Presidential Policy Directive 20

Presidential Policy Directive 20 (PPD-20), provides a framework for U.S. cybersecurity by establishing principles and processes. Signed by President Barack Obama in October 2012, this directive supersedes National Security Presidential Directive NSPD-38. Integrating cyber tools with those of national security,EPIC. (n.d.)
Presidential directives and cybersecurity
''EPIC''. Retrieved from http://epic.org/privacy/cybersecurity/presidential-directives/cybersecurity.html. the directive complements NSPD-54/Homeland Security Presidential Directive HSPD-23.

Classified and unreleased by the National Security Agency (NSA), NSPD-54 was authorized by George W. Bush. It gives the U.S. government power to conduct surveillanceElectronic Privacy Information Center. (n.d.)
EPIC v. NSA - Cybersecurity Authority
''EPIC''. Retrieved from http://epic.org/privacy/nsa/epic_v_nsa.html. through monitoring.

Its existence was made public in June 2013 by former intelligence NSA infrastructure analyst Edward Snowden.

Background

Because of private industry, and issues surrounding international and domestic law,Barnard-Wills, D. & Ashenden, D. (2012)
Securing virtual space cyber war, cyber terror, and risk
''Space and culture, 15''(2), p. 110-123. doi:10.1177/1206331211430016. public-private-partnership became the, "cornerstone of America's cybersecurity strategy".White House. (2003, February)
The National Strategy to Secure Cyberspace
(Rep.). Retrieved from http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf. Suggestions for the private sector were detailed in the declassified 2003, National Strategy to Secure Cyberspace. Its companion document, National Security Presidential Directive (NSPD-38), was signed in secret by George W. Bush the following year.

Although the contents of NSPD 38 are still undisclosed, the U.S. military did not recognize cyberspace as a "theater of operations" until the U.S. National Defense Strategy of 2005. The report declared that the, "ability to operate in and from the global commons-space, international waters and airspace, and cyberspace is important ... to project power anywhere in the world from secure bases of operation."The National Defense Strategy of the United States of America
(Rep.) (2005, March). Retrieved from http://www.globalsecurity.org/military/library/policy/dod/nds-usa_mar2005.htm. Three years later, George W. Bush formed the classified Comprehensive National Cybersecurity Initiative (CNCI).

Citing economic and national security, the Obama administration prioritized cybersecurity upon taking office.Krebs B. (2009, May 29)
Obama: Cyber security is a national priority
''Washington Post''. Retrieved from http://voices.washingtonpost.com/securityfix/2009/05/obama_cybersecurity_is_a_natio.html. After an in-depth review of the, "communications and information infrastructure,"White House, Office of the Press Secretary. (2009, April 17)
Statement by the Press Secretary on conclusion of the cyberspace review
ress release Retrieved from http://www.whitehouse.gov/the_press_office/Statement-by-the-Press-Secretary-on-Conclusion-of-the-Cyberspace-Review. the CNCI was partially declassified and expanded under President Obama.Vijayan, J. (2010, March 2)
Obama administration partially lifts secrecy on classified cybersecurity project
''Computerworld''. Retrieved from http://www.whitehouse.gov/the_press_office/Statement-by-the-Press-Secretary-on-Conclusion-of-the-Cyberspace-Review. It outlines "key elements of a broader, updated national U.S. cybersecurity strategy." By 2011, the Pentagon announced its capability to run cyber attacks.Nakashima, E. (2011, November 15)
Pentagon: Cyber offense part of U.S. strategy
''Washington Post''. Retrieved from https://www.washingtonpost.com/national/national-security/pentagon-cyber-offense-part-of-us-strategy/2011/11/15/gIQArEAlPN_story.html.

General

After the U.S. Senate failed to pass the Cybersecurity Act of 2012 that August,Rizzo, J. (2012, August 02)
Cybersecurity bill fails in Senate
''CNN''. Retrieved from http://www.cnn.com/2012/08/02/politics/cybersecurity-act/index.html Presidential Policy Directive 20 (PPD-20) was signed in secret. The Electronic Privacy Information Center (EPIC) filed a Freedom of Information Request to see it, but the NSA would not comply.Electronic Privacy Information Center. (n.d.)

Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority. ''EPIC''. Retrieved from http://epic.org/foia/dhs/defense-monitoring.html Some details were reported in November 2012.Nakashima, E. (2012, November 14)
Obama signs secret directive to help thwart cyberattacks
''Washington Post''. Retrieved from https://www.washingtonpost.com/world/national-security/obama-signs-secret-cybersecurity-directive-allowing-more-aggressive-military-role/2012/11/14/7bf51512-2cde-11e2-9ac2-1c61452669c3_story.html. The Washington Post wrote that PPD-20, "is the most extensive White House effort to date to wrestle with what constitutes an 'offensive' and a 'defensive' action in the rapidly evolving world of cyberwar and cyberterrorism." The following January,Greenwald, G. & MacAskill, E. (2013, June 7)
Obama orders US to draw up overseas target list for cyber-attacks
''The Guardian''. Retrieved from https://www.theguardian.com/world/2013/jun/07/obama-china-targets-cyber-overseas the Obama administration released a ten-point factsheet.Federation of American Scientists. (2013, January)

''FAS''. Retrieved from https://www.fas.org/irp/offdocs/ppd/index.html.

Controversy

On June 7, 2013, PPD-20 became public. Released by Edward Snowden and posted by ''The Guardian'', it is part of the 2013 Mass Surveillance Disclosures. While the U.S. factsheet claims PPD-20 acts within the law and is, "consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace", it doesn't reveal cyber operations in the directive.

Snowden's disclosure called attention to passages noting cyberwarfare policy and its possible consequences.Schneier, B. (2013, June 18). Has U.S. started an Internet war? CNN. Retrieved from http://www.cnn.com/2013/06/18/opinion/schneier-cyberwar-policy/index.html. The directive calls both defensive and offensive measures as Defensive Cyber Effects Operations (DCEO) and Offensive Cyber Effects Operations (OCEO), respectively.

Notable points

* "Loss of life, significant responsive actions against the United States, significant damage to property, serious adverse US foreign policy consequences, or serious economic impact on the United States."
* "OCEO can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging. The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist."
* "The United States Government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other U.S. offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive."

Further reading

* 2013 Mass Surveillance Disclosures
* Comprehensive National Cybersecurity Initiative

External links

* Guardian
Presidential Policy Directive 20 (PPD)
* FAS: White Hous
PPD-20 Factsheet

See also

*Cyberwarfare in the United States

References

{{reflist

United States national security directives
United States national security policy
National Security Agency
Presidency of Barack Obama
Obama administration controversies
2013 controversies in the United States
Cyberattacks
Cyberwarfare in the United States
Computer security procedures