If "Things We're Learning About the Security Workings of the U.S. Government" were a late-night infomercial, today would be the point in the proceedings when the giddy announcer tells us, "But wait! There's more!"
Because more, it seems, there is.
The Guardian has just posted a new revelation about top-secret U.S. government activities, based on a new leaked document: a directive that President Obama, late last year, sent to senior national security and intelligence officials. The directive orders them to, among other things, create a list of potential overseas targets for U.S. cyber-attacks.
The 18-page, classified document, Presidential Policy Directive 20, was issued in October 2012. (It was discussed in a November article in The Washington Post, but not published until now.) The memo was sent to Joe Biden, Hillary Clinton, and pretty much every other high-ranking member of the Executive branch, and it proposes what it calls Offensive Cyber Effects Operations (OCEO) -- essentially, a plan for strategic cyber-attacks against other countries, carried out abroad and, potentially, within the U.S.
The point of such attacks, per the document? To "offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging."
So. Stuxnet -- the computer worm suspected, though not fully confirmed, to have originated from a partnership between the U.S. and Israel -- might have been a harbinger of things to come. As Guardian writers Glenn Greenwald and Ewen MacAskill note, the directive is significant in part because it defines the criteria for offensive cyber operations beyond simple retaliatory actions, and toward "vaguely framed" ideas about the advancement of "U.S. national objectives around the world."
Then again, like so many other pieces of incendiary news that have made their way to the public this week, we don't know the full story here. We don't know whether there are later-issued documents that might have changed the framework proposed in the directive. We don't know how the many powerful people copied on the memo reacted to it. (Per the Post piece on the as-yet-unpublished document, "Officials say they expect the directive will spur more nuanced debate over how to respond to cyber-incidents.")
And though Greenwald and MacAskill note that the directive could indicate "the increasing militarization of the Internet," the document emphasizes cyber-attacks as a potential alternative to physical attacks. The government, the directive says, will "identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power."
So we, ultimately and unsurprisingly, have more questions than answers when it comes to this particular piece of governmental secret-document-ing. It's worth noting, though, that the most surprising thing about a secret strategy for cyber warfare would be if such a strategy didn't exist. As the document puts it:
The United States has an abiding interest in developing and maintaining use of cyberspace as an integral part of U.S. national capabilities to collect intelligence and to deter, deny, or defeat any adversary that seeks to harm U.S. national interests in peace, crisis, or war. Given the evolution in U.S. experience, policy, capabilities, and understanding of the cyber threat, and in information and communications technology, this directive establishes updated principles and processes as part of an overarching national cyber policy framework.