What's an 'emergency cyber action'?
Several paragraphs in the Presidential Policy Directive on cyberware — those about "emergency cyber actions" — will trouble civil libertarians and companies in the U.S. The reason is not so much the content of the paragraphs but the fact that the government felt it necessary to hide them.
Actually, the words "emergency cyber actions" are themselves classified!
Who wouldn't be suspicious of a SECRET document that spells out the fact that the government, acting under the national command authority, will act to shut down part of the internet if there's an existential threat?
I'm going to reprint the (S/NF) paragraphs in full because they seem to be something we'd want the government to do.
The caveats themselves (and the fact that THEY are secret) suggest that the government will truly revert to something like this in an absolute emergency.
And there is no reason why they can't admit that fact and then allow, encourage, and foster the debate that will result from it. Laying out these general rules, and then making them state secrets, endows them with a power that they ought not have.
Emergency Cyber Actions (C/NF)
The Secretary of Defense is hereby authorized to conduct, or a department or agency head with appropriate authorities may conduct, under procedures approved by the President, Emergency Cyber Actions necessary to mitigate an imminent threat or ongoing attack using DCEO if circumstances at the time do not permit obtaining prior Presidential approval (to the extent that such approval would otherwise be required) and the department or agency head determines that:
An emergency action is necessary in accordance with the United States inherent right of self-defense as recognized in international law to prevent imminent loss of life or significant damage with enduring national impact on the Primary Mission Essential Functions of the United States Government,5 U.S. critical infrastructure and key resources, or the mission of U.S. military forces;
Network defense or law enforcement would be insufficient or unavailable in the necessary timeframe, and other previously approved activities would not be more appropriate;
The Emergency Cyber Actions are reasonably likely not to result in significant consequences;
The Emergency Cyber Actions will be conducted in a manner intended to be nonlethal in purpose, action, and consequence;
The Emergency Cyber Actions will be limited in magnitude, scope, and duration to that level of activity necessary to mitigate the threat or attack;
And so forth. What the classification of this information says to the American people is: We don't trust you, so we are not going to give a basis for stuff we might do in the future that might make you trust us less.
Good job, secret-keepers.