President Obama Unilaterally Gives Cybersecurity Powers to the Military


Yesterday, the Washington Post reported that the president signed a hush-hush directive granting the military additional power to respond to cyberattacks. The directive was signed as Congress debated — and, ultimately, rejected — controversial legislation dealing with the same issue. While the Post would have it that the president is simply bypassing nasty bipartisan gridlock in Congress to get important stuff done, that glosses over the unpleasant reality that many knowledgeable people argue against the policies that dear leader just implemented unilaterally. With the stroke of a pen, we now have two problems: Potentially bad policy inflicted on the nation through an abuse of executive power.

Reports the Washington Post:

President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyber­attacks on the nation's web of government and private computer networks.

Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.

The new directive is the most extensive White House effort to date to wrestle with what constitutes an "offensive" and a "defensive" action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.

The details of Presidential Policy Directive 20 are a bit vague, partially because the Pentagon is supposed to fill in the details itself, and (probably) partially because the "leak" about the directive may well be controlled and deliberate, given that the Senate killed Senator Joe Lieberman's Cybersecurity Act yesterday, as well. Suffice it to say that "cybersecurity" is a broad and vague term that can cover everything from the government making sure its own computers are tucked in snugly behind their firewalls, to mandated policies for the private sector and even intrusive snooping.

In fact, the Washington Post reported in September:

The White House has drafted a preliminary executive order aimed at strengthening the nation's computer systems against attack, an effort to begin to accomplish through fiat what could not be achieved through Congress.

The draft order, whose contours are being debated, would create voluntary standards to guide companies in guarding themselves against cyberattacks, according to administration officials. It would also establish a special council made up of key government agencies to identify threats that could compromise critical sectors.

It's not clear whether any parts of that draft executive order were incorporated in the directive reportedly signed by the president. In September, the Post did report that the components of the draft order, and the legislation on which it was based, were opposed by businesses and GOP lawmakers "who decried even voluntary standards as a regulatory burden on business." Yesterday's article made no mention of opposition at all. But civil liberties groups also opposed Lieberman's bill upon which the draft executive order appears to be based, and the Electronic Frontier Foundation celebrated its demise with a press release:

With your help last summer we helped defeat Senator Lieberman's Cybersecurity Act. But for some reason, Senate Majority Leader Reid decided to call for another vote on the bill in the lame duck session today. After an hour's debate, the full Senate voted 51 to 47 against cloture for the Cybersecurity Act, meaning it can't move forward for a vote.

We've spent months going over the various faults in the bill—and of the faults in the other proposed Cybersecurity bills. We were particularly concerned because the Cybersecurity Act included overly vague definitions for key terms like "cybersecurity threat," "cybersecurity threat indicator," and even "countermeasures."

CNet notes that what little we know about the signed directive also points to controversial elements:

The nuts and bolts of the directive will most likely be met with criticism from many sides of the cybersecurity debate. While some will want to strengthen the directive and give free rein to the military to act quickly against cyberthreats, others will warn that the U.S. could step on international legal issues, Internet freedom, and other countries' sovereignty.

The details of the directive and the criticism of the same are less important here than noting that debate and delay over government power is both natural and healthy. People really do have legitimately different opinions on proposed legislation. Those opinions, when aired and debated, allow for better-informed decisions and a fuller understanding of the ultimate impact of policy changes. Mr. Obama is old enough to remember Schoolhouse Rock. Add in a few rough patches and some cynicism, and "I'm just a bill on Capitol Hill" is how it's supposed to work.

So sorry if the process of debating stuff and maybe losing a vote on favored policies is too drawn-out and annoying for you, Mr. President. But you really aren't supposed to be able "to accomplish through fiat what could not be achieved through Congress," as the Post put it so well, in an open and (still somewhat) free society.

Update: The Electronic Privacy Information Center would like to know just what in hell the administration thinks it's doing. EPIC filed a FOIA request to see what's in Presidential Policy Directive 20.