The Trump administration has reportedly reversed an executive ordered framework called The Presidential Policy Directive 20 from the Obama era for how and when the US can execute cyber attacks. According to reports, President Trump undid the order which consisted of a list of rules detailing a multi-agency process that must be followed before carrying out an attack. In the words of the previous administration’s cybersecurity coordinator Michael Daniel, the directive was “designed to ensure that all appropriate equities got considered when you thought about doing an offensive cyber operation.”
Some were concerned that this decision would leave a gap in the rules delineating the use of cyber weapons. According to the Wall Street Journal, the original source for the news of Trump’s decision, “it wasn’t clear what rules the administration is adopting to replace the Obama directive.” WSJ writes that “A number of current US officials confirmed the directive had been replaced but declined to comment further, citing the classified nature of the progress.”
What these critics seem to miss is the very point of undoing Directive 20.
Trump and Cyber
The president has a very noteworthy record when it comes to cyber issues. He has arguably taken more steps to bolster America’s IT than any of his predecessors. Trump began this trend a year ago in August 2017 when he elevated the military’s collective cyber assets to the status of a full command. Two months later, Trump pushed forward the creation of the National Protection and Programs Directorate (NPPD), an independent body charged with the safety of domestic digital infrastructure. While the actual creation of NPPD was finalized by a Congressional vote, the emergence of the new agency was the result of a broader administration policy direction to give cyber security the primacy it deserves. Other high-profile decisions taken by Trump have included several restrictions on foreign technology for government use such as the Kaspersky ban, programs to strengthen infrastructure connected to political elections, and an executive order that initiated programs to protect critical digital infrastructure throughout the US.
What has been common to nearly all of these steps, for the most part, is that they’ve been mostly defensive in nature.
Trump’s undoing of Directive 20, while not as big in magnitude as creating a new federal agency, was a clear move in the offense direction.
As one administration official briefed on the decision described it, Trump’s move was an “offensive step forward.” The fact that there was a significant loosening of the rules governing the use of cyber weapons sends a signal of America’s willingness to use them. As the same official added, the prime intended recipients of this deterrence message are those intending to manipulate US elections through the digital sphere. A point worth noting is that plans to undo the restrictions began in April, shortly after John Bolton took up his post as the National Security Advisor. Bolton’s well known hawkish stance on defense issues were likely a major factor in pushing forward the matter of Directive 20.
As cyber slowly becomes the primary sphere in which the US is targeted by adversaries, the solutions will not be limited to protecting American assets. It is now clear that the US will also be preparing the ability to retaliate.
