PPD-20 elimination opens arguments over how U.S. should conduct offensive hacking operations
President Donald Trump has rescinded a key policy directive that governed the approval process for cyberattacks conducted by the U.S. government, potentially opening the door to more offensive operations, an administration official familiar with the matter confirmed to CyberScoop.
Presidential Policy Directive 20, which then-President Barack Obama signed in 2012, had installed an intricate inter-agency legal and policy process for green-lighting cyberattacks. Critics of the process said it unnecessarily delayed offensive operations, while advocates called it an important mechanism for accounting for all of the potential repercussions of a cyberattack.
Trump’s reversal of the memorandum is in keeping with his administration’s efforts to enable military commanders to more freely conduct cyber-operations against adversaries such as nation-states and terrorists. While critics warn of the pitfalls of loosening restrictions on hacking operations, the policy shift answers a call from lawmakers for the government to be more willing to go on the offensive in cyberspace.
Some National Security Council (NSC) officials have been pushing for months to overturn the directive, as CyberScoop first reported in May. It is unclear what policy framework has replaced PPD-20 – an administration official declined to comment when asked – but the months of deliberation suggest that a framework is indeed in place. And as experts have pointed out, another policy process for coordinating cyber-operations would need to be ready for PPD-20 to be rescinded.
The Wall Street Journal was first to report on Trump’s revocation of PPD-20.
Sen. Mike Rounds, R-S.D., member of the Armed Services Committee, praised the decision to scrap PPD-20, calling that directive “ineffective” and “bureaucratic in nature.”
In an interview, Rounds said he is “optimistic that [the replacement of PPD-20] provides us with the opportunity to respond offensively in a more expeditious manner than is currently the case.”
The framework that succeeds PPD-20 should address the third-party software and hardware, or “white space,” through which nation-states can route cyberattacks, he said. “We do our best to respect the sovereignty of other nations. But it’s time to take a look at what [our] near-peer competitors and competitors are doing in that white space.”
“It’s time we…use those [offensive] capabilities when necessary to send a message that it’s going to be extremely expensive for” foreign hackers to attack the United States, Rounds told CyberScoop.
Jason Healey, who was head of cyber infrastructure protection at the White House from 2003 to 2005, highlighted what he said were potential drawbacks of any weakening of restrictions on hacking operations.
“The advantages of looser operational controls are obvious in trying to fight back against [cyber]attacks against the United States,” Healey told CyberScoop. “But the dangers are obvious, too…from hitting the wrong target, to having an attack cascade, to unknowingly conducting an attack during a diplomatic negotiation.’
Joshua Geltzer, who served as a senior NSC official from 2015 to 2017, said removing PPD-20 is in keeping with an effort “you see from [the Trump] administration to, at least in their view, empower departments and agencies in the national security space.”
“I’m sympathetic to that urge, but it can’t be at the expense of considering the various equities at stake,” Geltzer told CyberScoop. “And in the cyber area, [that means] working through some pretty tough legal issues.”
The policy change comes after lawmakers have questioned whether U.S. Cyber Command has been hamstrung in its ability to counter other nation-states in cyberspace. In March, Gen. Paul Nakasone, who has since become head of Cyber Command and the National Security Agency, told lawmakers that PPD was a “work in progress.”
“Is the process perfect? No, it’s not,” Nakasone said. “But this is a constant dialogue that goes on between ourselves, certainly Cyber Command, and the Department of Defense and National Security Council.”
And dialogue comes as the White House has refrained from filling or reworked official cybersecurity positions at the NSC, including the cybersecurity coordinator role.
R. David Edelman, who served in the George W. Bush and Obama administrations House managing international cybersecurity and digital economy issues, said the recent decisions leaves the Trump administration with hard questions to answer.
“They’ve eliminated the cyber coordinator. They’ve reportedly eliminated or replaced PPD-20. But our cybersecurity challenges haven’t been eliminated, far from it,” Edelman told CyberScoop “So who is running the show? What is the new plan? And how will it will keep impulsiveness from becoming the norm in our cyber policy, too?”
The role of offensive cyber activities in deterring foreign interference in U.S. elections has gained more attention ahead of November’s midterm vote. At a White House briefing earlier this month, Nakasone said the U.S. government is “ready to retaliate against election interference with offensive cyber-operations.”
Greg Otto contributed to this report.
