WASHINGTON — President Barack Obama has signed executive orders that lay out how far military commanders around the globe can go in using cyber attacks and other computer-based operations against enemies and as part of routine espionage in other countries.
The orders detail when the military must seek presidential approval for a specific cyber assault on an enemy and weave cyber capabilities into U.S. war fighting strategy, defense officials and cyber security experts told The Associated Press.
Signed more than a month ago, the orders cap a two-year Pentagon effort to draft U.S. rules of the road for cyber warfare, and come as the U.S. begins to work with allies on global ground rules.
The guidelines are much like those that govern the use of other weapons of war, from nuclear bombs to missiles to secret surveillance, the officials said.
In a broad new strategy document, the Pentagon lays out some of the cyber capabilities the military may use during peacetime and conflict. They range from planting a computer virus to using cyberattacks to bring down an enemy’s electrical grid or defense network.
“You don’t have to bomb them anymore. That’s the new world,” said James Lewis, cybersecurity expert at the Center for Strategic and International Studies.
The new Pentagon strategy, he said, lays out cyber as a new warfare domain and stresses the need to fortify network defenses, protect critical infrastructure and work with allies and corporate partners.
The entire strategy has not been released, but several U.S. officials described it on condition of anonymity. Many aspects of it have been made public by U.S. officials, including Deputy Defense Secretary William Lynn, in speeches over the past several months.
The Pentagon is expected to announce the entire strategy soon.
As an example, the new White House guidelines would allow the military to transmit computer code to another country’s network to test the route and make sure connections work — much like using satellites to take pictures of a location to scout out missile sites or other military capabilities.
The digital code would be passive and could not include a virus or worm that could be triggered to do harm at a later date. But if the U.S. ever got involved in a conflict with that country, the code would have mapped out a path for any offensive cyberattack to take, if approved by the president.
The guidelines also make clear that when under attack, the U.S. can defend itself by blocking cyber intrusions and taking down servers in another country. And, as in cases of mortar or missile attacks, the U.S. has the right to pursue attackers across national boundaries — even if those are virtual network lines.
“We must be able to defend and operate freely in cyberspace,” Lynn said in a speech last week in Paris. The U.S., he said, must work with other countries to monitor networks and share threat information.
Lynn and others also say the Pentagon must more aggressively protect the networks of defense contractors that possess valuable information about military systems and weapons’ designs. In a new pilot program, the Defense Department has begun sharing classified threat intelligence with a handful of companies to help them identify and block malicious cyber activity on their networks.
Over time, Lynn said, the program could be a model for the Homeland Security Department as it works with companies that run critical infrastructure such as power plants, the electric grid and financial systems.