The Washington Post reported today that U.S. President Bush signed a secret order last July (and only disclosed now), known as National Security Presidential Directive 16, ordering the government to develop rules for deciding when and how the United States would penetrate and disrupt foreign computer systems. The cyber-warfare rules of engagement were being prepared amid speculation that the Pentagon was considering some offensive computer operations against Iraq. The full extent of the U.S. cyber-arsenal is a secret more tightly guarded than even nuclear capabilities. Because of this secrecy, many of the programs are known only to specific groups of people, which has inhibited the drafting of general policy and specific rules of engagement. After months of discussions between the Pentagon, CIA, FBI and NSA, many issues remain far from resolved. “There’s been an initial step by the president to say we need to establish broad guidelines,” a senior administration official said. “We’re trying to be thorough and thoughtful about this. I expect the process will end in another directive, the first of its kind in this area, setting the foundation.”
Officials say they are proceeding cautiously, due to the uncertainties inherent in modeling how a major cyber-attack might play out. By penetrating computer systems that control the communications, transportation, energy and other basic services in a country, cyber-weapons can have serious cascading effects, disrupting both military operations and civilian life.
“There are questions about collateral damage,” said cyber-security Chief Richard A. Clarke (who last week announced his intention to resign). As an example, he cited the possibility that a computer attack on an electric power grid, intended to disrupt military facilities, might turn off electricity to hospitals on the same network. “There also is an issue, frankly, that’s similar to the strategic nuclear issue which is: Do you ever want to do it? Do you want to legitimize that kind of weaponry?”