U.S. reserves the right to launch pre-emptive cyber strikes in proposed rules

U.S. President Barack Obama would have the authority to order a pre-emptive strike if the United States detects credible evidence of a major cyberattack being prepared against the nation from overseas under new policy being developed by the administration, reports the New York Times.

Officials involved in a secret legal review of existing powers of the U.S. president in relation to cyberattacks have confirmed that authority, the story said. The rules are being developed as part of that review will be classified.

The review, which will have a bearing on future policies for how the U.S. military can defend and retaliate against a major cyberattack, is also studying how intelligence agencies can carry out searches of computer networks outside the United States for signs of preparations for potential attacks the country, and with presidential approval take action even if there is no declared war, the story said.

Obama is known to have approved the use of cyberweapons only once when he ordered a series of cyberattacks against Iran’s nuclear enrichment facilities, the story said. The operation was code-named Olympic Games and was carried out by the National Security Agency, the story said.

One senior official said in the story that cyberweapons, which can cripple critical infrastructure, are so powerful that they should be used only on direct orders of the commander in chief. The possible exception would be narrowly targeted tactical strikes by the military, such as turning off an air defense system during a conventional strike against an adversary. Automatic retaliation would not occur under the envisioned rules, the story said.  

The rules, which have been in development for more than two years, are being completed at a time when cyberattacks on American companies and critical infrastructure are at an all-time high.

The implications of pre-emption in cyber warfare were specifically analyzed at length in writing the new rules, the story said. One challenging part of the review was to  define “what constitutes reasonable and proportionate force” in halting or retaliating against a cyberattack, an official involved in the review told the media outlet.

During the attacks on Iran’s facilities, which the United States never acknowledged, Obama has insisted that cyberweapons be targeted narrowly, so that they did not affect hospitals or power supplies, the story said. The president frequently voiced concerns that America’s use of cyberweapons could be used by others as justification for attacks on the United States.

Under the new guidelines, the DOD would not be involved in defending against ordinary cyberattacks on American companies or individuals, even though it has the largest array of cybertools. Domestically, that responsibility falls to the Department of Homeland Security, with investigations carried out by the FBI. 

But the military, barred from actions within the United States without a presidential order, would become involved in cases of a major cyberattack within the United States. To maintain ambiguity in an adversary’s mind, officials so far have kept secret what that threshold would be.


Defense Systems Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.