The day that President Obama met with the President of China, the Guardian published a Snowden-gram designed, I assume, to embarrass the U.S. and show that, when it came to carping about Chinese cyber-espionage, the U.S. was hypocritical.
The document, a Presidential Policy Directive on cyberwar, does no such thing. It reads as a very careful and well-vetted guidebook to using instruments of cyber power in a way that is reasonable, risk-sensitive, and legitimate.
But the document is classified. Absurdly so, in my opinion. Absurdly so, and damagingly so. Its classification adds sinister implications where there are none.
The U.S. government has been open about the architecture of its cyber warfare forces for years, and policy-makers have spoken openly of the need to prepare the cyber battlefield for war against states and non-state actors, to keep tabs on what malevolent forces are doing to U.S. networks, and to exercise emergency power when and if a catastrophic attack is detected.
Presidential Policy Directive 19 codifies U.S. offensive and defensive cyber warfare policy. As leaked by Snowden, it bears a classification of TOP SECRET // NO FORN, meaning that it contains information "the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security." "Could" is not used as an equivalent conditional; as in, hey, it could, it might, but it might not. Could is used actively, as in, the person doing the classifying believes that, to the best of their ability to predict the future, disclosure would cause exceptional harm to national security. Not just hurt, not inconvenience, not a diplomatic row, not even regular harm, serious harm — but exceptional harm.
What in the document might produce that effect? Two paragraphs on page 9 are marked as TOP SECRET. They involve something called "Offensive Cyber Effects Operations." That phrase is unclassified. What you are about to read apparently should strike you as capable of causing exceptional harm to national security. You ready? Here we go:
OCEO can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging. The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist.
The United States Government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other U.S. offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive.
That's it. In English: The government, already admitting to a cyberwarfare capability, might actually use it one day. That's it. In fact, the qualifying language, "in a manner consistent with the provisions of this directive," means that even these effects must be balanced against potential risk and signed off on by the president. Why would the National Security staff want to prevent these two paragraphs from being seen by anyone without a U.S. security clearance?
Indeed, the very basis of cyber-deterrence requires the enemy KNOWING that the U.S. not only has cyber-weaponry available but has planned for contingencies and will not be afraid to use those weapons in the event that it is advantageous to do so. If this PPD had been published in full without classification, the only possible and reasonable conclusion an enemy would make is that the U.S. is developing robust electronic warfare capabilities and will use them to defend its interests.
Here is the pushback I've gotten from national security officials:
1. It will be harder to negotiate cyber treaties if enemies can point to our doctrine; we would be at a disadvantage relative to countries who have not specifically revealed their capabilities. Only if everyone pretends not to acknowledge reality; Chinese generals have admitted their cyber-capabilities, although not to specific acts; the U.S. has plenty of evidence that Iran and China have engaged in broad-based cyber-warfare and has shared it with virtually everyone. An effective treaty on cyber won't be worth the effort unless all sides know what equities each side has.
2. It will give strategic adversaries a way to fight the U.S. in the court of public opinion. After Hong Kong used Edward Snowden's revelations about cyber-warfare as an excuse to avoid turning him over to the U.S., this argument has a little weight to it. But PPD 19 makes no mention of specific countries. Snowden did that himself. No one argues that the U.S. has an obligation to describe precisely how and whom it will attack and when; this document merely puts everyone on notice that the U.S. will not shrink from a fight.
3. Anything involving the NSA and cyber policy will automatically be classified because it would take a long inter-agency process to vet each word for declassification. This is true, and beside the point. The military brags openly about its cyber-warriors. And NSA recently declassified the fact that it had been given the offensive cyberwar portfolio back in 1997 and has been working on it ever since.
Why, again, is this classified?