President Barack Obama can authorize a pre-emptive cyber-attack if U.S. intelligence gains enough evidence of another country or group’s plans to launch its own attack against American interests, according to a recent New York Times report that cited officials involved in a “secret legal review.”
The Times, which was subjected to its own cyber-attack over the past four months by alleged Chinese assailants, reported over the weekend that the review's conclusion on the authority of Obama, the commander-in-chief, is one of several recent decisions “as the administration moves … to approve the nation’s first rules for how the military can defend, or retaliate, against a major cyberattack.”
The White House is currently trying to come up with rules on how the military may defend against or carry out cyber-attacks, the report stated.
The president would be allowed, for example, to attack other threatening countries with malicious code and software without needing to declare war. There has been only one instance in which Obama used a cyber-attack, which was directed at Iran’s disputed nuclear program via the Stuxnet virus, jointly developed by the United States and Israel.
Under the military’s current rules, the United States may only conduct counterterrorism campaigns in countries where it is officially at war, including Afghanistan. Officials told The Times that new policies for cyberwarfare have “been guided by a decade of evolution in counterterrorism policy,” according to the report, but one intelligence official, who spoke on condition of anonymity, said that the United States has exercised restraint in using cyberweapons in the past.
“There are levels of cyberwarfare that are far more aggressive than anything that has been used or recommended to be done,” the official told the paper.
For example, the United States could disable an adversary’s air defense system during a drone strike, but the White House review focused more on pre-emption in cyberwarfare. The Times quoted an official as saying that the review defined “what constitutes reasonable and proportionate force” to prevent or retaliate against an adversary’s cyber-attack.
The final rules hashed out by the administration will be highly classified because the officials “quickly determined that the cyberweapons were so powerful that—like nuclear weapons—they should be unleashed only on the direct orders of the commander in chief,” according to The Times.
The emergence of the review comes just several days after The Washington Post reported that the Pentagon will expand the Department of Defense’s U.S. Cyber Command—an agency created in 2009 to defend U.S. critical systems and to launch attacks on adversary nations—by more than fivefold. The command, which currently has around 900 staff members, will be increased to around 4,900 personnel.
The decision to increase the size of the Cyber Command came in response to the growing threat of cyber-attacks, The Post reported in late January, citing an official who sought anonymity.
“Given the malicious actors that are out there and the development of the technology, in my mind, there’s little doubt that some adversary is going to attempt a significant cyberattack on the United States at some point,” William J. Lynn III, former deputy defense secretary who helped formulate the Pentagon’s cybersecurity plan, told The Post.
“The only question is whether we’re going to take the necessary steps like this one to deflect the impact of the attack in advance or … read about the steps we should have taken in some post-attack commission report,” he added.