The Snowden Reader

by David P Fidler


  Defensive Cyber Effects Operations (DCEO): Operations and related programs or activities—other than network defense or cyber collection—conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States Government networks for the purpose of defending or protecting against imminent threats or ongoing attacks or malicious cyber activity against U.S. national interests from inside or outside cyberspace. (C/NF)

  Nonintrusive Defensive Countermeasures (NDCM): The subset of DCEO that does not require accessing computers, information or communications systems, or networks without authorization from the owners or operators of the targeted computers, information or communications systems, or networks or exceeding authorized access and only creates the minimum cyber effects needed to mitigate the threat activity. (C/NF)

  Offensive Cyber Effects Operations (OCEO): Operations and related programs or activities—other than network defense, cyber collection, or DCEO—conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States Government networks. (C/NF)

  Cyber Operations: Cyber collection, DCEO (including NDCM), and OCEO collectively. (U)

  Significant Consequences: Loss of life, significant responsive actions against the United States, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States. (U)

  U.S. National Interests: Matters of vital interest to the United States to include national security, public safety, national economic security, the safe and reliable functioning of “critical infrastructure,” and the availability of “key resources.”. . . (U)

  Emergency Cyber Action: A cyber operation undertaken at the direction of the head of a department or agency with appropriate authorities who has determined that such action is necessary, pursuant to the requirements of this directive, to mitigate an imminent threat or ongoing attack against U.S. national interests from inside or outside cyberspace and under circumstances that at the time do not permit obtaining prior Presidential approval to the extent that such approval would otherwise be required. (S/NF)

  II. Purpose and Scope (U)

  The United States has an abiding interest in developing and maintaining use of cyberspace as an integral part of U.S. national capabilities to collect intelligence and to deter, deny, or defeat any adversary that seeks to harm U.S. national interests in peace, crisis, or war. Given the evolution in U.S. experience, policy, capabilities, and understanding of the cyber threat, and in information and communications technology, this directive establishes updated principles and processes as part of an overarching national cyber policy framework. (C/NF)

  The United States Government shall conduct all cyber operations consistent with the U.S. Constitution and other applicable laws and policies of the United States, including Presidential orders and directives. (C/NF)

  The United States Government shall conduct DCEO and OCEO under this directive consistent with its obligations under international law, including with regard to matters of sovereignty and neutrality, and, as applicable, the law of armed conflict. (C/NF)

  This directive pertains to cyber operations, including those that support or enable kinetic, information, or other types of operations. Most of this directive is directed exclusively to DCEO and OCEO. (S/NF)

  The United States Government has mature capabilities and effective processes for cyber collection. (S/NF)

  Therefore, this directive affirms and does not intend to alter existing procedures, guidelines, or authorities for cyber collection. (S/NF)

  This directive provides a procedure for cyber collection operations that are reasonably likely to result in “significant consequences.”. . . (S/NF)

  The principles and requirements in this directive apply except as otherwise lawfully directed by the President. With the exception of the grant of authority to the Secretary of Defense to conduct Emergency Cyber Actions as provided below, nothing in this directive is intended to alter the existing authorities of, or grant new authorities to, any United States Government department or agency (including authorities to carry out operational activities), or supersede any existing coordination and approval processes, other than those of NSPD-38. Nothing in this directive is intended to limit or impair military commanders from using DCEO or OCEO specified in a military action approved by the President and previously coordinated and deconflicted as required by existing processes and this directive. (S/NF)

  In addition, this directive does not pertain to or alter existing authorities related to the following categories of activities by or on behalf of the United States Government, regardless of whether they produce cyber effects:

  Activities conducted under section 503 of the National Security Act of 1947 (as amended);

  Activities conducted pursuant to the Foreign Intelligence Surveillance Act, the approval authority delegated to the Attorney General (AG) by section 2.5 of Executive Order 12333 (as amended), or law enforcement authorities; however, cyber operations reasonably likely to result in significant consequences still require Presidential approval, and operations that reasonably can be expected to adversely affect other United States Government operations still require coordination under established processes;

  Activities conducted by the United States Secret Service for the purpose of protecting the President, the Vice President, and others as defined in 18 U.S.C. § 3056; however, cyber operations reasonably likely to result in significant consequences still require Presidential approval, and operations that reasonably can be expected to adversely affect other United States Government operations still require coordination under established processes;

  The use of online personas and other virtual operations . . . undertaken exclusively for counterintelligence, intelligence collection, or law enforcement purposes—that do not involve the use of DCEO or OCEO;

  Activities conducted in cyberspace pursuant to counterintelligence authorities for the purpose of protecting specific intelligence sources, methods, and activities;

  Signals intelligence collection other than cyber collection as defined in this directive;

  Open-source intelligence collection;

  Network defense;

  Traditional electronic warfare . . . activities;

  The development of content to support influence campaigns, military deception, or military information support operations; or

  Simple transit of data or commands through networks that do not create cyber effects on those networks. (S/NF)

  III. Guiding Principles for DCEO and OCEO (U)

  DCEO and OCEO may raise unique national security and foreign policy concerns that require additional coordination and policy considerations because cyberspace is globally connected. DCEO and OCEO, even for subtle or clandestine operations, may generate cyber effects in locations other than the intended target, with potential unintended or collateral consequences that may affect U.S. national interests in many locations. (S/NF)

  The United States Government shall conduct DCEO and OCEO in a manner consistent with applicable values, principles, and norms for state behavior that the United States Government promotes domestically and internationally as described in the 2011 “International Strategy for Cyberspace.” (C/NF)

  National-level strategic objectives and operational necessities shall dictate what the United States Government seeks to accomplish with DCEO and OCEO. (C/NF)

  The United States Government shall integrate DCEO and OCEO, as appropriate, with other diplomatic, informational, military, economic, financial, intelligence, counterintelligence, and law enforcement options, taking into account effectiveness, costs, risks, potential consequences, foreign policy, and other policy considerations. (C/NF)

  The United States Government shall reserve the right to act in accordance with the United States’ inherent right of self defense as recognized in international law, including through the conduct of DCEO. (C/NF)

  The United States Government shall conduct neither DCEO nor OCEO that are intended or likely to produce cyber effects within the United States unless approved by the President. A department or agency, however, with appropriate authority may conduct a particular case of DCEO that is intended or likely to produce cyber effects within the United States if it qualifies as an Emergency Cyber Action as set forth in this directive and otherwise complies with applicable laws and policies, including Presidential orders and directives. (C/NF)

  The United States Government shall obtain consent from countries in which cyber effects are expected to occur or those countries hosting U.S. computers and systems used to conduct DCEO or OCEO unless:

  Military actions approved by the President and ordered by the Secretary of Defense authorize nonconsensual DCEO or OCEO, with provisions made for using existing processes to conduct appropriate interagency coordination on targets, geographic areas, levels of effect, and degrees of risk for the operations;

  DCEO is undertaken in accordance with the United States’ inherent right of self defense as recognized in international law, and the United States Government provides notification afterwards in a manner consistent with the protection of U.S. military and intelligence capabilities and foreign policy considerations and in accordance with applicable law; or

  The President—on the recommendation of the Deputies Committee and, as appropriate, the Principals Committee—determines that an exception to obtaining consent is necessary, takes into account overall U.S. national interests and equities, and meets a high threshold of need and effective outcomes relative to the risks created by such an exception. (S/NF)

  The information revealed to other countries in the course of seeking consent shall be consistent with operational security requirements and the protection of intelligence sources, methods, and activities. (S/NF)

  The United States Government, to ensure appropriate application of these principles, shall make all reasonable efforts, under circumstances prevailing at the time, to identify the adversary and the ownership and geographic location of the targets and related infrastructure where DCEO or OCEO will be conducted or cyber effects are expected to occur, and to identify the people and entities, including U.S. persons, that could be affected by proposed DCEO or OCEO. (S/NF)

  Additional Considerations for DCEO (U)

  The Nation requires flexible and agile capabilities that leverage the full resources of the United States Government to conduct necessary and proportionate DCEO. These operations shall conform to the following additional policy principles:

  The United States Government shall reserve use of DCEO to protect U.S. national interests in circumstances when network defense or law enforcement measures are insufficient or cannot be put in place in time to mitigate a threat, and when other previously approved measures would not be more appropriate, or if a Deputies or Principals Committee review determines that proposed DCEO provides an advantageous degree of effectiveness, timeliness, or efficiency compared to other methods commensurate with the risks;

  The United States Government shall conduct DCEO with the least intrusive methods feasible to mitigate a threat;

  The United States Government shall seek partnerships with industry, other levels of government as appropriate, and other nations and organizations to promote cooperative defensive capabilities, including, as appropriate, through the use of DCEO as governed by the provisions in this directive; and

  Partnerships with industry and other levels of government for the protection of critical infrastructure shall be coordinated with the Department of Homeland Security (DHS), working with relevant sector-specific agencies and, as appropriate, the Department of Commerce (DOC). (S/NF)

  The United States recognizes that network defense, design, and management cannot mitigate all possible malicious cyber activity and reserves the right, consistent with applicable law, to protect itself from malicious cyber activity that threatens U.S. national interests. (S/NF)

  The United States Government shall work with private industry—through DHS, DOC, and relevant sector-specific agencies—to protect critical infrastructure in a manner that minimizes the need for DCEO against malicious cyber activity; however, the United States Government shall retain DCEO, including anticipatory action taken against imminent threats, as governed by the provisions in this directive, as an option to protect such infrastructure. (S/NF)

  The United States Government shall—in coordination, as appropriate, with DHS, law enforcement, and other relevant departments and agencies, to include sector-specific agencies—obtain the consent of network or computer owners for United States Government use of DCEO to protect against malicious cyber activity on their behalf, unless the activity implicates the United States’ inherent right of self-defense as recognized in international law or the policy review processes established in this directive and appropriate legal reviews determine that such consent is not required. (S/NF)

  Offensive Cyber Effects Operations (U)

  OCEO can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging. The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist. (TS/NF)

  The United States Government shall identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power, establish and maintain OCEO capabilities integrated as appropriate with other U.S. offensive capabilities, and execute those capabilities in a manner consistent with the provisions of this directive. (TS/NF)

  IV. Cyber Operations with Significant Consequences (U)

  Specific Presidential approval is required for any cyber operations—including cyber collection, DCEO, and OCEO—determined by the head of a department or agency to conduct the operation to be reasonably likely to result in “significant consequences” as defined in this directive. This requirement applies to cyber operations generally, except for those already approved by the President, even if this directive otherwise does not pertain to such operations as provided in the “Purpose and Scope” section of this directive. (S/NF)

  V. Threat Response Operations (U)

  Responses to Persistent Malicious Cyber Activity (U)

  Departments and agencies with appropriate authorities—consistent with the provisions set forth in this directive and in coordination with the Departments of State, Defense (DOD), Justice (DOJ), and Homeland Security; the Federal Bureau of Investigation (FBI); the Office of the Director of National Intelligence (DNI); the National Security Agency (NSA); the Central Intelligence Agency (CIA); the Departments of the Treasury and Energy (DOE); and other relevant members of the Intelligence Community (IC) and sector-specific agencies—shall establish criteria and procedures to be approved by the President for responding to persistent malicious cyber activity against U.S. national interests. Such criteria and procedures shall include the following requirements:

  The United States Government shall reserve use of such responses to circumstances when network defense or law enforcement measures are insufficient or cannot be put in place in time to mitigate the malicious cyber activity; and

  Departments and agencies shall conduct these responses in a manner not reasonably likely to result in significant consequences and use the minimum action required to mitigate the activity. (S/NF)

  Emergency Cyber Actions (C/NF)

  The Secretary of Defense is hereby authorized to conduct, or a department or agency head with appropriate authorities may conduct, under procedures approved by the President, Emergency Cyber Actions necessary to mitigate an imminent threat or ongoing attack using DCEO if circumstances at the time do not permit obtaining prior Presidential approval (to the extent that such approval would otherwise be required) and the department or agency head determines that:

  An emergency action is necessary in accordance with the United States inherent right of self-defense as recognized in international law to prevent imminent loss of life or significant damage with enduring national impact on the Primary Mission Essential Functions of the United States Government, . . . U.S. critical infrastructure and key resources, or the mission of U.S. military forces;

  Network defense or law enforcement would be insufficient or unavailable in the necessary timeframe, and other previously approved activities would not be more appropriate;

  The Emergency Cyber Actions are reasonably likely not to result in significant consequences;

  The Emergency Cyber Actions will be conducted in a manner intended to be nonlethal in purpose, action, and consequence;

  The Emergency Cyber Actions will be limited in magnitude, scope, and duration to that level of activity necessary to mitigate the threat or attack;

  The Emergency Cyber Actions, when practicable, have been coordinated with appropriate departments and agencies, including State, DOD, DHS, DOJ, the Office of the DNI, FBI, CIA, NSA, the Treasury, DOE, and other relevant members of the IC and sector-specific agencies; and

  The Emergency Cyber Actions are consistent with the U.S. Constitution and other applicable laws and policies of the United States, including Presidential orders and directives. (S/NF)

 
