities and under what conditions. This includes operations to manipulate, disrupt and degrade computer networks, as well as measures to defend against similar actions.
The Directive is scheduled for declassification in 25 years, yet its unauthorised disclosure last week comes at a moment when the international debate over offence and defence in cyberspace is steadily increasing in volume and pace. Although written in the precise, almost terse, language of a high-level policy document, it provides useful insight into the contemporary thinking of US decision-makers on a delicate topic. It contains several elements of particular interest for those wishing to understand better the principles and considerations that guide US action in this domain.
First, the Directive acknowledges the ambiguity inherent in cyberspace. It notes that, due to growing global digital inter-connectivity, offensive and defensive actions 'may raise unique national security and foreign policy concerns', and the potential for 'unintended or collateral consequences that may affect US national interests in many locations'. Presidential approval is also required for defensive or offensive operations that are reasonably likely to result in 'significant consequences' such as loss of life or serious damage to property or to US foreign policy.
Second, despite the ubiquitous reach and near-omniscient powers popularly attributed to US government cyber capabilities, the document admits that 'development and sustainment of [offensive operations] may require considerable time and effort if access and tools for a specific target do not already exist'. This is a rather direct reminder to policy-makers that cyber operations introduce additional complications and hurdles that may not exist when performing kinetic offensive operations such as cruise missile or drone attacks.
Taken together, these two elements demonstrate, at a strategic level, the legal and jurisdictional complexity of cyber operations, and at a tactical level they show the challenges of operating with precision. Hence the need for particularly high-level authorisation.
Third, policy deliberations over offensive and defensive measures must consider 'impact on security and stability of the Internet' as well as 'bilateral and multilateral relationships (including Internet governance)' and the 'establishment of unwelcome norms of international behaviour'. This is a positive indication that strategic concerns are being considered alongside tactical planning. It is further reinforced by the recent news that the UN Group of Governmental Experts on Information Security (a group which includes the US, China and Russia) has affirmed that international law, including the UN Charter, applies in cyberspace.
Fourth, the Directive emphasises collaboration and partnership with the private sector, in order to mitigate 'potential adversary responses or unintended consequences of US operations for which the United States Government or the private sector would need to prepare'. Sharing cyber threat information between the public and private sectors is difficult under the best of circumstances, but these partnerships will be of little comfort to US companies who are under attack by foreign actors for offensive US government activities in which they had no involvement. It brings to mind the consequences of the Stuxnet attacks (the US and Israeli-led cyber sabotage) against Iranian nuclear infrastructure, in particular the alleged Iranian cyber attacks against US financial institutions.
The Directive cannot address all questions regarding US cyber operations, but it does provide a useful glimpse of the state of current policy and will be of interest to many governments. The language is measured, sober and pragmatic, and encourages decision-makers to weigh the effectiveness of cyber operations against other instruments of national power. Although the operations taken in accordance with these policies will displease many, the Directive notes these activities are to be conducted in a manner 'consistent with [US Govt] obligations under international law'.
The consistency between these obligations and revelations about NSA spying is far from clear, but it is clear the authors of this Directive devoted significant effort to closely defining permissible activities and authorisations in a challenging and often opaque domain of activity. It would be reassuring to know that other nations are devoting equal care to crafting their cyber operations policies. Those leaks are yet to come.