Secret Review Gives Obama License to Cyberkill
Preemption as a military strategy has moved from the battlefield to the world's networks. Revelations about a secret report suggesting President Obama could authorize preemptive cyberstrikes to deflect threats of an attack on the U.S. have spurred debate over the merits and risks of a cyberwarfare offensive.
02/05/13 11:00 AM PT
President Obama can order a preemptive strike if there's credible evidence of a pending major cyberattack from abroad, a secret legal review has found, according to The New York Times.
New policies will dictate how intelligence agencies can monitor remote computer networks elsewhere for signs of potential attacks on the U.S., the newspaper said. The policies will also apparently allow intelligence agencies to attack adversaries by injecting them with destructive malware, even if war has not officially been declared.
Counterattacks must be approved by the president first.
An American power station was the recent target of a cyberattack, the Department of Homeland Security revealed.
Acting on Threats
The new guidelines reportedly make DHS responsible for defending against cyberattacks on American companies or individuals.
The military could become involved if there were a major cyberattack within the country. However, the threshold for determining when its involvement might be justified has been kept vague.
"I think what's happening is the president's setting up to move unilaterally in case he sees a pending threat," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. "In a cyberthreat, the nature of the attack is it will happen when you see it, and he wants to be able to shut down the attacking nation, which would involve a preemptive strike. Given the case that governments are likely to be involved in these attacks, it's likely our government is looking at cyberdetente."
The legal review brings to mind a similar controversial move by the Bush administration to justify the invasion of Iraq, as well as its use of what it called "enhanced interrogation techniques," and it could cause the same kind of skepticism about its use.
"I believe it's more of a public relations tool than anything else," Jim McGregor, founder and principal analyst at Tirias Research, told TechNewsWorld.
"[The Obama administration is] just trying to build a case for any actions that may eventually come to light through either open or covert channels," McGregor continued.
Obama has tangled with Congress during the last two years over his requests for more regulations to address cybersecurity. Last summer, Congress failed to pass the Cybersecurity Act of 2012 over complaints that it would be a burden on businesses.
Sen. John McCain, R-Ariz., and others introduced the Secure IT Act last March as an alternative to the White House's proposal. However, the legislation drew fire from privacy groups, and the bill was eventually defeated.
Hints that president Obama could issue an executive order on cybersecurity began appearing in November after the cybersecurity bill he backed stalled in the Senate. Reports surfaced again this week suggesting that Obama would issue a cybersecurity executive order later this month.
Congress has repeatedly turned down a proposal to give the president a "kill switch" that would let him cut off Americans' access to the Internet in case of a cyberattack.
However, "the ability [for the president to kill off access to the Internet] has always existed, so don't believe the political wrangling," McGregor said.
Cybersecurity Hype vs. Reality
Administration officials have warned that a major cyberattack -- a "cyber Pearl Harbor" in the words of outgoing Defense Secretary Leon Panetta -- could level parts of the U.S. infrastructure.
"The term 'cyber Pearl Harbor' has been, in my view, overused and abused to characterize a worst-case scenario that may be far from reality. My view is that the current climate is much more reminiscent of the Cold War," Scott Crawford, managing research director at Enterprise Management Associates, told TechNewsWorld.
"Public and private sector entities must both take a more realistic view of what this theater of operations really means," Crawford continued.
That view must take into account not only the level of threat, but also the government's response capabilities.
"By the time Congress comes to a decision about whether we should respond to a cyberattack," said Enderle, "we'd probably be living in a Mad Max world.