Ex-DHS official on PPD-20 repeal: Consider potential blowback to private sector

Suzanne Spaulding says the U.S. government should carefully consider the potential private-sector repercussions of conducting offensive cyber operations.
Then-Undersecretary for NPPD Suzanne Spaulding speaks at the 2016 Cybersecurity Summit in Minneapolis. (Source: Cybersecurity Summit/Event Shows)

The U.S. government’s new and reportedly more muscular approach to conducting offensive cyber-operations must carefully consider the potential blowback of such actions to the private sector, a former senior Department of Homeland Security official has warned.

“DHS needs to be part of the discussion around the cost-benefit analysis to bring the private sector point of view because we know the private sector often bears the brunt of the retaliation that comes in the wake of more aggressive activity,” Suzanne Spaulding said Wednesday at the Atlantic Council.

Asked what public indication there would that those concerns are being addressed, Spaulding, who served as a DHS undersecretary under President Barack Obama, said the answer lies in the private sector. Private companies will have a sense of “whether their equities were adequately considered” before a U.S. government decision to conduct offensive operations, Spaulding said during a panel discussion. “And my guess is they’ll let us know.”

For years, foreign hackers have targeted U.S. companies in multiple sectors, and a surge in U.S. government hacking against foreign adversaries could invite retaliation against any number of multibillion-dollar American firms.


President Donald Trump in August revoked the Obama-era doctrine governing U.S. hacking operations – known as Presidential Policy Directive 20 – clearing the way for a more offensive approach. PPD-20 had set forth an elaborate interagency legal and policy process for approving U.S. cyberattacks. Critics of the directive said it unnecessarily delayed offensive operations, while advocates said it was an important mechanism for accounting for all of the possible repercussions of a cyberattack.

Little information is available on the document that replaced PPD-20 because it is classified. However, White House national security adviser John Bolton has indicated the administration will take a more aggressive tack to hacking operations while retaining a thorough interagency approval process.

“We’re going to do a lot of things offensively and I think our adversaries need to know that,”  Bolton said in September. “Our hands are not tied as they were in the Obama administration,” he said of the revocation of PPD-20. The successor to PPD-20, he said, is “very different” and “we hope [that it] will provide the necessary coordination and direction, but still enable these operations to be conducted in a timely fashion.”

Michael Daly, CTO of cybersecurity and special missions at Raytheon, said that it wasn’t just U.S. government hacking that could trigger a retaliatory response from foreign hackers.

“The risk to the private sector is real, but that same risk existed regardless of the method of sanction…on another country,” Daly said during the panel discussion. “If it was a financial sanction, then [a foreign country] still might decide to hack back against a U.S. company or some other company.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts