President Obama gave extended and unprecedented attention to cyber-threats during his State Of The Union speech. Just hours before the speech he also signed an executive order calling for broader sharing of information about cyberwar and cyber-threats. But these are not the only ways that the president has signaled the high priority he gives to cyber-threats: The Administration has also asserted its right to launch pre-emptive cyber attacks.
A report initially carried by the New York Times covered a "secret legal review" that included discussion of pre-emptive action. The review concluded that the president can order US cyber-forces to "attack adversaries by injecting them with destructive code – even if there is no declared war."
As Chloe Albanesius notes at PC Magazine, these broad assertions of cyber-strike authority are not entirely new. The Stuxnet worm, which reportedly caused thousands of Iranian nuclear-enrichment centrifuges to overspeed and self-destruct, is widely believed to have been developed and deployed by the US.
Development of Stuxnet reportedly began during the administration of George W. Bush. The program was continued by Obama, who presumably authorized its deployment.
The development of formalized rules for deployment of cyber-weapons, however, is a new step. The rules, once finalized, will remain highly classified. One official told the NYT that "cyberweapons were so powerful that – like nuclear weapons – they should be unleashed only on the direct orders of the commander in chief."
There is no secret, however, about President Obama's broader concern about cyber-threats and cyberwar. His executive order regarding threat information sharing was revealed shortly before his State Of The Union speech – and the speech itself contained by far the most extensive remarks on cyber-threats of any such address ever given.
Officials noted that a military cyber-strike would not be ordered in response to "ordinary" cyber attacks such as those that have been launched against banks and other firms – including one recent attack that compromised employee information at the NYT itself.
While officials declined to specify the conditions under which a pre-emptive strike might be ordered, imminent threats to defense systems or (for example) the power grid would be prime candidates.
As the security information-sharing executive order shows, the Administration and defense planners are not indifferent to the cybersecurity concerns of businesses. But the reality of the emerging age of cyberwarfare is that businesses must provide their own first lines of defense. State-supported groups are not the only threat; these may well form tactical alliances with cyber-criminals, industrial espionage and plain theft going hand in hand.