The Trump administration on Wednesday rolled back a series of Obama-era rules meant to regulate and coordinate how the United States engages in cyberattacks, portraying the rules as unnecessarily restrictive.
The confidential Obama rules, referred to as “Presidential Policy Directive 20,” set in place processes for approval before any one government agency could launch a cyberattack.
Michael Daniel, President Barack Obama’s White House cybersecurity coordinator, told HuffPost in an email that the directive established “rules of the road for agencies wanting to conduct such operations.”
The government, he said, “needs to make sure there is sound policy governing cyber operations as they can very quickly escalate out of control. ... That’s what PPD-20 put in place, and while not perfect, it was an important start that I hope the Trump Administration has built on.”
A copy of the Obama directive, leaked by NSA whistleblower Edward Snowden and obtained by The Guardian in 2013, also explicitly prevented the government from engaging in domestic cyber operations except in cases of emergency.
It’s unclear what new rules, if any, the Trump administration has implemented instead, but a former senior U.S. official expressed concern to The Wall Street Journal that the new rules might now permit domestic activities.
Trump officials contend Directive 20 was more of an impediment than a useful framework for interagency communication, a stance that could signal an increase in the U.S. engaging in such attacks moving forward.
Per the Journal, Trump’s national security adviser, John Bolton, was reportedly a driving force behind the decision.
Daniel hesitated to speculate on what domestic operations might now be permitted, noting presidential policy documents can’t by themselves enable agencies to engage in activities they aren’t already legally allowed to do. But without knowing how, exactly, the Obama rules have been altered, it’s impossible to know for sure.
“Cyber operations are not an end in and of themselves,” Daniel explained. “Cyber operations are undertaken to achieve a national security or foreign policy purpose. Therefore, a decision about whether or not a particular operation makes sense depends on multiple factors, including risk tolerance.”
Daniel warned that the U.S. should be judicious in the use of its cyber capabilities, as it’s setting a global example.
“Other nations possess strong cyber capabilities and many more are working hard to develop them,” he said. “Therefore, while cyber operations are a valid, useful tool, the U.S. government should consider carefully the precedents it will set when using these capabilities, because any cyber operation we conduct will either explicitly or implicitly be considered acceptable.”
This story has been updated throughout with comment from Daniel.