Following a bombshell series of scoops about the NSA's surveillance of U.S. communications, the Guardian Friday published information from another top secret document. Although somewhat less explosive, the document from 2012 shows that the president ordered his senior national security and intelligence officials to draw up a list of potential overseas targets for cyber-attacks. As Glenn Greenwald and Ewen MacAskill reported:
The 18-page Presidential Policy Directive 20, issued in October last year but never published, states that what it calls Offensive Cyber Effects Operations (OCEO) "can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging".
It says the government will "identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power".
The directive also contemplates the possible use of cyber actions inside the US, though it specifies that no such domestic operations can be conducted without the prior order of the president, except in cases of emergency.
As the Guardian noted too, it's been established that the U.S., along with Israel, has already engaged in at least one serious cyber-attack on an overseas target, "the use of the Stuxnet computer worm targeted on Iranian uranium enrichment centrifuges, the legality of which has been the subject of controversy." As the president meets Friday with Chinese president Xi Jinping to discuss cyberthreats from China, an anonymous intelligence source told the Guardian the U.S. approach to cyberwarfare is "hypocritical":
An intelligence source with extensive knowledge of the National Security Agency's systems told the Guardian the US complaints again China were hypocritical, because America had participated in offensive cyber operations and widespread hacking – breaking into foreign computer systems to mine information.
Provided anonymity to speak critically about classified practices, the source said: "We hack everyone everywhere. We like to make a distinction between us and the others. But we are in almost every country in the world."
Previously classified information about the U.S. bolstering cyber-defense mechanisms has also crept into public view in recent weeks. The already widespread (but largely unspoken of) government practice of mass-buying zero-day exploits — hacker tools designed to take advantage of software vulnerabilities -- is now public knowledge.