Want CNET to notify you of price drops and the latest stories?

Obama reportedly signs secretive cybersecurity policy directive

With Senate and House debates over cybersecurity in high gear, the president signs a directive outlining how the military can act when the U.S. is threatened with cyberattacks.

Dara Kerr Former senior reporter
Dara Kerr was a senior reporter for CNET covering the on-demand economy and tech culture. She grew up in Colorado, went to school in New York City and can never remember how to pronounce gif.
Dara Kerr
3 min read

President Obama has long said cybersecurity is one of his priorities and it appears he is now acting on his words.

According to the Washington Post, he is said to have signed a secret policy directive last month that will give the military and other government authorities the ability to act quickly if the country comes under cyberattack.

Dubbed the "Presidential Policy Directive 20," this classified document allegedly outlines the rules of how federal agencies are allowed to react when it comes to online breaches of security, hacking, cyberthreats, and attacks.

One of the major elements of the directive, according to the Washington Post, is that it deals with "offensive" versus "defensive" action and makes the distinction between network defense and cyber operations.

"What it does, really for the first time, is it explicitly talks about how we will use cyber operations," a senior administration official told the Washington Post. "Network defense is what you're doing inside your own networks... Cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes."

According to the Washington Post, offensive actions will require high scrutiny and White House permission. An example of an offensive action in halting a cyberattack would be shutting off the link between an overseas server and a local targeted computer.

News of this directive comes as Senate Republicans yesterday shot down cybersecurity legislation backed by the president. According to Bloomberg, in a 51-47 vote the Senate failed to pass a cybersecurity bill and most likely killed any chance for congressional action on legislation this year. This type of House and Senate in-fighting is probably what led the president to look for other ways to pass some sort of cybersecurity law, like the directive.

Besides outlining how the military is to act during a cyberattack, the directive is also said to ensure that U.S. citizens' data and privacy is protected. It also allegedly states that law enforcement or traditional network defense techniques will be used first before the government turns to military cyber units for help.

"We always want to be taking the least action necessary to mitigate the threat," another senior administration official told the Washington Post. "We don't want to have more consequences than we intend."

The nuts and bolts of the directive will most likely be met with criticism from many sides of the cybersecurity debate. While some will want to strengthen the directive and give free rein to the military to act quickly against cyberthreats, others will warn that the U.S. could step on international legal issues, Internet freedom, and other countries' sovereignty.

Proposed government legislation on national cybersecurity has been thrown around the House, Senate, and White House for years. Besides the legislation killed by the Senate yesterday, Sen. Joseph Lieberman also recently pushed Obama to sign a cybersecurity executive order that would act as a so-called Internet kill switch granting the president vast power over private networks during a "national cyberemergency." Now Lieberman is hoping a more modest version of his proposal will be approved by January.

According to the Washington Post, the Pentagon now plans to finalize the Presidential Policy Directive 20's new rules. It's unclear, however, when and how the government will start using the directive.