According to news reports, President Obama has signed a directive to guide the actions of federal agencies in responding to cyber threats that explicitly permits actions outside government networks. President Policy Directive 20, which is not publicly available, reportedly directs agencies to take no more aggressive action than is necessary to address a threat. Under certain circumstances, however, the directive would permit the use of actions directed outside government networks—called “cyber operations”—but only for defensive purposes.
Traditional network defense strategies confined to government networks should continue to be the first response to cyber attacks, accompanied By outreach to law enforcement officials as needed. However, reports suggest that the presidential directive would permit defensive cyber actions outside government networks in some circumstances, subject to more stringent agency approval and, in many cases, the approval of the White House. This vetting process is intended to ensure that data and privacy are protected while also following the international laws of war.
The administration is still considering an executive order on cybersecurity issues that will likely address cybersecurity for private networks. Although the Senate had planned to take up cybersecurity legislation in the current lame-duck session, a vote to pass legislation in the Senate failed yesterday; the Senate may revisit the issue next month.